Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20220914-winse-faq

2025-05-12 13:27:23 +00:00 · 2022-09-20 13:09:58 -04:00 · 2022-09-20 13:09:58 -04:00 · 8e17b31247
commit 8e17b31247
parent ca11de9021 5e9eac3cc3
136 changed files with 7141 additions and 3168 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -19644,6 +19644,16 @@
     "source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md",
     "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview",
     "redirect_document_id": false
     },
     {
     "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md",
     "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust",
     "redirect_document_id": false
     },
     {
     "source_path": "windows/configuration/windows-10-accessibility-for-ITPros.md",
     "redirect_url": "/windows/configuration/windows-accessibility-for-ITPros",
     "redirect_document_id": false
     }
  ]
 }
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -2,7 +2,7 @@
 Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs.
 This page covers the basic steps for editing our technical documentation.
-For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://docs.microsoft.com/contribute/).
+For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://learn.microsoft.com/contribute/).
 ## Sign a CLA
@ -19,10 +19,10 @@ We've tried to make editing an existing, public file as simple as possible.
 ### To edit a topic
-1. Browse to the [Microsoft Docs](https://docs.microsoft.com/) article that you want to update.
+1. Browse to the [Microsoft Docs](https://learn.microsoft.com/) article that you want to update.
    > **Note**<br>
-    > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main).
+    > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.learn.microsoft.com/help/get-started/edit-article-in-github?branch=main).
 1. Then select the **Pencil** icon.
@ -37,7 +37,7 @@ We've tried to make editing an existing, public file as simple as possible.
    ![GitHub Web, showing the Pencil icon.](images/pencil-icon.png)
-1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
+1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://learn.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
 1. Make your suggested change, and then select **Preview changes** to make sure it looks correct.
@ -57,16 +57,16 @@ We've tried to make editing an existing, public file as simple as possible.
    The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics:
-    - [Windows client documentation for IT Pros](https://docs.microsoft.com/windows/resources/)
+    - [Windows client documentation for IT Pros](https://learn.microsoft.com/windows/resources/)
-    - [Microsoft Store](https://docs.microsoft.com/microsoft-store)
+    - [Microsoft Store](https://learn.microsoft.com/microsoft-store)
-    - [Windows 10 for Education](https://docs.microsoft.com/education/windows)
+    - [Windows 10 for Education](https://learn.microsoft.com/education/windows)
-    - [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
+    - [Windows 10 for SMB](https://learn.microsoft.com/windows/smb)
-    - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/)
+    - [Internet Explorer 11](https://learn.microsoft.com/internet-explorer/)
 ## Making more substantial changes
 To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content.
-For info about creating a fork or clone, see [Set up a local Git repository](https://docs.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
+For info about creating a fork or clone, see [Set up a local Git repository](https://learn.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful.
 Fork the official repo into your personal GitHub account, and then clone the fork down to your local device.  Work locally, then push your changes back into your fork.  Finally, open a pull request back to the main branch of the official repo.
@ -82,4 +82,4 @@ In the new issue form, enter a brief title. In the body of the form, describe th
 - You can use your favorite text editor to edit Markdown files.  We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
 - You can learn the basics of Markdown in just a few minutes.  To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
- Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference).
+- Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://learn.microsoft.com/contribute/markdown-reference).
--- a/bcs/docfx.json
+++ b/bcs/docfx.json
@ -1,56 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
      "extendBreadcrumb": true,
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "bcs-vsts",
    "markdownEngineName": "dfm"
  }
 }
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@ -1,75 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/**.yml"
        ],
        "exclude": [
          "**/obj/**",
          "devices/hololens/**",
          "**/includes/**"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg",
          "**/*.gif"
        ],
        "exclude": [
          "**/obj/**",
          "devices/hololens/**",
          "**/includes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/hololens/breadcrumb/toc.json",
      "ms.technology": "windows",
      "ms.topic": "article",
      "audience": "ITPro",
      "manager": "dansimp",
      "ms.date": "04/05/2017",
      "feedback_system": "GitHub",
      "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "Win.itpro-hololens",
          "folder_relative_path_in_docset": "./"
        } 
        },
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "devices/hololens",
    "markdownEngineName": "markdig"
  },
    "contributors_to_exclude": [ 
    "rjagiewich", 
    "traya1", 
    "rmca14", 
    "claydetels19", 
    "Kellylorenebaker",
    "jborsecnik",
    "tiburd",
    "garycentric"
    ]
 }
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@ -1,63 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/**.md",
          "**/**.yml"
        ],
        "exclude": [
          "**/obj/**"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/images/**",
          "**/*.pptx",
          "**/*.pdf"
        ],
        "exclude": [
          "**/obj/**"
        ]
      }
    ],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
      "ROBOTS": "INDEX, FOLLOW",
      "ms.technology": "windows",
      "audience": "ITPro",
      "ms.topic": "article",
      "manager": "dansimp",
      "ms.mktglfcycl": "manage",
      "ms.sitesec": "library",
      "ms.date": "05/23/2017",
      "feedback_system": "GitHub",
      "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "Win.surface-hub",
          "folder_relative_path_in_docset": "./"
        }
      },
      "contributors_to_exclude": [ 
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "Kellylorenebaker",
        "jborsecnik",
        "tiburd",
        "garycentric"
      ],
      "titleSuffix": "Surface Hub"
    },
    "externalReference": [],
    "template": "op.html",
    "dest": "devices/surface-hub",
    "markdownEngineName": "markdig"
  }
 }
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@ -1,59 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/**.md",
          "**/**.yml"
        ],
        "exclude": [
          "**/obj/**"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/images/**"
        ],
        "exclude": [
          "**/obj/**"
        ]
      }
    ],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/surface/breadcrumb/toc.json",
      "ROBOTS": "INDEX, FOLLOW",
      "ms.technology": "windows",
      "audience": "ITPro",
      "ms.topic": "article",
      "manager": "dansimp",
      "ms.date": "05/09/2017",
      "feedback_system": "GitHub",
      "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "Win.surface",
          "folder_relative_path_in_docset": "./"
        }
      },
      "contributors_to_exclude": [ 
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "Kellylorenebaker",
        "jborsecnik",
        "tiburd",
        "garycentric"
      ],
      "titleSuffix": "Surface"
    },
    "externalReference": [],
    "template": "op.html",
    "dest": "devices/surface",
    "markdownEngineName": "markdig"
 }
 }
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@ -2,6 +2,16 @@
 ## Week of September 12, 2022
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 9/13/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
 | 9/14/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
 | 9/14/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
 ## Week of September 05, 2022
@ -40,42 +50,3 @@
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 8/17/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
 ## Week of August 08, 2022
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 8/10/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
 | 8/10/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
 | 8/10/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
 | 8/10/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
 | 8/10/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
 | 8/10/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
 | 8/10/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
 | 8/10/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
 | 8/10/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified |
 | 8/10/2022 | [Enable S mode on Surface Go devices for Education](/education/windows/enable-s-mode-on-surface-go-devices) | modified |
 | 8/10/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
 | 8/10/2022 | [Windows 10 for Education (Windows 10)](/education/windows/index) | modified |
 | 8/10/2022 | [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](/education/windows/s-mode-switch-to-edu) | modified |
 | 8/10/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
 | 8/10/2022 | [Azure AD Join with Set up School PCs app](/education/windows/set-up-school-pcs-azure-ad-join) | modified |
 | 8/10/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
 | 8/10/2022 | [Shared PC mode for school devices](/education/windows/set-up-school-pcs-shared-pc-mode) | modified |
 | 8/10/2022 | [Set up School PCs app technical reference overview](/education/windows/set-up-school-pcs-technical) | modified |
 | 8/10/2022 | [What's new in the Windows Set up School PCs app](/education/windows/set-up-school-pcs-whats-new) | modified |
 | 8/10/2022 | [Set up student PCs to join domain](/education/windows/set-up-students-pcs-to-join-domain) | modified |
 | 8/10/2022 | [Provision student PCs with apps](/education/windows/set-up-students-pcs-with-apps) | modified |
 | 8/10/2022 | [Set up Windows devices for education](/education/windows/set-up-windows-10) | modified |
 | 8/10/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
 | 8/10/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
 | 8/10/2022 | [Set up Take a Test on a single PC](/education/windows/take-a-test-single-pc) | modified |
 | 8/10/2022 | [Take tests in Windows 10](/education/windows/take-tests-in-windows-10) | modified |
 | 8/10/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
 | 8/10/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
 | 8/10/2022 | [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) | modified |
 | 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
 | 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
 | 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
--- a/education/index.yml
+++ b/education/index.yml
@ -73,7 +73,7 @@ productDirectory:
          text: IT admin help
        - url: https://support.office.com/education
          text: Education help center
-        - url: /learn/educator-center/
+        - url: /training/educator-center/
          text: Teacher training packs
    # Card    
    - title: Check out our education journey
@ -115,4 +115,4 @@ additionalContent:
        # Card
        - title: Education Partner community Yammer group
          summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
-          url: https://www.yammer.com/mepn/
+          url: https://www.yammer.com/mepn/
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@ -28,18 +28,22 @@ items:
      href: set-up-school-pcs-shared-pc-mode.md
    - name: Windows 10 configuration recommendations for education customers
      href: configure-windows-for-education.md
    - name: Take tests and assessments in Windows
      href: take-tests-in-windows-10.md
 - name: How-to-guides
  items:
-    - name: Use the Set up School PCs app
+    - name: Configure education features
-      href: use-set-up-school-pcs-app.md
+      items:
-    - name: Take tests and assessments in Windows
+        - name: Configure education themes
-      items: 
+          href: edu-themes.md
-        - name: Overview
+        - name: Configure Stickers
-          href: take-tests-in-windows-10.md
+          href: edu-stickers.md
        - name: Configure Take a Test on a single PC
          href: take-a-test-single-pc.md
        - name: Configure a Test on multiple PCs
          href: take-a-test-multiple-pcs.md
    - name: Use the Set up School PCs app
      href: use-set-up-school-pcs-app.md
    - name: Change Windows edition
      items: 
      - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@ -0,0 +1,77 @@
 ---
 title: Configure Stickers for Windows 11 SE
 description: Description of the Stickers feature and how to configure it via Intune and provisioning package.
 ms.date: 09/15/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: how-to
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer:
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 11 SE, version 22H2</b>
 ---
 # Configure Stickers for Windows 11 SE
 Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
 Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students.
 :::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
 Stickers are simple to use, and give students an easy way to express themselves by decorating their desktop, helping to make learning fun.
 ## Benefits of Stickers
 When students feel like they can express themselves at school, they pay more attention and learn, which benefits students, teachers, and the school community. Self-expression is critical to well-being and success at school. Customizing a device is one way to express a personal brand.
 With Stickers, students feel more attached to the device as they feel as if it's their own, they take better care of it, and it's more likely to last.
 ## Enable Stickers
 Stickers aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 To enable Stickers using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
 | Setting |
 |--------|
 | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
 Assign the policy to a security group that contains as members the devices or users that you want to enable Stickers on.
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 To configure Stickers using a provisioning package, use the following settings:
 | Setting |
 |--------|
 | <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>|
 Apply the provisioning package to the devices that you want to enable Stickers on.
 ---
 ## How to use Stickers
 Once the Stickers feature is enabled, the sticker editor can be opened by either:
 - using the contextual menu on the desktop and selecting the option **Add or edit stickers**
 - opening the Settings app > **Personalization** > **Background** > **Add stickers**
 :::image type="content" source="./images/win-11-se-stickers-menu.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true":::
 Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned or deleted from the desktop by using the mouse, keyboard, or touch.
 :::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true":::
 Select the *X button* at the top of the screen to save your progress and close the sticker editor.
 -----------
 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
--- a/education/windows/edu-themes.md
+++ b/education/windows/edu-themes.md
@ -0,0 +1,64 @@
 ---
 title: Configure education themes for Windows 11
 description: Description of education themes for Windows 11 and how to configure them via Intune and provisioning package.
 ms.date: 09/15/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: how-to
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer:
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 11, version 22H2</b>
 - ✅ <b>Windows 11 SE, version 22H2</b>
 ---
 # Configure education themes for Windows 11
 Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
 :::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 desktop with 3 stickers" border="true":::
 Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings.
 Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
 ## Enable education themes
 Education themes aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 To enable education themes using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
 | Setting |
 |--------|
 | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
 Assign the policy to a security group that contains as members the devices or users that you want to enable education themes on.
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 To configure education themes using a provisioning package, use the following settings:
 | Setting |
 |--------|
 | <li> Path: **`Education/EnableEduThemes`** </li><li>Value: **True**</li>|
 Apply the provisioning package to the devices that you want to enable education themes on.
 ---
 ## How to use the education themes
 Once the education themes are enabled, the device will download them as soon as a user signs in to the device.
 To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
 :::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true":::
 -----------
 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
--- a/education/windows/images/win-11-se-stickers-animation.gif
+++ b/education/windows/images/win-11-se-stickers-animation.gif
--- a/education/windows/images/win-11-se-stickers-menu.png
+++ b/education/windows/images/win-11-se-stickers-menu.png
--- a/education/windows/images/win-11-se-stickers-picker.png
+++ b/education/windows/images/win-11-se-stickers-picker.png
--- a/education/windows/images/win-11-se-stickers.png
+++ b/education/windows/images/win-11-se-stickers.png
--- a/education/windows/images/win-11-se-themes-1.png
+++ b/education/windows/images/win-11-se-themes-1.png
--- a/education/windows/images/win-11-se-themes.png
+++ b/education/windows/images/win-11-se-themes.png
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@ -47,11 +47,17 @@ landingContent:
          url: windows-11-se-overview.md
        - text: Windows 11 SE settings
          url: windows-11-se-settings-list.md
      - linkListType: whats-new
        links:
        - text: Configure education themes
          url: edu-themes.md
        - text: Configure Stickers
          url: edu-stickers.md
      - linkListType: video
        links:
        - text: Deploy Windows 11 SE using Set up School PCs
          url: https://www.youtube.com/watch?v=Ql2fbiOop7c
-  
+
  - title: Deploy devices with Set up School PCs
    linkLists:
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@ -87,7 +87,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | Application                             | Supported version | App Type | Vendor                       |
 |-----------------------------------------|-------------------|----------|------------------------------|
 | AirSecure                               | 8.0.0             | Win32    | AIR                          |
 | Alertus Desktop                         | 5.4.44.0          | Win32    | Alertus technologies         |
 | Brave Browser                           | 1.34.80           | Win32    | Brave                        |
 | Bulb Digital Portfolio                  | 0.0.7.0           | Store    | Bulb                         |
 | Cisco Umbrella                          | 3.0.110.0         | Win32    | Cisco                        |
@ -119,7 +118,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | Mozilla Firefox                         | 99.0.1            | Win32    | Mozilla                      |
 | NAPLAN                                  | 2.5.0             | Win32    | NAP                          |
 | Netref Student                          | 22.2.0            | Win32    | NetRef                       |
-| NetSupport Manager                      | 12.01.0011        | Win32    | NetSupport                   |
+| NetSupport Manager                      | 12.01.0014        | Win32    | NetSupport                   |
 | NetSupport Notify                       | 5.10.1.215        | Win32    | NetSupport                   |
 | NetSupport School                       | 14.00.0011        | Win32    | NetSupport                   |
 | NextUp Talker                           | 1.0.49            | Win32    | NextUp Technologies          |
--- a/gdpr/docfx.json
+++ b/gdpr/docfx.json
@ -1,55 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
    "author": "eross-msft",
 		"ms.author": "lizross",
 		"feedback_system": "GitHub",
 		"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
 		"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "gdpr",
    "markdownEngineName": "dfm"
  }
 }
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@ -1,63 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/**.md",
          "**/**.yml"
        ],
        "exclude": [
          "**/obj/**"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/images/**"
        ],
        "exclude": [
          "**/obj/**"
        ]
      }
    ],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
      "ROBOTS": "INDEX, FOLLOW",
      "ms.technology": "windows",
      "audience": "ITPro",
      "manager": "dansimp",
      "ms.prod": "w10",
      "ms.author": "dansimp",
      "author": "dansimp",
      "ms.sitesec": "library",
      "ms.topic": "article",
      "ms.date": "04/05/2017",
      "feedback_system": "GitHub",
      "feedback_github_repo": "https://github.com/MicrosoftDocs/mdop-docs",
      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "Win.mdop",
          "folder_relative_path_in_docset": "./"
        }
      },
      "contributors_to_exclude": [ 
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "Kellylorenebaker",
        "jborsecnik",
        "tiburd",
        "garycentric"
      ],
      "titleSuffix": "Microsoft Desktop Optimization Pack"
    },
    "externalReference": [],
    "template": "op.html",
    "dest": "mdop",
    "markdownEngineName": "markdig"
    }
 }
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@ -41,7 +41,7 @@ We've been working on bug fixes and performance improvements to provide you a be
 | ![Private store performance icon.](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](./manage-private-store-settings.md#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
 | <iframe width="288" height="232" src="https://www.youtube-nocookie.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education  |
 | ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-||  ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+||  ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.learn.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
 -->
 ## Previous releases and updates
@ -97,4 +97,4 @@ We've been working on bug fixes and performance improvements to provide you a be
 - Manage prepaid Office 365 subscriptions
 - Manage Office 365 subscriptions acquired by partners
 - Edge extensions in Microsoft Store
- Search results in Microsoft Store for Business
+- Search results in Microsoft Store for Business
--- a/template.md
+++ b/template.md
@ -28,7 +28,7 @@ When you create a new markdown file article, **Save as** this template to a new
 ## Metadata
-The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
+The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.learn.microsoft.com/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
 - You _must_ have a space between the colon (`:`) and the value for a metadata element.
@ -65,7 +65,7 @@ The full metadata block is above the markdown between the `---` lines. For more
 All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main)
+- [Docs Markdown reference in the Contributor Guide](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main)
 - [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
 - [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
@ -79,7 +79,7 @@ Second-level headings (`##`, also known as H2) generate the on-page TOC that app
 Limit the length of second-level headings to avoid excessive line wraps.
-Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
+Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
 Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
@ -111,7 +111,7 @@ _Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps di
 >
 > It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
-For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
+For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
 ### Article in the same repo
@ -149,7 +149,7 @@ There's a broken link report that runs once a week in the build system, get the
 Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
-For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
+For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
 ## Lists
@ -289,4 +289,4 @@ Always include alt text for accessibility, and always end it with a period.
 ## docs.ms extensions
 > [!div class="nextstepaction"]
-> [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/mem/configmgr)
+> [Microsoft Endpoint Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr)
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@ -1,61 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg",
          "**/*.gif"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
      "ms.technology": "windows",
      "audience": "ITPro",
      "ms.topic": "article",
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "MSDN.win-access-protection",
          "folder_relative_path_in_docset": "./"
        }
      },
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "win-access-protection",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@ -44,6 +44,3 @@ You can use the same management tools to manage all device types running Windows
 [Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
 [Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
 Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/learn/)
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@ -531,6 +531,18 @@ Additional lists:
 <!--EndSKU-->
 <!--EndCSP-->
 <!--StartCSP-->
 [Local Administrator Password Solution CSP](laps-csp.md)
 <!--StartSKU-->
 |Home|Pro|Business|Enterprise|Education|
 |--- |--- |--- |--- |--- |
 |Yes|Yes|Yes|Yes|Yes|
 <!--EndSKU-->
 <!--EndCSP-->
 <!--StartCSP-->
 [MultiSIM CSP](multisim-csp.md)
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@ -1,7 +1,7 @@
 ---
 title: DeviceStatus CSP
 description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@ -71,12 +71,14 @@ DeviceStatus
 --------VirtualizationBasedSecurityHwReq
 --------VirtualizationBasedSecurityStatus
 --------LsaCfgCredGuardStatus
 ----CertAttestation
 --------MDMClientCertAttestation
 ```
-<a href="" id="devicestatus"></a>**DeviceStatus**  
+<a href="" id="devicestatus"></a>**DeviceStatus**
 The root node for the DeviceStatus configuration service provider.
-<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**  
+<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**
 Indicates whether secure boot is enabled. The value is one of the following values:
 - 0 - Not supported
@ -85,67 +87,67 @@ Indicates whether secure boot is enabled. The value is one of the following valu
 Supported operation is Get.
-<a href="" id="devicestatus-cellularidentities"></a>**DeviceStatus/CellularIdentities**  
+<a href="" id="devicestatus-cellularidentities"></a>**DeviceStatus/CellularIdentities**
 Required. Node for queries on the SIM cards.
 >[!NOTE]
 >Multiple SIMs are supported.
-<a href="" id="devicestatus-cellularidentities-imei"></a>**DeviceStatus/CellularIdentities/**<strong>*IMEI*</strong>  
+<a href="" id="devicestatus-cellularidentities-imei"></a>**DeviceStatus/CellularIdentities/**<strong>*IMEI*</strong>
 The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device.
-<a href="" id="devicestatus-cellularidentities-imei-imsi"></a>**DeviceStatus/CellularIdentities/*IMEI*/IMSI**  
+<a href="" id="devicestatus-cellularidentities-imei-imsi"></a>**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
 The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
 Supported operation is Get.
-<a href="" id="devicestatus-cellularidentities-imei-iccid"></a>**DeviceStatus/CellularIdentities/*IMEI*/ICCID**  
+<a href="" id="devicestatus-cellularidentities-imei-iccid"></a>**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
 The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
 Supported operation is Get.
-<a href="" id="devicestatus-cellularidentities-imei-phonenumber"></a>**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**  
+<a href="" id="devicestatus-cellularidentities-imei-phonenumber"></a>**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
 Phone number associated with the specific IMEI number.
 Supported operation is Get.
-<a href="" id="devicestatus-cellularidentities-imei-commercializationoperator"></a>**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**  
+<a href="" id="devicestatus-cellularidentities-imei-commercializationoperator"></a>**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
 The mobile service provider or mobile operator associated with the specific IMEI number.
 Supported operation is Get.
-<a href="" id="devicestatus-cellularidentities-imei-roamingstatus"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**  
+<a href="" id="devicestatus-cellularidentities-imei-roamingstatus"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
 Indicates whether the SIM card associated with the specific IMEI number is roaming.
 Supported operation is Get.
-<a href="" id="devicestatus-cellularidentities-imei-roamingcompliance"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**  
+<a href="" id="devicestatus-cellularidentities-imei-roamingcompliance"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
 Boolean value that indicates compliance with the enforced enterprise roaming policy.
 Supported operation is Get.
-<a href="" id="devicestatus-networkidentifiers"></a>**DeviceStatus/NetworkIdentifiers**  
+<a href="" id="devicestatus-networkidentifiers"></a>**DeviceStatus/NetworkIdentifiers**
 Node for queries on network and device properties.
-<a href="" id="devicestatus-networkidentifiers-macaddress"></a>**DeviceStatus/NetworkIdentifiers/**<strong>*MacAddress*</strong>  
+<a href="" id="devicestatus-networkidentifiers-macaddress"></a>**DeviceStatus/NetworkIdentifiers/**<strong>*MacAddress*</strong>
 MAC address of the wireless network card. A MAC address is present for each network card on the device.
-<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv4"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**  
+<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv4"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
 IPv4 address of the network card associated with the MAC address.
 Supported operation is Get.
-<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv6"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**  
+<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv6"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
 IPv6 address of the network card associated with the MAC address.
 Supported operation is Get.
-<a href="" id="devicestatus-networkidentifiers-macaddress-isconnected"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**  
+<a href="" id="devicestatus-networkidentifiers-macaddress-isconnected"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
 Boolean value that indicates whether the network card associated with the MAC address has an active network connection.
 Supported operation is Get.
-<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**  
+<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
 Type of network connection. The value is one of the following values:
 - 2 - WLAN (or other Wireless interface)
@ -154,10 +156,10 @@ Type of network connection. The value is one of the following values:
 Supported operation is Get.
-<a href="" id="devicestatus-compliance"></a>**DeviceStatus/Compliance**  
+<a href="" id="devicestatus-compliance"></a>**DeviceStatus/Compliance**
 Node for the compliance query.
-<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**  
+<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
 Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
 - 0 - Not encrypted
@ -165,42 +167,42 @@ Boolean value that indicates compliance with the enterprise encryption policy fo
 Supported operation is Get.
-<a href="" id="devicestatus-tpm"></a>**DeviceStatus/TPM**  
+<a href="" id="devicestatus-tpm"></a>**DeviceStatus/TPM**
 Added in Windows, version 1607. Node for the TPM query.
 Supported operation is Get.
-<a href="" id="devicestatus-tpm-specificationversion"></a>**DeviceStatus/TPM/SpecificationVersion**  
+<a href="" id="devicestatus-tpm-specificationversion"></a>**DeviceStatus/TPM/SpecificationVersion**
 Added in Windows, version 1607. String that specifies the specification version.
 Supported operation is Get.
-<a href="" id="devicestatus-os"></a>**DeviceStatus/OS**  
+<a href="" id="devicestatus-os"></a>**DeviceStatus/OS**
 Added in Windows, version 1607. Node for the OS query.
 Supported operation is Get.
-<a href="" id="devicestatus-os-edition"></a>**DeviceStatus/OS/Edition**  
+<a href="" id="devicestatus-os-edition"></a>**DeviceStatus/OS/Edition**
 Added in Windows, version 1607. String that specifies the OS edition.
 Supported operation is Get.
-<a href="" id="devicestatus-os-mode"></a>**DeviceStatus/OS/Mode**  
+<a href="" id="devicestatus-os-mode"></a>**DeviceStatus/OS/Mode**
 Added in Windows, version 1803. Read only node that specifies the device mode.
-Valid values:  
+Valid values:
 - 0 - The device is in standard configuration.
 - 1 - The device is in S mode configuration.
 Supported operation is Get.
-<a href="" id="devicestatus-antivirus"></a>**DeviceStatus/Antivirus**  
+<a href="" id="devicestatus-antivirus"></a>**DeviceStatus/Antivirus**
 Added in Windows, version 1607. Node for the antivirus query.
 Supported operation is Get.
-<a href="" id="devicestatus-antivirus-signaturestatus"></a>**DeviceStatus/Antivirus/SignatureStatus**  
+<a href="" id="devicestatus-antivirus-signaturestatus"></a>**DeviceStatus/Antivirus/SignatureStatus**
 Added in Windows, version 1607. Integer that specifies the status of the antivirus signature.
 Valid values:
@ -218,7 +220,7 @@ If more than one antivirus provider is active, this node returns:
 This node also returns 0 when no antivirus provider is active.
-<a href="" id="devicestatus-antivirus-status"></a>**DeviceStatus/Antivirus/Status**  
+<a href="" id="devicestatus-antivirus-status"></a>**DeviceStatus/Antivirus/Status**
 Added in Windows, version 1607. Integer that specifies the status of the antivirus.
 Valid values:
@ -231,12 +233,12 @@ Valid values:
 Supported operation is Get.
-<a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**  
+<a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**
 Added in Windows, version 1607. Node for the anti-spyware query.
 Supported operation is Get.
-<a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**  
+<a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**
 Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
 Valid values:
@ -254,7 +256,7 @@ If more than one anti-spyware provider is active, this node returns:
 This node also returns 0 when no anti-spyware provider is active.
-<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**  
+<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
 Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
 Valid values:
@ -266,12 +268,12 @@ Valid values:
 Supported operation is Get.
-<a href="" id="devicestatus-firewall"></a>**DeviceStatus/Firewall**  
+<a href="" id="devicestatus-firewall"></a>**DeviceStatus/Firewall**
 Added in Windows, version 1607. Node for the firewall query.
 Supported operation is Get.
-<a href="" id="devicestatus-firewall-status"></a>**DeviceStatus/Firewall/Status**  
+<a href="" id="devicestatus-firewall-status"></a>**DeviceStatus/Firewall/Status**
 Added in Windows, version 1607. Integer that specifies the status of the firewall.
 Valid values:
@ -284,75 +286,75 @@ Valid values:
 Supported operation is Get.
-<a href="" id="devicestatus-uac"></a>**DeviceStatus/UAC**  
+<a href="" id="devicestatus-uac"></a>**DeviceStatus/UAC**
 Added in Windows, version 1607. Node for the UAC query.
 Supported operation is Get.
-<a href="" id="devicestatus-uac-status"></a>**DeviceStatus/UAC/Status**  
+<a href="" id="devicestatus-uac-status"></a>**DeviceStatus/UAC/Status**
 Added in Windows, version 1607. Integer that specifies the status of the UAC.
 Supported operation is Get.
-<a href="" id="devicestatus-battery"></a>**DeviceStatus/Battery**  
+<a href="" id="devicestatus-battery"></a>**DeviceStatus/Battery**
 Added in Windows, version 1607. Node for the battery query.
 Supported operation is Get.
-<a href="" id="devicestatus-battery-status"></a>**DeviceStatus/Battery/Status**  
+<a href="" id="devicestatus-battery-status"></a>**DeviceStatus/Battery/Status**
 Added in Windows, version 1607. Integer that specifies the status of the battery
 Supported operation is Get.
-<a href="" id="devicestatus-battery-estimatedchargeremaining"></a>**DeviceStatus/Battery/EstimatedChargeRemaining**  
+<a href="" id="devicestatus-battery-estimatedchargeremaining"></a>**DeviceStatus/Battery/EstimatedChargeRemaining**
 Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
 The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
 Supported operation is Get.
-<a href="" id="devicestatus-battery-estimatedruntime"></a>**DeviceStatus/Battery/EstimatedRuntime**  
+<a href="" id="devicestatus-battery-estimatedruntime"></a>**DeviceStatus/Battery/EstimatedRuntime**
 Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
 The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
 Supported operation is Get.
-<a href="" id="devicestatus-domainname"></a>**DeviceStatus/DomainName**  
+<a href="" id="devicestatus-domainname"></a>**DeviceStatus/DomainName**
 Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string.
 Supported operation is Get.
-<a href="" id="devicestatus-deviceguard"></a>**DeviceStatus/DeviceGuard**  
+<a href="" id="devicestatus-deviceguard"></a>**DeviceStatus/DeviceGuard**
 Added in Windows, version 1709. Node for Device Guard query.
 Supported operation is Get.
-<a href="" id="devicestatus-deviceguard-virtualizationbasedsecurityhwreq"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**  
+<a href="" id="devicestatus-deviceguard-virtualizationbasedsecurityhwreq"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
 Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask.
 - 0x0: System meets hardware configuration requirements
- 0x1: SecureBoot required 
+- 0x1: SecureBoot required
 - 0x2: DMA Protection required
 - 0x4: HyperV not supported for Guest VM
 - 0x8: HyperV feature isn't available
 Supported operation is Get.
-<a href="" id="devicestatus-deviceguard-virtualizationbasedsecuritystatus"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**  
+<a href="" id="devicestatus-deviceguard-virtualizationbasedsecuritystatus"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
 Added in Windows, version 1709. Virtualization-based security status.  Value is one of the following:
 - 0 - Running
- 1 - Reboot required 
+- 1 - Reboot required
- 2 - 64-bit architecture required 
+- 2 - 64-bit architecture required
- 3 - Not licensed 
+- 3 - Not licensed
- 4 - Not configured 
+- 4 - Not configured
- 5 - System doesn't meet hardware requirements 
+- 5 - System doesn't meet hardware requirements
 - 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
 Supported operation is Get.
-<a href="" id="devicestatus-deviceguard-lsacfgcredguardstatus"></a>**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**  
+<a href="" id="devicestatus-deviceguard-lsacfgcredguardstatus"></a>**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
 Added in Windows, version 1709. Local System Authority (LSA) credential guard status.
 - 0 - Running
@ -363,6 +365,11 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
 Supported operation is Get.
 <a href="" id="devicestatus-certattestation-mdmclientcertattestation"></a>**DeviceStatus/CertAttestation/MDMClientCertAttestation**
 Added in Windows 11, version 22H2.  MDM Certificate attestation information.  This will return an XML blob containing the relevant attestation fields.
 Supported operation is Get.
 ## Related topics
 [Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@ -565,7 +565,7 @@ The data type is string.
 Default string is as follows:
-`https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
+`https://learn.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
 Add **SDDL**
@ -1677,4 +1677,4 @@ To read a log file:
 ## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
+[Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@ -2028,7 +2028,7 @@ The content below are the latest versions of the DDF files:
                    <Delete />
                    <Replace />
                  </AccessType>
-                  <Description>SDDL String controlling access to the channel. Default: https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
+                  <Description>SDDL String controlling access to the channel. Default: https://learn.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
                  <DFFormat>
                    <chr />
                  </DFFormat>
@ -2178,9 +2178,3 @@ The content below are the latest versions of the DDF files:
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@ -219,7 +219,7 @@ Requirements:
 4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
-5. Copy the PolicyDefinitions folder to `\\SYSVOL\contoso.com\policies\PolicyDefinitions`.
+5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
   If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@ -40,6 +40,7 @@ eUICCs
 ------------ServerName
 ----------------DiscoveryState
 ----------------AutoEnable
 ----------------IsDiscoveryServer
 --------Profiles
 ------------ICCID
 ----------------ServerName
@ -112,6 +113,13 @@ Supported operations are Add, Get, and Replace.
 Value type is bool.
 <a href="" id="euicc-downloadservers-servername-isdiscoveryserver"></a>**_eUICC_/DownloadServers/_ServerName_/IsDiscoveryServer**  
 Optional. Indicates whether the server is a discovery server. This setting must be defined by the MDM when the ServerName subtree is created.
 Supported operations are Add, Get, and Replace. 
 Value type is bool. Default value is false.
 <a href="" id="euicc-profiles"></a>**_eUICC_/Profiles**  
 Interior node. Required. Represents all enterprise-owned profiles.
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@ -247,6 +247,30 @@ The XML below if for Windows 10, version 1803.
                            </DFType>
                        </DFProperties>
                    </Node>
                    <Node>
                        <NodeName>IsDiscoveryServer</NodeName>
                        <DFProperties>
                            <AccessType>
                                <Add />
                                <Get />
                                <Replace />
                            </AccessType>
                            <DefaultValue>false</DefaultValue>
                            <Description>Indicates whether the server is a discovery server. Optional, default value is false.</Description>
                            <DFFormat>
                                <bool />
                            </DFFormat>
                            <Occurrence>
                                <ZeroOrOne />
                            </Occurrence>
                            <Scope>
                                <Dynamic />
                            </Scope>
                            <DFType>
                                <MIME>text/plain</MIME>
                            </DFType>
                        </DFProperties>
                    </Node>
                </Node>
            </Node>
            <Node>
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@ -92,7 +92,7 @@ The XML below is the current version for this CSP.
            <AccessType>
              <Get />
            </AccessType>
-            <Description>Provides the current status of the device health request.  For the complete list of status see https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description>
+            <Description>Provides the current status of the device health request.  For the complete list of status see https://learn.microsoft.com/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes</Description>
            <DFFormat>
              <int />
            </DFFormat>
@ -456,9 +456,3 @@ The XML below is the current version for this CSP.
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@ -0,0 +1,760 @@
 ---
 title: Local Administrator Password Solution CSP
 description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords.
 ms.author: jsimmons
 ms.topic: article
 ms.prod: w11
 ms.technology: windows
 author: jsimmons
 ms.localizationpriority: medium
 ms.date: 07/04/2022
 ms.reviewer: jsimmons
 manager: jsimmons
 ---
 # Local Administrator Password Solution CSP
 The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145.
 > [!IMPORTANT]
 > Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders.
 The following example shows the LAPS CSP in tree format.
 ```xml
 ./Device/Vendor/MSFT
 LAPS
 ----Policies
 --------BackupDirectory
 --------PasswordAgeDays
 --------PasswordLength
 --------PasswordComplexity
 --------PasswordExpirationProtectionEnabled
 --------AdministratorAccountName
 --------ADPasswordEncryptionEnabled
 --------ADPasswordEncryptionPrincipal
 --------ADEncryptedPasswordHistorySize
 --------PostAuthenticationResetDelay
 --------PostAuthenticationActions
 ----Actions
 --------ResetPassword
 --------ResetPasswordStatus
 ```
 The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
 |Setting name|Azure-joined|Hybrid-joined|
 |---|---|---|
 |BackupDirectory|Yes|Yes
 |PasswordAgeDays|Yes|Yes
 |PasswordLength|Yes|Yes|
 |PasswordComplexity|Yes|Yes|
 |PasswordExpirationProtectionEnabled|No|Yes|
 |AdministratorAccountName|Yes|Yes|
 |ADPasswordEncryptionEnabled|No|Yes|
 |ADPasswordEncryptionPrincipal|No|Yes|
 |ADEncryptedPasswordHistorySize|No|Yes|
 |PostAuthenticationResetDelay|Yes|Yes|
 |PostAuthenticationActions|Yes|Yes|
 |ResetPassword|Yes|Yes|
 |ResetPasswordStatus|Yes|Yes|
 > [!IMPORTANT]
 > Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see the TBD reference on LAPS policy configuration.
 ## ./Device/Vendor/MSFT/LAPS
 Defines the root node for the LAPS CSP.
 <!--Policy-->
 ### Policies
 Defines the interior parent node for all configuration-related settings in the LAPS CSP.
 <!--/Policy-->
 <!--Policy-->
 ### BackupDirectory
 <!--Description-->
 Allows the administrator to configure which directory the local administrator account password is backed up to.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 Data type is integer. Supported operations are Add, Get, Replace, and Delete.
 <!--SupportedValues-->
 The allowable settings are:
 |Value|Description of setting|
 |--- |--- |
 |0|Disabled (password won't be backed up)|
 |1|Back up the password to Azure AD only|
 |2|Back up the password to Active Directory only|
 If not specified, this setting will default to 0 (disabled).
 <!--/SupportedValues-->
 <!--/Policy-->
 <!--Policy-->
 ### PasswordAgeDays
 <!--Description-->
 Use this policy to configure the maximum password age of the managed local administrator account.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 If not specified, this setting will default to 30 days
 This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password Azure AD.
 This setting has a maximum allowed value of 365 days.
 <!--/SupportedValues-->
 Data type is integer.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ### PasswordComplexity
 <!--Description-->
 Use this setting to configure password complexity of the managed local administrator account.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 The allowable settings are:
 |Value|Description of setting|
 |--- |--- |
 |1|Large letters|
 |2|Large letters + small letters|
 |3|Large letters + small letters + numbers|
 |4|Large letters + small letters + numbers + special characters|
 If not specified, this setting will default to 4.
 > [!IMPORTANT]
 > Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS. Microsoft recommends that this setting always be configured to 4.
 <!--/SupportedValues-->
 Data type is integer.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ### PasswordLength
 <!--Description-->
 Use this setting to configure the length of the password of the managed local administrator account.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 If not specified, this setting will default to 14 characters.
 This setting has a minimum allowed value of 8 characters.
 This setting has a maximum allowed value of 64 characters.
 <!--/SupportedValues-->
 Data type is integer.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ### AdministratorAccountName
 <!--Description-->
 Use this setting to configure the name of the managed local administrator account.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed).
 If specified, the specified account's password will be managed.
 > [!IMPORTANT]
 > If a custom account name is specified in this setting, the specified account must be created via other means. Specifying a name in this setting will not cause the account to be created.
 <!--/SupportedValues-->
 Data type is string.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ### PasswordExpirationProtectionEnabled
 <!--Description-->
 Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 When this setting is set to True, planned password expiration that would result in a password age greater than what is specified by the "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately, and the new password expiration date is set according to policy.
 If not specified, this setting defaults to True.
 > [!IMPORTANT]
 > This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory.
 <!--/SupportedValues-->
 Data type is boolean.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ### ADPasswordEncryptionEnabled
 <!--Description-->
 Use this setting to configure whether the password is encrypted before being stored in Active Directory.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 This setting is ignored if the password is currently being stored in Azure.
 If this setting is set to True, and the Active Directory domain meets the 2016 DFL prerequisite, the password is encrypted before being stored in Active Directory.
 If this setting is missing or set to False, or the Active Directory domain doesn't meet the DFL prerequisite, the password is stored as clear-text in Active Directory.
 If not specified, this setting defaults to False.
 > [!IMPORTANT]
 > This setting is ignored unless BackupDirectory is configured to back up the password to Active Directory, AND the the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
 <!--/SupportedValues-->
 Data type is boolean.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ### ADPasswordEncryptionPrincipal
 <!--Description-->
 Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 This setting is ignored if the password is currently being stored in Azure.
 If not specified, the password can only be decrypted by the Domain Admins group in the device's domain.
 If specified, the specified user or group will be able to decrypt the password stored in Active Directory.
 If the specified user or group account is invalid the device will fall back to using the Domain Admins group in the device's domain.
 > [!IMPORTANT]
 > The string stored in this setting must be either a SID in string form or the fully qualified name of a user or group. Valid examples include:
 >
 > "S-1-5-21-2127521184-1604012920-1887927527-35197"
 >
 > "contoso\LAPSAdmins"
 >
 > "lapsadmins@contoso.com"
 >
 > The principal identified (either by SID or user\group name) must exist and be resolvable by the device.
 > [!IMPORTANT]
 > This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.
 <!--/SupportedValues-->
 Data type is string.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ### ADEncryptedPasswordHistorySize
 <!--Description-->
 Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 If not specified, this setting will default to 0 passwords (disabled).
 This setting has a minimum allowed value of 0 passwords.
 This setting has a maximum allowed value of 12 passwords.
 > [!IMPORTANT]
 > This setting is ignored unless ADPasswordEncryptionEnabled is configured to True and all other prerequisites are met.
 <!--/SupportedValues-->
 Data type is integer.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ### PostAuthenticationResetDelay
 <!--Description-->
 Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions (see the PostAuthenticationActions setting below).
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 If not specified, this setting will default to 24 hours.
 This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions).
 This setting has a maximum allowed value of 24 hours.
 <!--/SupportedValues-->
 Data type is integer.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ### PostAuthenticationActions
 <!--Description-->
 Use this setting to specify the actions to take upon expiration of the configured grace period (see the PostAuthenticationResetDelay setting above).
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 This setting can have ONE of the following values:
 |Value|Name|Action(s) taken upon expiry of the grace period|
 |--- |--- |--- |
 |1|Reset password|The managed account password will be reset|
 |3|Reset password and log off|The managed account password will be reset and any interactive logon sessions using the managed account will be terminated|
 |5|Reset password and reboot|The managed account password will be reset and the managed device will be immediately rebooted.|
 If not specified, this setting will default to 3.
 > [!IMPORTANT]
 > The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss.
 > [!IMPORTANT]
 > From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms.
 <!--/SupportedValues-->
 Data type is integer.
 Supported operations are Add, Get, Replace, and Delete.
 <!--/Policy-->
 <!--Policy-->
 ## Actions
 Defines the parent interior node for all action-related settings in the LAPS CSP.
 <!--/Policy-->
 <!--Policy-->
 ### ResetPassword
 <!--Description-->
 Use this Execute action to request an immediate reset of the local administrator account password, ignoring the normal constraints such as PasswordLengthDays, etc.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 <!--/SupportedValues-->
 Data type is integer.
 Supported operations are Execute.
 <!--/Policy-->
 <!--Policy-->
 ### ResetPasswordStatus
 <!--Description-->
 Use this setting to query the status of the last submitted ResetPassword action.
 <!--/Description-->
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|Yes|
 |Pro|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 The value returned is an HRESULT code.
 S_OK (0x0) - the last submitted ResetPassword action succeeded.
 E_PENDING (0x8000000) - the last submitted ResetPassword action is still executing.
 other - the last submitted ResetPassword action encountered the returned error.
 <!--/SupportedValues-->
 Data type is integer.
 Supported operations are Get.
 <!--/Policy-->
 ### SyncML examples
 The following examples are provided to show proper format and shouldn't be taken as a recommendation.
 #### Azure-joined device backing password up to Azure AD
 This example is configuring an Azure-joined device to back up its password to Azure Active Directory:
 ```xml
 <SyncMl xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Add>
      <CmdId>1</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>1</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>2</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>7</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>3</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>4</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>4</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordLength</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>32</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>5</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>ContosoLocalLapsAdmin</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>6</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>8</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>7</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>3</Data>
      </Item>
    </Add>&lt;Final/&gt;</SyncBody>
 </SyncMl>
 ```
 #### Hybrid-joined device backing password up to Active Directory
 This example is configuring a hybrid device to back up its password to Active Directory with password encryption enabled:
 ```xml
 <SyncMl xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Add>
      <CmdId>1</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>2</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>2</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordAgeDays</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>20</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>3</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>3</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>4</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordLength</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>14</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>5</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/AdministratorAccountName</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>ContosoLocalLapsAdmin</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>6</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PasswordExpirationProtectionEnabled</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">bool</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>True</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>7</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionEnabled</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">bool</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>True</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>8</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADPasswordEncryptionPrincipal</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>LAPSAdmins@contoso.com</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>9</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/ADEncryptedPasswordHistorySize</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>6</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>10</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationResetDelay</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>4</Data>
      </Item>
    </Add>
    <Add>
      <CmdId>11</CmdId>
      <Item>
        <Target>
          <LocURI>./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
          <Type>text/plain</Type>
        </Meta>
        <Data>5</Data>
      </Item>
    </Add>&lt;Final/&gt;</SyncBody>
 </SyncMl>
 ```
 ## Related articles
 [Configuration service provider reference](configuration-service-provider-reference.md)
--- a/windows/client-management/mdm/laps-ddf-file.md
+++ b/windows/client-management/mdm/laps-ddf-file.md
@ -0,0 +1,654 @@
 ---
 title: LAPS DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider.
 ms.author: jsimmons
 ms.topic: article
 ms.prod: w11
 ms.technology: windows
 author: jsimmons
 ms.localizationpriority: medium
 ms.date: 07/04/2022
 ms.reviewer: jsimmons
 manager: jsimmons
 ---
 # Local Administrator Password Solution DDF file
 This article shows the OMA DM device description framework (DDF) for the Local Administrator Password Solution (LAPS) configuration service provider. 
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
 The XML below is the current version for this CSP.
 ```xml
 <?xml version='1.0' encoding='utf-8' standalone='yes'?>
 <identity
  xmlns="urn:Microsoft.CompPlat/ManifestSchema.v1.00"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  owner="Microsoft"
  namespace="Windows-DeviceManagement-CspDefinition"
  name="LAPS">
  <cspDefinition>
    <MgmtTree>
      <VerDTD>1.2</VerDTD>
      <BinaryPath>"%windir%\system32\LapsCSP.dll</BinaryPath>
      <Diagnostics></Diagnostics>
      <ComClsid>{298a6f17-03e7-4bd4-971c-544f359527b7}</ComClsid>
      <Node>
        <NodeName>LAPS</NodeName>
        <Path>./Device/Vendor/MSFT</Path>
        <DFProperties>
          <AccessType>
            <Get />
          </AccessType>
          <Description>The root node for the LAPS configuration service provider.</Description>
          <DFFormat>
            <node />
          </DFFormat>
          <Occurrence>
            <One />
          </Occurrence>
          <Scope>
            <Permanent />
          </Scope>
          <DFType>
            <DDFName></DDFName>
          </DFType>
          <Applicability>
            <OsBuildVersion>99.9.99999</OsBuildVersion>
            <CspVersion>1.0</CspVersion>
          </Applicability>
          <ExposedTo>
            <Mdm />
          </ExposedTo>
        </DFProperties>
        <Node>
          <NodeName>Policies</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
            </AccessType>
            <Description>Root node for LAPS policies.</Description>
            <DFFormat>
              <node />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFTitle>Policies</DFTitle>
            <DFType>
              <DDFName></DDFName>
            </DFType>
            <AtomicRequired />
          </DFProperties>
          <Node>
            <NodeName>BackupDirectory</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <DefaultValue>0</DefaultValue>
              <Description>Use this setting to configure which directory the local admin account password is backed up to.
 The allowable settings are:
 0=Disabled (password will not be backed up)
 1=Backup the password to Azure AD only
 2=Backup the password to Active Directory only
 If not specified, this setting will default to 0.</Description>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AllowedValues ValueType="ENUM">
                <Enum>
                  <Value>0</Value>
                  <ValueDescription>Disabled (password will not be backed up)</ValueDescription>
                </Enum>
                <Enum>
                  <Value>1</Value>
                  <ValueDescription>Backup the password to Azure AD only</ValueDescription>
                </Enum>
                <Enum>
                  <Value>2</Value>
                  <ValueDescription>Backup the password to Active Directory only</ValueDescription>
                </Enum>
              </AllowedValues>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>PasswordAgeDays</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <DefaultValue>30</DefaultValue>
              <Description>Use this policy to configure the maximum password age of the managed local administrator account.
 If not specified, this setting will default to 30 days
 This setting has a minimum allowed value of 1 day when backing the password to onpremises Active Directory, and 7 days when backing the password to Azure AD.
 This setting has a maximum allowed value of 365 days.</Description>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AllowedValues ValueType="Range">
                <Value>[1-365]</Value>
              </AllowedValues>
              <DependencyBehavior>
                <DependencyGroup FriendlyId="BackupDirectory">
                  <DependencyChangedAllowedValues ValueType="Range">
                      <Value>[7-365]</Value>
                  </DependencyChangedAllowedValues>
                  <Dependency Type="DependsOn">
                    <DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
                    <DependencyAllowedValue ValueType="ENUM">
                      <Enum>
                        <Value>1</Value>
                        <ValueDescription>BackupDirectory configured to Azure AD</ValueDescription>
                      </Enum>
                    </DependencyAllowedValue>
                  </Dependency>
                </DependencyGroup>
              </DependencyBehavior>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>PasswordComplexity</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <DefaultValue>4</DefaultValue>
              <Description>Use this setting to configure password complexity of the managed local administrator account.
 The allowable settings are:
 1=Large letters
 2=Large letters + small letters
 3=Large letters + small letters + numbers
 4=Large letters + small letters + numbers + special characters
 If not specified, this setting will default to 4.</Description>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AllowedValues ValueType="ENUM">
                <Enum>
                  <Value>1</Value>
                  <ValueDescription>Large letters</ValueDescription>
                </Enum>
                <Enum>
                  <Value>2</Value>
                  <ValueDescription>Large letters + small letters</ValueDescription>
                </Enum>
                <Enum>
                  <Value>3</Value>
                  <ValueDescription>Large letters + small letters + numbers</ValueDescription>
                </Enum>
                <Enum>
                  <Value>4</Value>
                  <ValueDescription>Large letters + small letters + numbers + special characters</ValueDescription>
                </Enum>
              </AllowedValues>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>PasswordLength</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <DefaultValue>14</DefaultValue>
              <Description>Use this setting to configure the length of the password of the managed local administrator account.
 If not specified, this setting will default to 14 characters.
 This setting has a minimum allowed value of 8 characters.
 This setting has a maximum allowed value of 64 characters.</Description>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AllowedValues ValueType="Range">
                <Value>[8-64]</Value>
              </AllowedValues>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>AdministratorAccountName</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <Description>Use this setting to configure the name of the managed local administrator account.
 If not specified, the default built-in local administrator account will be located by well-known SID (even if renamed).
 If specified, the specified account's password will be managed.
 Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created.</Description>
              <DFFormat>
                <chr />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>PasswordExpirationProtectionEnabled</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <DefaultValue>True</DefaultValue>
              <Description>Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
 When this setting is enabled, planned password expiration that would result in a password age greater than that dictated by "PasswordAgeDays" policy is NOT allowed. When such expiration is detected, the password is changed immediately and the new password expiration date is set according to policy.
 If not specified, this setting defaults to True.</Description>
              <DFFormat>
                <bool />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AllowedValues ValueType="ENUM">
                <Enum>
                  <Value>false</Value>
                  <ValueDescription>Allow configured password expiriration timestamp to exceed maximum password age</ValueDescription>
                </Enum>
                <Enum>
                  <Value>true</Value>
                  <ValueDescription>Do not allow configured password expiriration timestamp to exceed maximum password age</ValueDescription>
                </Enum>
              </AllowedValues>
              <DependencyBehavior>
                <DependencyGroup FriendlyId="BackupDirectory">
                  <Dependency Type="DependsOn">
                    <DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
                    <DependencyAllowedValue ValueType="ENUM">
                      <Enum>
                        <Value>2</Value>
                        <ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
                      </Enum>
                    </DependencyAllowedValue>
                  </Dependency>
                </DependencyGroup>
              </DependencyBehavior>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>ADPasswordEncryptionEnabled</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <DefaultValue>False</DefaultValue>
              <Description>Use this setting to configure whether the password is encrypted before being stored in Active Directory.
 This setting is ignored if the password is currently being stored in Azure.
 This setting is only honored when the Active Directory domain is at Windows Server 2016 Domain Functional Level or higher.
 If this setting is enabled, and the Active Directory domain meets the DFL prerequisite, the password will be encrypted before before being stored in Active Directory.
 If this setting is disabled, or the Active Directory domain does not meet the DFL prerequisite, the password will be stored as clear-text in Active Directory.
 If not specified, this setting defaults to False.</Description>
              <DFFormat>
                <bool />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AllowedValues ValueType="ENUM">
                <Enum>
                  <Value>false</Value>
                  <ValueDescription>Store the password in clear-text form in Active Directory</ValueDescription>
                </Enum>
                <Enum>
                  <Value>true</Value>
                  <ValueDescription>Store the password in encrypted form in Active Directory</ValueDescription>
                </Enum>
              </AllowedValues>
              <DependencyBehavior>
                <DependencyGroup FriendlyId="BackupDirectory">
                  <Dependency Type="DependsOn">
                    <DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
                    <DependencyAllowedValue ValueType="ENUM">
                      <Enum>
                        <Value>2</Value>
                        <ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
                      </Enum>
                    </DependencyAllowedValue>
                  </Dependency>
                </DependencyGroup>
              </DependencyBehavior>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>ADPasswordEncryptionPrincipal</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <Description>Use this setting to configure the name or SID of a user or group that can decrypt the password stored in Active Directory.
 This setting is ignored if the password is currently being stored in Azure.
 If not specified, the password will be decryptable by the Domain Admins group in the device's domain.
 If specified, the specified user or group will be able to decrypt the password stored in Active Directory.
 If the specified user or group account is invalid the device will fallback to using the Domain Admins group in the device's domain.</Description>
              <DFFormat>
                <chr />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <DependencyBehavior>
                <DependencyGroup FriendlyId="BackupDirectory">
                  <Dependency Type="DependsOn">
                    <DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
                    <DependencyAllowedValue ValueType="ENUM">
                      <Enum>
                        <Value>2</Value>
                        <ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
                      </Enum>
                    </DependencyAllowedValue>
                  </Dependency>
                </DependencyGroup>
              </DependencyBehavior>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>ADEncryptedPasswordHistorySize</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <DefaultValue>0</DefaultValue>
              <Description>Use this setting to configure how many previous encrypted passwords will be remembered in Active Directory.
 If not specified, this setting will default to 0 passwords (disabled).
 This setting has a minimum allowed value of 0 passwords.
 This setting has a maximum allowed value of 12 passwords.</Description>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AllowedValues ValueType="Range">
                <Value>[0-12]</Value>
              </AllowedValues>
              <DependencyBehavior>
                <DependencyGroup FriendlyId="BackupDirectory">
                  <Dependency Type="DependsOn">
                    <DependencyUri>Vendor/MSFT/LAPS/Policies/BackupDirectory</DependencyUri>
                    <DependencyAllowedValue ValueType="ENUM">
                      <Enum>
                        <Value>2</Value>
                        <ValueDescription>BackupDirectory configured to Active Directory</ValueDescription>
                      </Enum>
                    </DependencyAllowedValue>
                  </Dependency>
                </DependencyGroup>
              </DependencyBehavior>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>PostAuthenticationResetDelay</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <DefaultValue>24</DefaultValue>
              <Description>Use this setting to specify the amount of time (in hours) to wait after an authentication before executing the specified post-authentication actions.
  If not specified, this setting will default to 24 hours.
  This setting has a minimum allowed value of 0 hours (this disables all post-authentication actions).
  This setting has a maximum allowed value of 24 hours.</Description>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AllowedValues ValueType="Range">
                <Value>[0-24]</Value>
              </AllowedValues>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>PostAuthenticationActions</NodeName>
            <DFProperties>
              <AccessType>
                <Add />
                <Delete />
                <Get />
                <Replace />
              </AccessType>
              <DefaultValue>3</DefaultValue>
              <Description>Use this setting to specify the actions to take upon expiration of the configured grace period.
 If not specified, this setting will default to 3 (Reset the password and logoff the managed account).
              </Description>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <ZeroOrOne />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AllowedValues ValueType="ENUM">
                <Enum>
                  <Value>1</Value>
                  <ValueDescription>Reset password: upon expiry of the grace period, the managed account password will be reset.</ValueDescription>
                </Enum>
                <Enum>
                  <Value>3</Value>
                  <ValueDescription>Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated.</ValueDescription>
                </Enum>
                <Enum>
                  <Value>5</Value>
                  <ValueDescription>Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.</ValueDescription>
                </Enum>
              </AllowedValues>
            </DFProperties>
          </Node>
        </Node>
        <Node>
          <NodeName>Actions</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
            </AccessType>
            <DFFormat>
              <node />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFTitle>Actions</DFTitle>
            <DFType>
              <DDFName></DDFName>
            </DFType>
          </DFProperties>
          <Node>
            <NodeName>ResetPassword</NodeName>
            <DFProperties>
              <AccessType>
                <Exec />
              </AccessType>
              <Description>Use this setting to tell the CSP to immediately generate and store a new password for the managed local administrator account.</Description>
              <DFFormat>
                <null />
              </DFFormat>
              <Occurrence>
                <One />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
              <AsynchronousTracking ResourceSuccessURI="ResetPasswordStatus" ResourceSuccessValues="0" ResourceInProgressValues="10" ResourceFailureValues="20"/>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>ResetPasswordStatus</NodeName>
            <DFProperties>
              <AccessType>
                <Get />
              </AccessType>
              <DefaultValue>0</DefaultValue>
              <Description>Use this setting to query the status of the last submitted ResetPassword execute action.</Description>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <One />
              </Occurrence>
              <Scope>
                <Dynamic />
              </Scope>
              <DFTitle>ResetPasswordStatus</DFTitle>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
            </DFProperties>
          </Node>
        </Node>
      </Node>
    </MgmtTree>
  </cspDefinition>
 </identity>
 ```
 ## Related articles
 [LAPS configuration service provider](laps-csp.md)
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
--- a/windows/client-management/mdm/personaldataencryption-csp.md
+++ b/windows/client-management/mdm/personaldataencryption-csp.md
@ -0,0 +1,47 @@
 ---
 title: PersonalDataEncryption CSP
 description: Learn how the PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices.
 ms.author: v-nsatapathy
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.localizationpriority: medium
 ms.date: 09/12/2022
 ms.reviewer: 
 manager: dansimp
 ms.collection: highpri
 ---
 # PersonalDataEncryption CSP
 The PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
 The following shows the PersonalDataEncryption configuration service provider in tree format:
 ```
 ./User/Vendor/MSFT/PDE
 -- EnablePersonalDataEncryption
 -- Status
 -------- PersonalDataEncryptionStatus
 ```
 **EnablePersonalDataEncryption**: 
 - 0 is default (disabled)
 - 1 (enabled) will make Personal Data Encryption (PDE) public API available to applications for the user: [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). 
 The public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for the PDE to be enabled.
 **Status/PersonalDataEncryptionStatus**: Reports the current status of Personal Data Encryption (PDE) for the user. If prerequisites of PDE aren't met, then the status will be 0. If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
 > [!Note]
 > The policy is only applicable on Enterprise and Education SKUs.
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|No|
 |Business|No|No|
 |Enterprise|No|Yes|
 |Education|No|Yes|
--- a/windows/client-management/mdm/personaldataencryption-ddf-file.md
+++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md
@ -0,0 +1,127 @@
 ---
 title: PersonalDataEncryption DDF file
 description: Learn about the OMA DM device description framework (DDF) for the PersonalDataEncryption configuration service provider.
 ms.author: v-nsatapathy
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nimishasatapathy
 ms.localizationpriority: medium
 ms.date: 09/10/2022
 ms.reviewer: 
 manager: dansimp
 ---
 # PersonalDataEncryption DDF file
 This topic shows the OMA DM device description framework (DDF) for the **PersonalDataEncryption** configuration service provider. 
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
 The XML below is the current version for this CSP. 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
  "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
  [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
 <MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
  <VerDTD>1.2</VerDTD>  
  <Node>
    <NodeName>PDE</NodeName>
    <Path>./User/Vendor/MSFT</Path>
    <DFProperties>
      <AccessType>
        <Get />
      </AccessType>
      <DFFormat>
        <node />
      </DFFormat>
      <Occurrence>
        <One />
      </Occurrence>
      <Scope>
        <Permanent />
      </Scope>
      <DFType>
        <DDFName />
      </DFType>      
    </DFProperties>
    <Node>
      <NodeName>EnablePersonalDataEncryption</NodeName>
      <DFProperties>
        <AccessType>
          <Add />
          <Delete />
          <Get />
          <Replace />
        </AccessType>
        <Description>Allows the Admin to enable Personal Data Encryption. Set to '1' to set this policy.</Description>
        <DFFormat>
          <int />
        </DFFormat>
        <Occurrence>
          <One />
        </Occurrence>
        <Scope>
          <Dynamic />
        </Scope>
        <DFType>
          <MIME />
        </DFType>
        <MSFT:AllowedValues ValueType="ENUM">
          <MSFT:Enum>
            <MSFT:Value>0</MSFT:Value>
            <MSFT:ValueDescription>Disable Personal Data Encryption.</MSFT:ValueDescription>
          </MSFT:Enum>
          <MSFT:Enum>
            <MSFT:Value>1</MSFT:Value>
            <MSFT:ValueDescription>Enable Personal Data Encryption.</MSFT:ValueDescription>
          </MSFT:Enum>
        </MSFT:AllowedValues>
      </DFProperties>
    </Node>
    <Node>
      <NodeName>Status</NodeName>
      <DFProperties>
        <AccessType>
          <Get />
        </AccessType>
        <DFFormat>
          <node />
        </DFFormat>
        <Occurrence>
          <One />
        </Occurrence>
        <Scope>
          <Permanent />
        </Scope>
        <DFType>
          <DDFName />
        </DFType>
      </DFProperties>
      <Node>
        <NodeName>PersonalDataEncryptionStatus</NodeName>
        <DFProperties>
          <AccessType>
            <Get />
          </AccessType>
          <Description>This node reports the current state of Personal Data Encryption for a user. '0' means disabled. '1' means enabled.</Description>
          <DFFormat>
            <int />
          </DFFormat>
          <Occurrence>
            <One />
          </Occurrence>
          <Scope>
            <Permanent />
          </Scope>
          <DFType>
            <MIME />
          </DFType>
        </DFProperties>
      </Node>
    </Node>
  </Node>
 </MgmtTree>
 ```
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@ -1559,6 +1559,16 @@ ms.date: 10/08/2020
 - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
 - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
 - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
 - [DesktopAppInstaller/EnableAdditionalSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources)
 - [DesktopAppInstaller/EnableAppInstaller](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller)
 - [DesktopAppInstaller/EnableLocalManifestFiles](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles)
 - [DesktopAppInstaller/EnableHashOverride](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride)
 - [DesktopAppInstaller/EnableMicrosoftStoreSource](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource)
 - [DesktopAppInstaller/EnableMSAppInstallerProtocol](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol)
 - [DesktopAppInstaller/EnableSettings](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings)
 - [DesktopAppInstaller/EnableAllowedSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources)
 - [DesktopAppInstaller/EnableExperimentalFeatures](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures)
 - [DesktopAppInstaller/SourceAutoUpdateInterval](./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval)
 - [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
 - [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
 - [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -5173,6 +5173,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  </dd>
 </dl>
 ### ADMX_WindowsRemoteManagement policies  
 <dl>
@ -6303,6 +6304,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  </dd>
 </dl>
 ### DesktopAppInstaller policies 
 <dl>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources" id="desktopappinstaller-enableadditionalsources">DesktopAppInstaller/EnableAdditionalSources</a>
  </dd>
 <dd>
    <a href="/policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller"id="desktopappinstaller-enableappinstaller">DesktopAppInstaller/EnableAppInstaller</a>
  </dd>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#desktopappinstaller-enabledefaultsource"id="desktopappinstaller-enabledefaultsource">DesktopAppInstaller/EnableDefaultSource</a>
  </dd>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablelocalmanifestfiles"id="desktopappinstaller-enablelocalmanifestfiles">DesktopAppInstaller/EnableLocalManifestFiles</a>
  </dd>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablehashoverride"id="desktopappinstaller-enablehashoverride">DesktopAppInstaller/EnableHashOverride</a>
  </dd>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablemicrosoftstoresource"id="desktopappinstaller-enablemicrosoftstoresource">DesktopAppInstaller/EnableMicrosoftStoreSource</a>
  </dd>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablemsappinstallerprotocol"id="desktopappinstaller-enablemsappinstallerprotocol">DesktopAppInstaller/EnableMSAppInstallerProtocol</a>
  </dd>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablesettings"id="desktopappinstaller-enablesettings">DesktopAppInstaller/EnableSettings</a>
  </dd>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enableallowedsources"id="desktopappinstaller-enableallowedsources">DesktopAppInstaller/EnableAllowedSources</a>
  </dd>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enableexperimentalfeatures"id="desktopappinstaller-enableexperimentalfeatures">DesktopAppInstaller/EnableExperimentalFeatures</a>
  </dd>
  <dd>
    <a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-sourceautoupdateinterval"id="desktopappinstaller-sourceautoupdateinterval">DesktopAppInstaller/SourceAutoUpdateInterval</a>
  </dd>
 </dl>
 ### DeviceGuard policies
 <dl>
@ -6550,6 +6588,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  <dd>
    <a href="./policy-csp-experience.md#experience-allowsyncmysettings" id="experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
  </dd>
  <dd>
    <a href="./policy-csp-experience.md#experience-allowspotlightcollection" id="experience-allowspotlightcollection">Experience/AllowSpotlightCollection</a>
  </dd>
  <dd>
    <a href="./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata" id="experience-allowtailoredexperienceswithdiagnosticdata">Experience/AllowTailoredExperiencesWithDiagnosticData</a>
  </dd>
@ -7895,6 +7936,42 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
 ### Printers policies
 <dl>
  <dd>
    <a href="./policy-csp-printers.md#printers-approvedusbprintdevices" id="printers-approvedusbprintdevices">Printers/ApprovedUsbPrintDevices</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-approvedusbprintdevicesuser" id="printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configurecopyfilespolicy" id="printers-configurecopyfilespolicy">Printers/ConfigureCopyFilesPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configuredrivervalidationlevel" id="printers-configuredrivervalidationlevel">Printers/ConfigureDriverValidationLevel</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configureipppagecountspolicy" id="printers-configureipppagecountspolicy">Printers/ConfigureIppPageCountsPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configureredirectionguardpolicy" id="printers-configureredirectionguardpolicy">Printers/ConfigureRedirectionGuardPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configurerpcconnectionpolicy" id="printers-configurerpcconnectionpolicy">Printers/ConfigureRpcConnectionPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configurerpclistenerpolicy" id="printers-configurerpclistenerpolicy">Printers/ConfigureRpcListenerPolicy</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-configurerpctcpport" id="printers-configurerpctcpport">Printers/ConfigureRpcTcpPort</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-enabledevicecontrol" id="printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-enabledevicecontroluser" id="printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-managedriverexclusionlist" id="printers-managedriverexclusionlist">Printers/ManageDriverExclusionList</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-pointandprintrestrictions" id="printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
  </dd>
@ -7904,6 +7981,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  <dd>
    <a href="./policy-csp-printers.md#printers-publishprinters" id="printers-publishprinters">Printers/PublishPrinters</a>
  </dd>
  <dd>
    <a href="./policy-csp-printers.md#printers-restrictdriverinstallationtoadministrators" id="printers-restrictdriverinstallationtoadministrators">Printers/RestrictDriverInstallationToAdministrators</a>
  </dd>
 </dl>
 ### Privacy policies
@ -8360,6 +8440,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  <dd>
    <a href="./policy-csp-search.md#search-disableremovabledriveindexing" id="search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
  </dd>
  <dd>
    <a href="./policy-csp-search.md#search-disablesearch" id="search-disablesearch">Search/DisableSearch</a>
  </dd>
  <dd>
    <a href="./policy-csp-search.md#search-donotusewebresults" id="search-donotusewebresults">Search/DoNotUseWebResults</a>
  </dd>
@ -8514,6 +8597,12 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  </dd>
  <dd>
    <a href="./policy-csp-start.md#start-disablecontextmenus" id="start-disablecontextmenus">Start/DisableContextMenus</a>
  </dd> 
  <dd>
    <a href="./policy-csp-start.md#start-disablecontrolcenter" id="start-disablecontrolcenter">Start/DisableControlCenter</a>
  </dd>
  <dd>
    <a href="./policy-csp-start.md#start-disableeditingquicksettings" id="start-disableeditingquicksettings">Start/DisableEditingQuickSettings</a>
  </dd>
  <dd>
    <a href="./policy-csp-start.md#start-forcestartsize" id="start-forcestartsize">Start/ForceStartSize</a>
@ -8545,6 +8634,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  <dd>
    <a href="./policy-csp-start.md#start-hiderecentlyaddedapps" id="start-hiderecentlyaddedapps">Start/HideRecentlyAddedApps</a>
  </dd>
  <dd>
    <a href="./policy-csp-start.md#start-hiderecommendedsection" id="start-hiderecommendedsection">Start/HideRecommendedSection</a>
  </dd>
  <dd>
    <a href="./policy-csp-start.md#start-hiderestart" id="start-hiderestart">Start/HideRestart</a>
  </dd>
@ -8560,6 +8652,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  <dd>
    <a href="./policy-csp-start.md#start-hideswitchaccount" id="start-hideswitchaccount">Start/HideSwitchAccount</a>
  </dd>
  <dd>
    <a href="./policy-csp-start.md#start-hidetaskviewbutton" id="start-hidetaskviewbutton">Start/HideTaskViewButton</a>
  </dd>
  <dd>
    <a href="./policy-csp-start.md#start-hideusertile" id="start-hideusertile">Start/HideUserTile</a>
  </dd>
@ -8569,6 +8664,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  <dd>
    <a href="./policy-csp-start.md#start-nopinningtotaskbar" id="start-nopinningtotaskbar">Start/NoPinningToTaskbar</a>
  </dd>
  <dd>
    <a href="./policy-csp-start.md#start-simplifyquicksettings" id="start-simplifyquicksettings">Start/SimplifyQuickSettings</a>
  </dd>
  <dd>
    <a href="./policy-csp-start.md#start-startlayout" id="start-startlayout">Start/StartLayout</a>
  </dd>
@ -9166,6 +9264,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  </dd>
 </dl>
 ### WebThreatDefense policies
 <dl>
  <dd>
    <a href="./policy-csp-webthreatdefense.md#webthreatdefense-enableservice" id="webthreatdefense-enableservice">WebThreatDefense/EnableService</a>
  </dd>
  <dd>
    <a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifymalicious" id="webthreatdefense-notifymalicious">WebThreatDefense/NotifyMalicious</a>
  </dd>
  <dd>
    <a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifypasswordreuse" id="webthreatdefense-notifypasswordreuse">WebThreatDefense/NotifyPasswordReuse</a>
  </dd>
  <dd>
    <a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifyunsafeapp" id="webthreatdefense-notifyunsafeapp">WebThreatDefense/NotifyUnsafeApp</a>
  </dd>
 </dl>
 ### Wifi policies
 <dl>
@ -9308,6 +9423,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
  <dd>
    <a href="./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation" id="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
  </dd>
  <dd>
    <a href="./policy-csp-windowslogon.md#windowslogon-enablemprnotifications" id="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
  </dd>
  <dd>
    <a href="./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers" id="windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
  </dd>
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@ -0,0 +1,595 @@
 ---
 title: Policy CSP - DesktopAppInstaller
 description: Learn about the Policy CSP - DesktopAppInstaller.
 ms.author: v-aljupudi
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: alekyaj
 ms.date: 08/24/2022
 ms.reviewer: 
 manager: aaroncz
 ---
 # Policy CSP - DesktopAppInstaller
 >[!TIP]
 > These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <hr/>
 <!--Policies-->
 ## DesktopAppInstaller policies  
 <dl>
  <dd>
    <a href="#desktopappinstaller-enableadditionalsources">DesktopAppInstaller/EnableAdditionalSources</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-enableappinstaller">DesktopAppInstaller/EnableAppInstaller</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-enabledefaultsource">DesktopAppInstaller/EnableDefaultSource</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-enablelocalmanifestfiles">DesktopAppInstaller/EnableLocalManifestFiles</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-enablehashoverride">DesktopAppInstaller/EnableHashOverride</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-enablemicrosoftstoresource">DesktopAppInstaller/EnableMicrosoftStoreSource</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-enablemsappinstallerprotocol">DesktopAppInstaller/EnableMSAppInstallerProtocol</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-enablesettings">DesktopAppInstaller/EnableSettings</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-enableallowedsources">DesktopAppInstaller/EnableAllowedSources</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-enableexperimentalfeatures">DesktopAppInstaller/EnableExperimentalFeatures</a>
  </dd>
  <dd>
    <a href="#desktopappinstaller-sourceautoupdateinterval">DesktopAppInstaller/SourceAutoUpdateInterval</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-enableadditionalsources"></a>**DesktopAppInstaller/EnableAdditionalSources**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/).
 If you don't configure this setting, no additional sources will be configured for Windows Package Manager.
 If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/).
 If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable Additional Windows Package Manager Sources*
 -   GP name: *EnableAdditionalSources*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-enableappinstaller"></a>**DesktopAppInstaller/EnableAppInstaller**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
 - If you enable or don't configure this setting, users will be able to use the Windows Package Manager.
 - If you disable this setting, users won't be able to use the Windows Package Manager.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Controls whether the Windows Package Manager can be used by the users*
 -   GP name: *EnableAppInstaller*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-enabledefaultsource"></a>**DesktopAppInstaller/EnableDefaultSource**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls the default source included with the Windows Package Manager.
 If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed.
 - If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed.
 - If you disable this setting the default source for the Windows Package Manager won't be available.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable Windows Package Manager Default Source*
 -   GP name: *EnableDefaultSource*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-enablelocalmanifestfiles"></a>**DesktopAppInstaller/EnableLocalManifestFiles**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls whether users can install packages with local manifest files.
 - If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
 - If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable Windows Package Manager Local Manifest Files*
 -   GP name: *EnableLocalManifestFiles*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <!--Policy-->
 <a href="" id="desktopappinstaller-enablehashoverride"></a>**DesktopAppInstaller/EnableHashOverride**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest.
 - If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings.
 - If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable App Installer Hash Override*
 -   GP name: *EnableHashOverride*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-enablemicrosoftstoresource"></a>**DesktopAppInstaller/EnableMicrosoftStoreSource**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls the Microsoft Store source included with the Windows Package Manager.
 If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
 - If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed.
 - If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable Windows Package Manager Microsoft Store Source*
 -   GP name: *EnableMicrosoftStoreSource*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-enablemsappinstallerprotocol"></a>**DesktopAppInstaller/EnableMSAppInstallerProtocol**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol. 
 - If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. 
 - If you disable this setting, users will not be able to install packages from websites that use this protocol.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable MS App Installer Protocol*
 -   GP name: *EnableMSAppInstallerProtocol*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-enablesettings"></a>**DesktopAppInstaller/EnableSettings**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls whether users can change their settings. The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
 - If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager.
 - If you disable this setting, users will not be able to change settings for Windows Package Manager.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable Windows Package Manager Settings Command*
 -   GP name: *EnableSettings*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-enableallowedsources"></a>**DesktopAppInstaller/EnableAllowedSources**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy.
 - If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export.
 - If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable Windows Package Manager Settings Command*
 -   GP name: *EnableAllowedSources*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-enableexperimentalfeatures"></a>**DesktopAppInstaller/EnableExperimentalFeatures**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
 - If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager.
 - If you disable this setting, users will not be able to enable experimental features for Windows Package Manager.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable Windows Package Manager Experimental Features*
 -   GP name: *EnableExperimentalFeatures*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="desktopappinstaller-sourceautoupdateinterval"></a>**DesktopAppInstaller/SourceAutoUpdateInterval**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
 - If you enable this setting, the number of minutes specified will be used by Windows Package Manager.
 - If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes*
 -   GP name: *SourceAutoUpdateInterval*
 -   GP path: *Administrative Templates\Windows Components\App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--/Policies-->
 ## Related topics
 [Policy configuration service provider](policy-configuration-service-provider.md)
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@ -50,6 +50,9 @@ manager: aaroncz
  <dd>
    <a href="#experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
  </dd>
  <dd>
    <a href="#experience-allowspotlightcollection">Experience/AllowSpotlightCollection</a>
  </dd>
  <dd>
    <a href="#experience-allowtailoredexperienceswithdiagnosticdata">Experience/AllowTailoredExperiencesWithDiagnosticData</a>
  </dd>
@ -494,6 +497,50 @@ The following list shows the supported values:
 <hr/>
 <!--Policy-->
 <a href="" id="experience-allowspotlightcollection"></a>**Experience/AllowSpotlightCollection**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|No|
 |Business|No|No|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy allows spotlight collection on the device.
 - If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings.
 - If you disable or do not configure this policy, "Spotlight collection" will appear as an option in Personalization settings, allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop.
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
 - When set to 0: Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop
 - When set to 1: Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft
 - Default value: 1
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="experience-allowtailoredexperienceswithdiagnosticdata"></a>**Experience/AllowTailoredExperiencesWithDiagnosticData**  
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@ -46,8 +46,13 @@ manager: aaroncz
  <dd>
    <a href="#fileexplorer-setallowedstoragelocations">FileExplorer/SetAllowedStorageLocations</a>
  </dd>
  <dd>
    <a href="#fileexplorer-disablegraphrecentitems">FileExplorer/DisableGraphRecentItems</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
@ -276,10 +281,10 @@ This policy configures the folders that the user can enumerate and access in the
 The following list shows the supported values:
 - 0: All folders
- 15:Desktop, Documents, Pictures, and Downloads
+- 15: Desktop, Documents, Pictures, and Downloads
- 31:Desktop, Documents, Pictures, Downloads, and Network
+- 31: Desktop, Documents, Pictures, Downloads, and Network
- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads
+- 47: This PC (local drive), [Desktop, Documents, Pictures], and Downloads
- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network
+- 63: This PC, [Desktop, Documents, Pictures], Downloads, and Network
 <!--/SupportedValues-->
@ -331,7 +336,7 @@ This policy configures the folders that the user can enumerate and access in the
 <!--SupportedValues-->
 The following list shows the supported values:
- 0: all storage locations
+- 0: All storage locations
 - 1: Removable Drives
 - 2: Sync roots
 - 3: Removable Drives, Sync roots, local drive
@ -350,9 +355,62 @@ ADMX Info:
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="fileexplorer-disablegraphrecentitems"></a>**FileExplorer/DisableGraphRecentItems**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|Yes|
 |Windows SE|No|Yes|
 |Business|No|No|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy changes whether files from Office.com will be shown in the Recents and Favorites sections on the Home node (previously known as Quick Access) in File Explorer.
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
 - 0: Files from Office.com will display in the Home node
 - 1: No files from Office.com will be retrieved or displayed
 <!--/SupportedValues-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Turn off files from Office.com in Quick access view*
 -   GP name: *DisableGraphRecentItems*
 -   GP path: *File Explorer*
 -   GP ADMX file name: *Explorer.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--/Policies-->
 ## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
+[Policy configuration service provider](policy-configuration-service-provider.md)
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@ -20,6 +20,9 @@ manager: aaroncz
 ## HumanPresence policies  
 <dl>
  <dd>
    <a href="#humanpresence-forceinstantdim">HumanPresence/ForceInstantDim</a>
  </dd>
  <dd>
    <a href="#humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
  </dd>
@ -33,6 +36,56 @@ manager: aaroncz
 <hr/>
 <!--Policy-->
 <a href="" id="humanpresence-forceinstantdim"></a>**HumanPresence/ForceInstantDim**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|Yes|
 |Business|No|No|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This feature dims the screen based on user attention. This is a power saving feature that prolongs battery charge.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP Friendly name: *Force Instant Dim*
 -   GP name: *ForceInstantDim*
 -   GP path: *Windows Components/Human Presence*
 -   GP ADMX file name: *Sensors.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 The following list shows the supported values:
 - 2 = ForcedOff
 - 1 = ForcedOn
 - 0 = DefaultToUserChoice
 - Defaults to 0.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="humanpresence-forceinstantlock"></a>**HumanPresence/ForceInstantLock**  
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@ -31,6 +31,18 @@ manager: aaroncz
  </dd>
  <dd>
    <a href="#kerberos-pkinithashalgorithmconfiguration">Kerberos/PKInitHashAlgorithmConfiguration</a>
  </dd>  
  <dd>
    <a href="#kerberos-pkinithashalgorithmsha1">Kerberos/PKInitHashAlgorithmSHA1</a>
  </dd>
  <dd>
    <a href="#kerberos-pkinithashalgorithmsha256">Kerberos/PKInitHashAlgorithmSHA256</a>
  </dd>
  <dd>
    <a href="#kerberos-pkinithashalgorithmsha384">Kerberos/PKInitHashAlgorithmSHA384</a>
  </dd>
  <dd>
    <a href="#kerberos-pkinithashalgorithmsha512">Kerberos/PKInitHashAlgorithmSHA512</a>
  </dd>
  <dd>
    <a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
@ -231,22 +243,20 @@ ADMX Info:
 This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
-If you enable this policy, you'll be able to configure one of four states for each algorithm:
+If you enable this policy, you'll be able to configure one of four states for each hash algorithm (SHA1, SHA256, SHA384, and SHA512) using their respective policies.
 * **Default**: This state sets the algorithm to the recommended state.
 * **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
 * **Audited**: This state enables usage of the algorithm and reports an event (ID 205) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
 * **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
 If you disable or don't configure this policy, each algorithm will assume the **Default** state.
 * 0 - **Disabled**
 * 1 - **Enabled**
 More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
-   GP Friendly name: *Introducing agility to PKINIT in Kerberos protocol*
+-   GP Friendly name: *Configure Hash algorithms for certificate logon*
 -   GP name: *PKInitHashAlgorithmConfiguration*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
@ -256,6 +266,209 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-pkinithashalgorithmsha1"></a>**Kerberos/PKInitHashAlgorithmSHA1**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
 * 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
 * 1 - **Default**: This state sets the algorithm to the recommended state.
 * 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
 * 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
 If you don't configure this policy, the SHA1 algorithm will assume the **Default** state.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure Hash algorithms for certificate logon*
 -   GP name: *PKInitHashAlgorithmConfiguration*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-pkinithashalgorithmsha256"></a>**Kerberos/PKInitHashAlgorithmSHA256**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
 * 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
 * 1 - **Default**: This state sets the algorithm to the recommended state.
 * 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
 * 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
 If you don't configure this policy, the SHA256 algorithm will assume the **Default** state.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure Hash algorithms for certificate logon*
 -   GP name: *PKInitHashAlgorithmConfiguration*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-pkinithashalgorithmsha384"></a>**Kerberos/PKInitHashAlgorithmSHA384**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
 * 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
 * 1 - **Default**: This state sets the algorithm to the recommended state.
 * 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
 * 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
 If you don't configure this policy, the SHA384 algorithm will assume the **Default** state.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure Hash algorithms for certificate logon*
 -   GP name: *PKInitHashAlgorithmConfiguration*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-pkinithashalgorithmsha512"></a>**Kerberos/PKInitHashAlgorithmSHA512**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
 * 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
 * 1 - **Default**: This state sets the algorithm to the recommended state.
 * 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
 * 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
 If you don't configure this policy, the SHA512 algorithm will assume the **Default** state.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure Hash algorithms for certificate logon*
 -   GP name: *PKInitHashAlgorithmConfiguration*
 -   GP path: *System/Kerberos*
 -   GP ADMX file name: *Kerberos.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**  
@ -456,4 +669,4 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac
 ## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
+[Policy configuration service provider](policy-configuration-service-provider.md)
--- a/windows/client-management/mdm/policy-csp-lsa.md
+++ b/windows/client-management/mdm/policy-csp-lsa.md
@ -0,0 +1,131 @@
 ---
 title: Policy CSP - LocalSecurityAuthority
 description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS).
 ms.author: vinpa
 author: vinaypamnani-msft
 ms.reviewer: 
 manager: aaroncz
 ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 ms.localizationpriority: medium
 ms.date: 08/26/2022
 ---
 # Policy CSP - LocalSecurity Authority
 <hr/>
 <!--Policies-->
 ## LocalSecurityAuthority policies
 <dl>
  <dd>
    <a href="#localsecurityauthority-allowcustomsspsaps">LocalSecurityAuthority/AllowCustomSSPsAPs</a>
  </dd>
  <dd>
    <a href="#localsecurityauthority-configurelsaprotectedprocess">LocalSecurityAuthority/ConfigureLsaProtectedProcess</a>
  </dd>
 </dl>
 > [!TIP]
 > These are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <hr/>
 <!--Policy-->
 <a href="" id="localsecurityauthority-allowcustomsspsaps"></a>**LocalSecurityAuthority/AllowCustomSSPsAPs**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs).
 If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs.
 If you disable this policy setting, LSASS will block custom SSPs and APs from loading.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS*
 -   GP name: *AllowCustomSSPsAPs*
 -   GP path: *System/Local Security Authority*
 -   GP ADMX file name: *LocalSecurityAuthority.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="localsecurityauthority-configurelsaprotectedprocess"></a>**Kerberos/ConfigureLsaProtectedProcess**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process.
 If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process.
 If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable.
 If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure LSASS to run as a protected process*
 -   GP name: *ConfigureLsaProtectedProcess*
 -   GP path: *System/Local Security Authority*
 -   GP ADMX file name: *LocalSecurityAuthority.admx*
 <!--/ADMXBacked-->
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@ -27,12 +27,36 @@ manager: aaroncz
  <dd>
    <a href="#printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
  </dd>
  <dd>
    <a href="#printers-configurecopyfilespolicy">Printers/ConfigureCopyFilesPolicy</a>
  </dd>
  <dd>
    <a href="#printers-configuredrivervalidationlevel">Printers/ConfigureDriverValidationLevel</a>
  </dd>
  <dd>
    <a href="#printers-configureipppagecountspolicy">Printers/ConfigureIppPageCountsPolicy</a>
  </dd>
  <dd>
    <a href="#printers-configureredirectionguardpolicy">Printers/ConfigureRedirectionGuardPolicy</a>
  </dd>
  <dd>
    <a href="#printers-configurerpcconnectionpolicy">Printers/ConfigureRpcConnectionPolicy</a>
  </dd>
  <dd>
    <a href="#printers-configurerpclistenerpolicy">Printers/ConfigureRpcListenerPolicy</a>
  </dd>
  <dd>
    <a href="#printers-configurerpctcpport">Printers/ConfigureRpcTcpPort</a>
  </dd>
  <dd>
    <a href="#printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
  </dd>
  <dd>
    <a href="#printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
  </dd>
  <dd>
    <a href="#printers-managedriverexclusionlist">Printers/ManageDriverExclusionList</a>
  </dd>
  <dd>
    <a href="#printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
  </dd>
@ -42,6 +66,9 @@ manager: aaroncz
  <dd>
    <a href="#printers-publishprinters">Printers/PublishPrinters</a>
  </dd>
  <dd>
    <a href="#printers-restrictdriverinstallationtoadministrators">Printers/RestrictDriverInstallationToAdministrators</a>
  </dd>
 </dl>
 > [!TIP]
@ -57,38 +84,14 @@ manager: aaroncz
 <a href="" id="printers-approvedusbprintdevices"></a>**Printers/ApprovedUsbPrintDevices**  
 <!--SupportedSKUs-->
-<table>
+|Edition|Windows 10|Windows 11|
-<tr>
+|--- |--- |--- |
-    <th>Edition</th>
+|Home|No|No|
-    <th>Windows 10</th>
+|Pro|Yes|Yes|
-    <th>Windows 11</th>
+|Windows SE|No|Yes|
-</tr>
+|Business|Yes|Yes|
-<tr>
+|Enterprise|Yes|Yes|
-    <td>Home</td>
+|Education|Yes|Yes|
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
@ -109,7 +112,6 @@ These requirements include restricting printing to USB connected printers that m
 This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled.
 The format of this setting is `<vid>/<pid>[,<vid>/<pid>]`
 Parent deliverable: 26209274 - Device Control: Printer
 <!--/Description-->
 <!--ADMXBacked-->
@ -129,38 +131,14 @@ ADMX Info:
 <a href="" id="printers-approvedusbprintdevicesuser"></a>**Printers/ApprovedUsbPrintDevicesUser**  
 <!--SupportedSKUs-->
-<table>
+|Edition|Windows 10|Windows 11|
-<tr>
+|--- |--- |--- |
-    <th>Edition</th>
+|Home|No|No|
-    <th>Windows 10</th>
+|Pro|Yes|Yes|
-    <th>Windows 11</th>
+|Windows SE|No|Yes|
-</tr>
+|Business|Yes|Yes|
-<tr>
+|Enterprise|Yes|Yes|
-    <td>Home</td>
+|Education|Yes|Yes|
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
@ -194,42 +172,423 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configurecopyfilespolicy"></a>**Printers/ConfigureCopyFilesPolicy**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\CopyFilesPolicy` registry entry to restrict processing of the CopyFiles registry entries during printer connection installation. This registry key was added to the print system as part of the 9B security update.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to *SyncCopyFilestoColorFolderOnly* as the value and process the CopyFiles entries as appropriate.
 If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
 The following are the supported values:
 Type: DWORD. Defaults to 1.
 - 0 (DisableCopyFiles) - Don't process any CopyFiles registry entries when installing printer connections.
 - 1 (SyncCopyFilestoColorFolderOnly) - Only allow CopyFiles entries that conform to the standard Color Profile scheme. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value.
 - 2 (AllowCopyFile) - Allow any CopyFiles registry entries to be processed/created when installing printer connections.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Manage processing of Queue-specific files*
 -   GP name: *ConfigureCopyFilesPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configuredrivervalidationlevel"></a>**Printers/ConfigureDriverValidationLevel**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevel` registry entry to determine the print driver digital signatures. This registry key was added to the print system as part of the 10C security update.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to *DriverValidationLevel_Legacy* as the value and process the print driver digital signatures as appropriate.
 If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
 The following are the supported values:
 Type: DWORD. Defaults to 4.
 - 0 (DriverValidationLevel_Inbox) - Only drivers that are shipped as part of a Windows image are allowed on this computer.
 - 1 (DriverValidationLevel_Trusted) - Only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer.
 - 2 (DriverValidationLevel_WHQL)- Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL).
 - 3 (DriverValidationLevel_TrustedShared) - Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store.
 - 4 (DriverValidationLevel_Legacy) - Any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Manage Print Driver signature validation*
 -   GP name: *ConfigureDriverValidationLevel*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configureipppagecountspolicy"></a>**Printers/ConfigureIppPageCountsPolicy**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\IPP\AlwaysSendIppPageCounts`registry entry to allow administrators to configure setting for the IPP print stack.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to sending page count job accounting information for IPP print jobs only when necessary.
 If the policy object is Enabled, the code will always send page count job accounting information for IPP print jobs.
 The following are the supported values:
 AlwaysSendIppPageCounts: DWORD. Defaults to 0.
 - 0 (Disabled) - Job accounting information will not always be sent for IPP print jobs **(default)**.
 - 1 (Enabled) - Job accounting information will always be sent for IPP print jobs.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Always send job page count information for IPP printers*
 -   GP name: *ConfigureIppPageCountsPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configureredirectionguardpolicy"></a>**Printers/ConfigureRedirectionGuardPolicy**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\ConfigureRedirectionGuard` registry entry, which in turn is used to control the functionality of the Redirection Guard feature in the spooler process.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to 1 (enabled) as the value and will prevent redirection primitives in the spooler from being used.
 If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
 The following are the supported values:
 Type: DWORD, defaults to 1.
 - 0 (Redirection Guard Disabled) - Redirection Guard is not enabled for the spooler process and will not prevent the use of redirection primitives within said process.
 - 1 (Redirection Guard Enabled) - Redirection Guard is enabled for the spooler process and will prevent the use of redirection primitives from being used.
 - 2 (Redirection Guard Audit Mode) - Redirection Guard will be disabled but will log telemetry events as though it were enabled.  
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure Redirection Guard*
 -   GP name: *ConfigureRedirectionGuardPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configurerpcconnectionpolicy"></a>**Printers/ConfigureRpcConnectionPolicy**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC connections in the print stack.
 There are 2 values which can be configured:
 - RpcUseNamedPipeProtocol DWORD
     - 0: RpcOverTcp (default)
     - 1: RpcOverNamedPipes
 - RpcAuthentication DWORD
     - 0: RpcConnectionAuthenticationDefault (default)
     - 1: RpcConnectionAuthenticationEnabled
     - 2: RpcConnectionAuthenticationDisabled
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp*, and RPC authentication enabled on domain joined machines and RPC authentication disabled on non domain joined machines.
 If the policy object is Enabled, the code will read the DWORD values from the registry entries and act accordingly.
 The following are the supported values:
 - Not configured or Disabled - The print stack makes RPC connections over TCP and enables RPC authentication on domain joined machines, but disables RPC authentication on non domain joined machines.
 - Enabled - The print stack reads from the registry to determine RPC protocols to connect on and whether to perform RPC authentication.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure RPC connection settings*
 -   GP name: *ConfigureRpcConnectionPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configurerpclistenerpolicy"></a>**Printers/ConfigureRpcListenerPolicy**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners in the print stack.
 There are 2 values which can be configured:
 - RpcProtocols DWORD
     - 3: RpcOverNamedPipes - Only listen for incoming RPC connections using named pipes
     - 5: RpcOverTcp - Only listen for incoming RPC connections using TCP (default)
     - 7: RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP
 - ForceKerberosForRpc DWORD
     - 0: RpcAuthenticationProtocol_Negotiate - Use Negotiate protocol for RPC connection authentication (default). Negotiate negotiates between Kerberos and NTLM depending on client/server support
     - 1: RpcAuthenticationProtocol_Kerberos - Only allow Kerberos protocol to be used for RPC authentication
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp* and *RpcAuthenticationProtocol_Negotiate*.
 If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
 The following are the supported values:
 - Not configured or Disabled - The print stack listens for incoming RPC connections over TCP and uses Negotiate authentication protocol.
 - Enabled - The print stack reads from the registry to determine RPC protocols to listen on and authentication protocol to use.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure RPC listener settings*
 -   GP name: *ConfigureRpcListenerPolicy*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-configurerpctcpport"></a>**Printers/ConfigureRpcTcpPort**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage a new DWORD Value added under the  the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners and connections in the print stack.
 - RpcTcpPort DWORD
     - 0: Use dynamic TCP ports for RPC over TCP (default).
     - 1-65535: Use the given port for RPC over TCP.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the code will default to dynamic ports for *RpcOverTcp*.
 If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
 The following are the supported values:
 - Not configured  or Disabled - The print stack uses dynamic TCP ports for RPC over TCP.
 - Enabled - The print stack reads from the registry to determine which TCP port to use for RPC over TCP.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Configure RPC over TCP port*
 -   GP name: *ConfigureRpcTcpPort*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-enabledevicecontrol"></a>**Printers/EnableDeviceControl**  
 <!--SupportedSKUs-->
-<table>
+|Edition|Windows 10|Windows 11|
-<tr>
+|--- |--- |--- |
-    <th>Edition</th>
+|Home|No|No|
-    <th>Windows 10</th>
+|Pro|Yes|Yes|
-    <th>Windows 11</th>
+|Windows SE|No|Yes|
-</tr>
+|Business|Yes|Yes|
-<tr>
+|Enterprise|Yes|Yes|
-    <td>Home</td>
+|Education|Yes|Yes|
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
@ -274,38 +633,14 @@ ADMX Info:
 <a href="" id="printers-enabledevicecontroluser"></a>**Printers/EnableDeviceControlUser**  
 <!--SupportedSKUs-->
-<table>
+|Edition|Windows 10|Windows 11|
-<tr>
+|--- |--- |--- |
-    <th>Edition</th>
+|Home|No|No|
-    <th>Windows 10</th>
+|Pro|Yes|Yes|
-    <th>Windows 11</th>
+|Windows SE|No|Yes|
-</tr>
+|Business|Yes|Yes|
-<tr>
+|Enterprise|Yes|Yes|
-    <td>Home</td>
+|Education|Yes|Yes|
    <td>No</td>
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
@ -345,6 +680,62 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="printers-managedriverexclusionlist"></a>**Printers/ManageDriverExclusionList**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` registry key to allow administrators to curate a set of print drivers that are not allowed to be installed on the computer. This registry key was added to the print system as part of the 10C security update.
 The default value of the policy will be Unconfigured.
 If the policy object is either Unconfigured or Disabled, the registry Key will not exist and there will not be a Print Driver exclusion list.
 If the policy object is Enabled, the ExclusionList Reg Key will contain one or more *REG_ZS* values that represent the list of excluded print driver INF or main DLL files. Tach *REG_SZ* value will have the file hash as the name and the file name as the data value.
 The following are the supported values:
 Create REG_SZ Values under key `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList`
 Type: REG_SZ
 Value Name: Hash of excluded file
 Value Data: Name of excluded file
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Manage Print Driver exclusion list*
 -   GP name: *ManageDriverExclusionList*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**  
@ -548,6 +939,61 @@ ADMX Info:
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="printers-restrictdriverinstallationtoadministrators"></a>**Printers/RestrictDriverInstallationToAdministrators**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators` registry entry for restricting print driver installation to Administrator users. 
 This registry key was added to the print system as part of the 7OOB security update and use of this registry key was expanded as part of the 8B security rollup.
 The default value of the policy will be Unconfigured.
 If the policy value is either Unconfigured or Enabled, only Administrators or members of an Administrator security group (Administrators, Domain Administrators, Enterprise Administrators) will be allowed to install print drivers on the computer.
 If the policy value is Disabled, standard users will also be allowed to install print drivers on the computer.
 The following are the supported values:
 - Not configured or Enabled - Only administrators can install print drivers on the computer.
 - Disabled - Standard users are allowed to install print drivers on the computer.
 <!--/Description-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Restrict installation of print drivers to Administrators*
 -   GP name: *RestrictDriverInstallationToAdministrators*
 -   GP path: *Printers*
 -   GP ADMX file name: *Printing.admx*
 <!--/ADMXBacked-->
 <hr/>
 <!--/Policies-->
 ## Related topics
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@ -57,6 +57,9 @@ manager: aaroncz
  <dd>
    <a href="#search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
  </dd>
  <dd>
    <a href="#search-disablesearch">Search/DisableSearch</a>
  </dd>
  <dd>
    <a href="#search-donotusewebresults">Search/DoNotUseWebResults</a>
  </dd>
@ -639,6 +642,57 @@ The following list shows the supported values:
 <hr/>
 <!--Policy-->
 <a href="" id="search-disablesearch"></a>**Search/DisableSearch**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|Yes|
 |Windows SE|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures.
 It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP Friendly name: *Fully disable Search UI*
 -   GP name: *DisableSearch*
 -   GP path: *Windows Components/Search*
 -   GP ADMX file name: *Search.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -   0 (default) – Do not disable search.
 -   1 – Disable search.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="search-donotusewebresults"></a>**Search/DoNotUseWebResults**  
@ -774,7 +828,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
-If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index..
+If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index.
 <!--/Description-->
 <!--ADMXMapped-->
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@ -56,6 +56,12 @@ manager: aaroncz
  <dd>
    <a href="#start-disablecontextmenus">Start/DisableContextMenus</a>
  </dd>
  <dd>
    <a href="#start-disablecontrolcenter">Start/DisableControlCenter</a>
  </dd>
  <dd>
    <a href="#start-disableeditingquicksettings">Start/DisableEditingQuickSettings</a>
  </dd>
  <dd>
    <a href="#start-forcestartsize">Start/ForceStartSize</a>
  </dd>
@ -86,6 +92,9 @@ manager: aaroncz
  <dd>
    <a href="#start-hiderecentlyaddedapps">Start/HideRecentlyAddedApps</a>
  </dd>
  <dd>
    <a href="#start-hiderecommendedsection">Start/HideRecommendedSection</a>
  </dd>
  <dd>
    <a href="#start-hiderestart">Start/HideRestart</a>
  </dd>
@ -101,6 +110,9 @@ manager: aaroncz
  <dd>
    <a href="#start-hideswitchaccount">Start/HideSwitchAccount</a>
  </dd>
  <dd>
    <a href="#start-hidetaskviewbutton">Start/HideTaskViewButton</a>
  </dd>
  <dd>
    <a href="#start-hideusertile">Start/HideUserTile</a>
  </dd>
@ -113,6 +125,9 @@ manager: aaroncz
  <dd>
    <a href="#start-showorhidemostusedapps">Start/ShowOrHideMostUsedApps</a>
  </dd>
  <dd>
    <a href="#start-simplifyquicksettings">Start/SimplifyQuickSettings</a>
  </dd>
  <dd>
    <a href="#start-startlayout">Start/StartLayout</a>
  </dd>
@ -665,6 +680,100 @@ The following list shows the supported values:
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="start-disablecontrolcenter"></a>**Start/DisableControlCenter**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting disables the Control Center button from the bottom right area on the taskbar. The Control Center area is located at the left of the clock in the taskbar and includes icons for current network and volume. 
 If this setting is enabled, Control Center area is displayed but the button to open the Control Center will be disabled. 
 >[!Note]
 > A reboot is required for this policy setting to take effect.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP Friendly name: *Remove control center*
 -   GP name: *DisableControlCenter*
 -   GP path: *Start Menu and Taskbar*
 -   GP ADMX file name: *Taskbar.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 The following are the supported values:
 - Integer 0 - Disabled/Not configured.
 - Integer 1 - Enabled.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="start-disableeditingquicksettings"></a>**Start/DisableEditingQuickSettings**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy will allow admins to indicate whether Quick Actions can be edited by the user.
 <!--/Description-->
 <!--SupportedValues-->
 The following are the supported values:
 - 0: Allow editing Quick Actions (default)
 - 1: Disable editing Quick Actions
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
@ -1208,6 +1317,47 @@ To validate on Desktop, do the following steps:
 <hr/>
 <!--Policy-->
 <a href="" id="start-hiderecommendedsection"></a>**Start/HideRecommendedSection**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 > * User
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy allows you to hide the Start Menu's Recommended section when enabled.
 <!--/Description-->
 <!--SupportedValues-->
 The following are the supported values:
 - 0 (default): Do not hide the Start menu's Recommended section.
 - 1: Hide the Start menu's Recommended section.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="start-hiderestart"></a>**Start/HideRestart**  
@ -1453,6 +1603,48 @@ To validate on Desktop, do the following steps:
 <hr/>
 <!--Policy-->
 <a href="" id="start-hidetaskviewbutton"></a>**Start/HideTaskViewButton**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 > * User
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy allows you to hide the Task View button from the Taskbar and its corresponding option in the Settings app.
 <!--/Description-->
 <!--SupportedValues-->
 The following are the supported values:
 - 0 (default): Do not hide the Taskbar's Task View button.
 - 1: Hide the Taskbar's Task View button.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="start-hideusertile"></a>**Start/HideUserTile**  
@ -1622,38 +1814,15 @@ To validate on Desktop, do the following steps:
 <a href="" id="start-showorhidemostusedapps"></a>**Start/ShowOrHideMostUsedApps**  
 <!--SupportedSKUs-->
-<table>
+
-<tr>
+|Edition|Windows 10|Windows 11|
-    <th>Edition</th>
+|--- |--- |--- |
-    <th>Windows 10</th>
+|Home|No|No|
-    <th>Windows 11</th>
+|Pro|Yes|Yes|
-</tr>
+|Windows SE|Yes|Yes|
-<tr>
+|Business|Yes|Yes|
-    <td>Home</td>
+|Enterprise|Yes|Yes|
-    <td>No</td>
+|Education|Yes|Yes|
    <td>No</td>
 </tr>
 <tr>
    <td>Pro</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Business</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 <tr>
    <td>Education</td>
    <td>Yes</td>
    <td>Yes</td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
@ -1686,6 +1855,47 @@ On clean install, the user setting defaults to "hide".
 <hr/>
 <!--Policy-->
 <a href="" id="start-simplifyquicksettings"></a>**Start/SimplifyQuickSettings**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|Yes|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy will allow admins to indicate whether the default or simplified Quick Actions layout should be loaded.
 <!--/Description-->
 <!--SupportedValues-->
 The following are the supported values:
 - 0: load regular Quick Actions layout.
 - 1: load simplified Quick Actions layout.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="start-startlayout"></a>**Start/StartLayout**  
@ -1746,4 +1956,4 @@ ADMX Info:
 ## Related topics
-[Policy configuration service provider](policy-configuration-service-provider.md)
+[Policy configuration service provider](policy-configuration-service-provider.md)
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@ -0,0 +1,233 @@
 ---
 title: Policy CSP - WebThreatDefense
 description: Learn about the Policy CSP - WebThreatDefense.
 ms.author: v-aljupudi
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: alekyaj
 ms.localizationpriority: medium
 ms.date: 09/27/2019
 ms.reviewer: 
 manager: aaroncz
 ---
 # Policy CSP - WebThreatDefense
 <hr/>
 <!--Policies-->
 ## WebThreatDefense policies  
 <dl>
  <dd>
    <a href="#webthreatdefense-enableservice">WebThreatDefense/EnableService</a>
  </dd>
  <dd>
    <a href="#webthreatdefense-notifymalicious">WebThreatDefense/NotifyMalicious</a>
  </dd>
  <dd>
    <a href="#webthreatdefense-notifypasswordreuse">WebThreatDefense/NotifyPasswordReuse</a>
  </dd>
  <dd>
    <a href="#webthreatdefense-notifyunsafeapp">WebThreatDefense/NotifyUnsafeApp</a>
  </dd>
 </dl>
 >[!NOTE]
 >In Microsoft Intune, this CSP is under the “Enhanced Phishing Protection” category.
 <!--Policy-->
 <a href="" id="webthreatdefense-enableservice"></a>**WebThreatDefense/EnableService**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|No|
 |Windows SE|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. When in audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender.  
 If you enable this policy setting or don’t configure this setting, Enhanced Phishing Protection is enabled in audit mode, and your users are unable to turn it off.
 If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP Friendly name: *Configure Web Threat Defense*
 -   GP name: *EnableWebThreatDefenseService*
 -   GP path: *Windows Security\App & browser control\Reputation-based protection\Phishing protections*
 -   GP ADMX file name: *WebThreatDefense.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -	0: Turns off Enhanced Phishing Protection.
 -	1: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="webthreatdefense-notifymalicious"></a>**WebThreatDefense/NotifyMalicious**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|No|
 |Windows SE|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.
 If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above, and encourages them to change their password.
 If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -	0: Turns off Enhanced Phishing Protection notifications when users type their work or school password into one of the following malicious scenarios: a reported phishing site, a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.
 -	1: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="webthreatdefense-notifypasswordreuse"></a>**WebThreatDefense/NotifyPasswordReuse**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|No|
 |Windows SE|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
 If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
 If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -	0: Turns off Enhanced Phishing Protection notifications when users reuse their work or school password.
 -	1: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="webthreatdefense-notifyunsafeapp"></a>**WebThreatDefense/NotifyUnsafeApp**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|No|No|
 |Windows SE|No|Yes|
 |Business|No|Yes|
 |Enterprise|No|Yes|
 |Education|No|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc.
 If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in text editor apps.
 If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in text editor apps. 
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -	0: Turns off Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc.
 -	1: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps.  
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 ## Related topics
 [Policy configuration service provider](policy-configuration-service-provider.md)
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@ -35,6 +35,9 @@ manager: aaroncz
  <dd>
    <a href="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
  </dd>
  <dd>
    <a href="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
  </dd>
  <dd>
    <a href="#windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
  </dd>
@ -362,6 +365,52 @@ Supported values:
 <hr/>
 <!--Policy-->
 <a href="" id="windowslogon-enablemprnotifications"></a>**WindowsLogon/EnableMPRNotifications**  
 <!--SupportedSKUs-->
 The table below shows the applicability of Windows:
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy allows winlogon to send MPR notifications in the system if a credential manager is configured.
 If you disable (0), MPR notifications will not be sent by winlogon.
 If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon.
 <!--/Description-->
 <!--SupportedValues-->
 Supported values:  
 -   0 - disabled
 -   1 (default)- enabled
 <!--/SupportedValues-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="windowslogon-enumeratelocalusersondomainjoinedcomputers"></a>**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**  
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@ -1,7 +1,7 @@
 ---
 title: SharedPC CSP
 description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage.
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@ -31,6 +31,7 @@ The following example shows the SharedPC configuration service provider manageme
 ./Vendor/MSFT
 SharedPC
 ----EnableSharedPCMode
 ----EnableSharedPCModeWithOneDriveSync
 ----SetEduPolicies
 ----SetPowerPolicies
 ----MaintenanceStartTime
@ -47,12 +48,12 @@ SharedPC
 ----InactiveThreshold
 ----MaxPageFileSizeMB
 ```
-<a href="" id="--vendor-msft-sharedpc"></a>**./Vendor/MSFT/SharedPC**  
+<a href="" id="--vendor-msft-sharedpc"></a>**./Vendor/MSFT/SharedPC**
 The root node for the SharedPC configuration service provider.
 The supported operation is Get.
-<a href="" id="enablesharedpcmode"></a>**EnableSharedPCMode**  
+<a href="" id="enablesharedpcmode"></a>**EnableSharedPCMode**
 A boolean value that specifies whether Shared PC mode is enabled.
 The supported operations are Add, Get, Replace, and Delete.
@ -61,16 +62,23 @@ Setting this value to True triggers the action to configure a device to Shared P
 The default value is Not Configured and SharedPC mode is not enabled.
-<a href="" id="setedupolicies"></a>**SetEduPolicies**  
+<a href="" id="enablesharedpcmodewithonedrivesync"></a>**EnableSharedPCModeWithOneDriveSync**
 Setting this node to true triggers the action to configure a device to Shared PC mode with OneDrive sync turned on.
 The supported operations are Add, Get, Replace, and Delete.
 The default value is false.
 <a href="" id="setedupolicies"></a>**SetEduPolicies**
 A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment.
 The supported operations are Add, Get, Replace, and Delete.
-The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. 
+The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode.
 In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
-<a href="" id="setpowerpolicies"></a>**SetPowerPolicies**  
+<a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
 Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
 > [!NOTE]
@ -80,7 +88,7 @@ The supported operations are Add, Get, Replace, and Delete.
 The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True.
-<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**  
+<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**
 Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
 > [!NOTE]
@ -90,7 +98,7 @@ The supported operations are Add, Get, Replace, and Delete.
 The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM).
-<a href="" id="signinonresume"></a>**SignInOnResume**  
+<a href="" id="signinonresume"></a>**SignInOnResume**
 Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
 > [!NOTE]
@ -100,8 +108,8 @@ The supported operations are Add, Get, Replace, and Delete.
 The default value is Not Configured and its value in the SharedPC provisioning package is True.
-<a href="" id="sleeptimeout"></a>**SleepTimeout**  
+<a href="" id="sleeptimeout"></a>**SleepTimeout**
-The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. 
+The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
 > [!NOTE]
 > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
@ -110,7 +118,7 @@ The supported operations are Add, Get, Replace, and Delete.
 The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600.
-<a href="" id="enableaccountmanager"></a>**EnableAccountManager**  
+<a href="" id="enableaccountmanager"></a>**EnableAccountManager**
 A boolean that enables the account manager for shared PC mode.
 > [!NOTE]
@ -120,7 +128,7 @@ The supported operations are Add, Get, Replace, and Delete.
 The default value is Not Configured and its value in the SharedPC provisioning package is True.
-<a href="" id="accountmodel"></a>**AccountModel**  
+<a href="" id="accountmodel"></a>**AccountModel**
 Configures which type of accounts are allowed to use the PC.
 > [!NOTE]
@ -136,7 +144,7 @@ The following list shows the supported values:
 Its value in the SharedPC provisioning package is 1 or 2.
-<a href="" id="deletionpolicy"></a>**DeletionPolicy**  
+<a href="" id="deletionpolicy"></a>**DeletionPolicy**
 Configures when accounts are deleted.
 > [!NOTE]
@ -149,7 +157,7 @@ For Windows 10, version 1607, here's the list shows the supported values:
 -   0 - Delete immediately.
 -   1 (default) - Delete at disk space threshold.
-For Windows 10, version 1703, here's the list of supported values:  
+For Windows 10, version 1703, here's the list of supported values:
 - 0 - Delete immediately.
 - 1 - Delete at disk space threshold.
@ -157,7 +165,7 @@ For Windows 10, version 1703, here's the list of supported values:
 The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2.
-<a href="" id="diskleveldeletion"></a>**DiskLevelDeletion**  
+<a href="" id="diskleveldeletion"></a>**DiskLevelDeletion**
 Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first.
 > [!NOTE]
@ -169,7 +177,7 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel
 The supported operations are Add, Get, Replace, and Delete.
-<a href="" id="disklevelcaching"></a>**DiskLevelCaching**  
+<a href="" id="disklevelcaching"></a>**DiskLevelCaching**
 Sets the percentage of available disk space a PC should have before it stops deleting cached accounts.
 > [!NOTE]
@ -181,48 +189,48 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel
 The supported operations are Add, Get, Replace, and Delete.
-<a href="" id="restrictlocalstorage"></a>**RestrictLocalStorage**  
+<a href="" id="restrictlocalstorage"></a>**RestrictLocalStorage**
-Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional. 
+Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional.
 The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
 > [!NOTE]
 > If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
-<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**  
+<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
-Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional. 
+Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
- Value type is string. 
+- Value type is string.
- Supported operations are Add, Get, Replace, and Delete.  
+- Supported operations are Add, Get, Replace, and Delete.
 > [!NOTE]
 > If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
-<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**  
+<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**
-Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional. 
+Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional.
-Value type is string. Supported operations are Add, Get, Replace, and Delete. 
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
 > [!NOTE]
 > If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
-<a href="" id="inactivethreshold"></a>**InactiveThreshold**  
+<a href="" id="inactivethreshold"></a>**InactiveThreshold**
 Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
- The default value is Not Configured. 
+- The default value is Not Configured.
- Value type is integer. 
+- Value type is integer.
 - Supported operations are Add, Get, Replace, and Delete.
 The default in the SharedPC provisioning package is 30.
-<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**  
+<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**
-Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional. 
+Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional.
 > [!NOTE]
 > If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
- Default value is Not Configured. 
+- Default value is Not Configured.
- Value type is integer. 
+- Value type is integer.
 - Supported operations are Add, Get, Replace, and Delete.
 The default in the SharedPC provisioning package is 1024.
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@ -1,7 +1,7 @@
 ---
 title: SharedPC DDF file
 description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP).
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@ -70,6 +70,32 @@ The XML below is the DDF for Windows 10, version 1703.
                </DFType>
            </DFProperties>
        </Node>
        <Node>
              <NodeName>EnableSharedPCModeWithOneDriveSync</NodeName>
              <DFProperties>
                <AccessType>
                  <Add />
                  <Delete />
                  <Get />
                  <Replace />
                </AccessType>
                <DefaultValue>false</DefaultValue>
                <Description>Setting this node to “1” triggers the action to configure a device to Shared PC mode with OneDrive sync turned on</Description>
                <DFFormat>
                  <bool />
                </DFFormat>
                <Occurrence>
                  <One />
                </Occurrence>
                <Scope>
                  <Dynamic />
                </Scope>
                <DFTitle>Enable Shared PC mode with OneDrive sync</DFTitle>
                <DFType>
                  <MIME />
                </DFType>
              </DFProperties>
            </Node>
        <Node>
            <NodeName>SetEduPolicies</NodeName>
            <DFProperties>
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@ -299,6 +299,11 @@ items:
            items:
              - name: HealthAttestation DDF
                href: healthattestation-ddf.md
          - name: Local Administrator Password Solution CSP
            href: laps-csp.md
            items:
              - name: Local Administrator Password Solution DDF
                href: laps-ddf-file.md
          - name: MultiSIM CSP
            href: multisim-csp.md
            items:
@ -333,6 +338,11 @@ items:
            items:
              - name: PassportForWork DDF file
                href: passportforwork-ddf.md
          - name: PersonalDataEncryption CSP
            href: personaldataencryption-csp.md
            items:
              - name: PersonalDataEncryption DDF file
                href: personaldataencryption-ddf-file.md
          - name: Personalization CSP
            href: personalization-csp.md
            items:
@ -685,6 +695,8 @@ items:
                href: policy-csp-deliveryoptimization.md
              - name: Desktop
                href: policy-csp-desktop.md
              - name: DesktopAppInstaller
                href: policy-csp-desktopappinstaller.md
              - name: DeviceGuard
                href: policy-csp-deviceguard.md
              - name: DeviceHealthMonitoring
@ -733,6 +745,8 @@ items:
                href: policy-csp-licensing.md
              - name: LocalPoliciesSecurityOptions
                href: policy-csp-localpoliciessecurityoptions.md
              - name: LocalSecurityAuthority
                href: policy-csp-lsa.md
              - name: LocalUsersAndGroups
                href: policy-csp-localusersandgroups.md
              - name: LockDown
@ -813,6 +827,8 @@ items:
                href: policy-csp-userrights.md
              - name: VirtualizationBasedTechnology
                href: policy-csp-virtualizationbasedtechnology.md
              - name: WebThreatDefense
                href: policy-csp-webthreatdefense.md
              - name: Wifi
                href: policy-csp-wifi.md
              - name: WindowsAutoPilot
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@ -43,7 +43,7 @@
    - name: Accessibility settings
      items:
         - name: Accessibility information for IT Pros
-           href: windows-10-accessibility-for-ITPros.md
+           href: windows-accessibility-for-ITPros.md
         - name: Configure access to Microsoft Store
           href: stop-employees-from-using-microsoft-store.md
         - name: Configure Windows Spotlight on the lock screen
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@ -157,7 +157,7 @@ Use the following steps to add your XML file to a group policy, and apply the po
 4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes.
-    For more information on using group policies, see [Implement Group Policy Objects](/learn/modules/implement-group-policy-objects/).
+    For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/).
 ### Create a Microsoft Endpoint Manager policy to deploy your XML file
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@ -59,7 +59,7 @@ ms.topic: article
                              <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
                                   "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
                                   "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only 
-                                   see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
+                                   see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
                              -->
                              <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
@ -192,7 +192,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
                              <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
                                   "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
                                   "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only 
-                                   see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
+                                   see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
                              -->
                              <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
@ -313,7 +313,7 @@ This sample demonstrates that only a global profile is used, with no active user
                              <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
                                   "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
                                   "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only 
-                                   see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
+                                   see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
                              -->
                              <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
@ -365,7 +365,7 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
                              <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
                                   "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
                                   "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only 
-                                   see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
+                                   see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
                              -->
                              <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@ -458,7 +458,7 @@ Usage is demonstrated below, by using the new XML namespace and specifying `Glob
                              <!-- A link file is required for desktop applications to show on start layout, the link file can be placed under
                                   "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs" if the link file is shared for all users or
                                   "%AppData%\Microsoft\Windows\Start Menu\Programs" if the link file is for the specific user only 
-                                   see document https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop
+                                   see document https://learn.microsoft.com/windows/configuration/start-layout-xml-desktop
                              -->
                              <!-- for inbox desktop applications, a link file might already exist and can be used directly -->
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Accessories\paint.lnk" />
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@ -179,6 +179,6 @@ Here is a list of CSPs supported on Windows 10 Enterprise:
 -   [Update CSP](/windows/client-management/mdm/update-csp)
 -   [VPN CSP](/windows/client-management/mdm/vpn-csp)
 -   [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
-   [Wi-Fi CSP](/documentation/)
+-   [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp)
 -   [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp)
 -   [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp)
--- a/windows/configuration/supported-csp-start-menu-layout-windows.md
+++ b/windows/configuration/supported-csp-start-menu-layout-windows.md
@ -14,6 +14,7 @@ ms.localizationpriority: medium
 **Applies to**:
 - Windows 11
 - Windows 11, version 22H2
 The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices.
@ -49,6 +50,10 @@ For information on customizing the Start menu layout using policy, see [Customiz
  The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu.
 **The following policies are supported starting with Windows 11, version 22H2:**
 - [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
 - [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus)
 ## Existing CSP policies that Windows 11 doesn't support
 - [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout)
@ -56,6 +61,9 @@ For information on customizing the Start menu layout using policy, see [Customiz
 - [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps)
  - Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu`
 > [!NOTE]
 > The following two policies are supported starting in Windows 11, version 22H2
 - [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
  - Group policy:
--- a/windows/configuration/windows-10-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-10-accessibility-for-ITPros.md
@ -1,91 +0,0 @@
 ---
 title: Windows 10 accessibility information for IT Pros (Windows 10)
 description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them
 keywords: accessibility, settings, vision, hearing, physical, cognition, assistive
 ms.prod: w10
 ms.author: lizlong
 author: lizgt2000
 ms.localizationpriority: medium
 ms.date: 01/12/2018
 ms.reviewer: 
 manager: aaroncz
 ms.topic: reference
 ---
 # Accessibility information for IT Professionals 
 Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. 
 This topic helps IT administrators learn about built-in accessibility features, and includes a few recommendations for how to support people in your organization who use these features.
 ## General recommendations
 - **Be aware of Ease of Access settings** – Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows 10. 
 - **Do not block settings** – Avoid using Group Policy or MDM settings that override Ease of Access settings. 
 - **Encourage choice** – Allow people in your organization to customize their computers based on their needs. That customization might mean installing an add-on for their browser, or a non-Microsoft assistive technology.
 ## Vision
 | Accessibility feature | Description |
 |---------------------------|------------|
 | [Use Narrator to use devices without a screen](https://support.microsoft.com/help/22798/windows-10-narrator-get-started) | Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices.|
 | [Create accessible apps](https://developer.microsoft.com/windows/accessible-apps) | You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.|
 | Use keyboard shortcuts for [Windows](https://support.microsoft.com/help/12445/windows-keyboard-shortcuts), [Narrator](https://support.microsoft.com/help/22806), and [Magnifier](https://support.microsoft.com/help/13810) | Get the most out of Windows with shortcuts for apps and desktops.|
 | Get closer with [Magnifier](https://support.microsoft.com/help/11542/windows-use-magnifier) | Magnifier enlarges all or part of your screen and offers various configuration settings.|
 | [Cursor and pointer adjustments](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.|
 | [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.|
 | [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
 | [Customize the size](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) of screen items | You can adjust the size of text, icons, and other screen items to make them easier to see.|
 | [Improve contrast](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Many high-contrast themes are available to suit your needs.|
 | [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.|
 | [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.|
 | [Read in Braille](https://support.microsoft.com/help/4004263) | Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.|
 ## Hearing
 | Accessibility feature | Description |
 |---------------------------|------------|
 | [Transcribe with Translator](https://www.skype.com/en/features/skype-translator) | Translator can transcribe voice to text so you won’t miss what’s being said. |
 | [Use Skype for sign language](https://www.skype.com/en/) | Skype is available on various platforms and devices, so you don’t have to worry about whether your co-workers, friends and family can communicate with you.|
 | [Get visual notifications for sounds](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | You can replace audible alerts with visual alerts.|
 | [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear)|If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.|
 | [Read spoken words with closed captioning](https://support.microsoft.com/help/21055/windows-10-closed-caption-settings) | You can customize things like color, size, and background transparency to suit your needs and tastes.|
 | [Switch to mono audio](https://support.microsoft.com/help/27933/) | Sending all sounds to both left and right channels is helpful for those people with partial hearing loss or deafness in one ear.|
 ## Physical
 | Accessibility feature | Description|
 |---------------------------|------------|
 | [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.|
 | [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
 | Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).|
 | [Live Tiles](https://support.microsoft.com/help/17176/windows-10-organize-your-apps)| Because Live Tiles display constantly updated information for many apps, you don't have to bother actually opening them. You can arrange, resize, and move tiles as needed.| 
 | [Keyboard assistance features](https://support.microsoft.com/help/27936)| You can personalize your keyboard to ignore repeated keys and do other helpful things if you have limited control of your hands.|
 | [Mouse Keys](https://support.microsoft.com/help/27936)|If a mouse is difficult to use, you can control the pointer by using your numeric keypad.|
 ## Cognition
 | Accessibility feature | Description|
 |---------------------------|------------|
 | [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.|
 | Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).|
 | [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
 | [Use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721) | Fluent Sitka Small and Fluent Calibri are fonts that address "visual crowding" by adding character and enhance word and line spacing. |
 | [Edge Reading View](https://support.microsoft.com/help/17204/windows-10-take-your-reading-with-you) | Clears distracting content from web pages so you can stay focused on what you really want to read. |
 | [Edge includes an e-book reader](https://support.microsoft.com/help/4014945) | The Microsoft Edge e-book reader includes options to increase text spacing and read text aloud to help make it easier for everyone to read and enjoy text, including people with learning differences like dyslexia and English language learners. |
 ## Assistive technology devices built into Windows 10
 | Assistive technology | How it helps |
 |---------------------------|------------|
 | [Hear text read aloud with Narrator](https://support.microsoft.com/help/17173) | Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.|
 | [Use Speech Recognition]( https://support.microsoft.com/help/17208 ) | Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.|
 | [Save time with keyboard shortcuts]( https://support.microsoft.com/help/17189) | Keyboard shortcuts for apps and desktops.|
 ## Other resources
 [Windows accessibility](https://www.microsoft.com/Accessibility/windows)
 [Designing accessible software]( https://msdn.microsoft.com/windows/uwp/accessibility/designing-inclusive-software)
 [Inclusive Design](https://www.microsoft.com/design/inclusive)
 [Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)
--- a/windows/configuration/windows-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-accessibility-for-ITPros.md
@ -0,0 +1,117 @@
 ---
 title: Windows accessibility information for IT Pros
 description: Lists the various accessibility features available in Windows client with links to detailed guidance on how to set them.
 ms.prod: windows-client
 ms.technology: itpro-configure
 ms.author: lizlong
 author: lizgt2000
 ms.reviewer: 
 manager: aaroncz
 ms.localizationpriority: medium
 ms.date: 09/20/2022
 ms.topic: reference
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 ---
 # Accessibility information for IT professionals
 Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
 This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features.
 Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).<!-- 6294246 -->
 ## General recommendations
 - **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows.
 - **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings.
 - **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology.
 ## Vision
 - [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Starting in Windows 11, version 22H2, Narrator includes more natural voices.
 - [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.
 - Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops.
  - [Keyboard shortcuts in Windows](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec)
  - [Narrator keyboard commands and touch gestures](https://support.microsoft.com/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a)
  - [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd)
 - Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings.
 - [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d).
  - Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.
  - Adjust the size of text, icons, and other screen items to make them easier to see.
  - Many high-contrast themes are available to suit your needs.
 - [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
 - [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do.
 - [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
 - [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
 - [Read in Braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
 ## Hearing
 - [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said.
 - [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you.
 - [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1).
  - Replace audible alerts with visual alerts.
  - If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
  - Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear.
 - [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). You can customize things like color, size, and background transparency to suit your needs and tastes.
 - Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions.
 ## Physical
 - [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
 - [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do.
 - [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion.
 - [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe).
  - If you have limited control of your hands, you can personalize your keyboard to do helpful things like ignore repeated keys.
  - If a mouse is difficult to use, you can control the pointer by using your numeric keypad.
 ## Cognition
 - [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
 - [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing.
 - [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read.
 ## Assistive technology devices built into Windows
 - [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.
 - [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571).
 - [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
 ## Other resources
 [Windows accessibility](https://www.microsoft.com/Accessibility/windows)
 [Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software)
 [Inclusive design](https://www.microsoft.com/design/inclusive)
 [Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)
--- a/windows/configure/docfx.json
+++ b/windows/configure/docfx.json
@ -1,57 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "feedback_system": "None",
      "hideEdit": true,
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "MSDN.windows-configure"
        }
      },
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "windows-configure",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/deploy/docfx.json
+++ b/windows/deploy/docfx.json
@ -1,56 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "MSDN.windows-deploy",
          "folder_relative_path_in_docset": "./"
        }
      },
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "windows-deploy",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@ -100,8 +100,8 @@ landingContent:
      - linkListType: learn
        links:
          - text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps
-            url: /learn/modules/windows-plan
+            url: /training/modules/windows-plan
          - text: Prepare to deploy updates for Windows 10 and Microsoft 365 Apps
-            url: /learn/modules/windows-prepare/
+            url: /training/modules/windows-prepare/
          - text: Deploy updates for Windows 10 and Microsoft 365 Apps
-            url: /learn/modules/windows-deploy
+            url: /training/modules/windows-deploy
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@ -1,11 +1,14 @@
 ---
-title: "How to check Windows release health"
+title: How to check Windows release health
 description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
 ms.date: 08/16/2022
 ms.author: v-nishmi
 author: DocsPreview
 manager: jren
-ms.topic: article
+ms.reviewer: mstewart
 ms.topic: how-to
 ms.prod: w10
-localization_priority: Normal
+localization_priority: medium
 ms.custom: 
 - Adm_O365
 - 'O365P_ServiceHealthModern'
@ -21,36 +24,35 @@ search.appverid:
 - MOE150
 - BCS160
 - IWA160
 description: "Check the release health status of Microsoft 365 services before you call support to see if there is an active service interruption."
 ---
 # How to check Windows release health
-The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues so you can troubleshoot issues your users may be experiencing and/or to determine when, and at what scale, to deploy an update in your organization. 
+The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization.
-If you are unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from logging into your tenant. 
+If you're unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from signing into your tenant.
-To be informed about the latest updates and releases, follow us on Twitter [@WindowsUpdate](https://twitter.com/windowsupdate).
+To be informed about the latest updates and releases, follow [@WindowsUpdate](https://twitter.com/windowsupdate) on Twitter.
 ## How to review Windows release health information
-1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2024339), and sign in with an administrator account.
+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com), and sign in with an administrator account.
    > [!NOTE]
-    > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true#roles-available-in-the-microsoft-365-admin-center).
+    > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles).
 2. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
-3. On the **Windows release health** page, you will have access to known issue information for all supported versions of the Windows operating system.
+3. On the **Windows release health** page, you'll have access to known issue information for all supported versions of the Windows operating system.
   The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.
   ![View of current issues in release health.](images/WRH-menu.png)
-   A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days. 
+   A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days.
-   
+
   ![View of known issues in release health.](images/WRH-known-issues-20H2.png)
-   
+
   The **History** tab shows the history of known issues that have been resolved for up to 6 months.
   ![View of history issues in release health.](images/WRH-history-20H2.png)
@ -63,24 +65,23 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win
   - **Originating KB** - The KB number where the issue was first identified.
   - **Originating build** - The build number for the KB.
-   Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. Here is an example:
+   Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. For example:
   ![A screenshot showing issue details.](images/WRH-known-issue-detail.png)
-     
+
 ## Status definitions
 In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows:
 | Status | Definition |
 |:-----|:-----|
-|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there is no confirmation that users are affected. |
+|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there's no confirmation that users are affected. |
-|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue’s scope of impact, mitigation steps, and root cause. |
+|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue's scope, mitigation steps, and root cause. |
-|**Confirmed** | After close review, Microsoft teams have determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
+|**Confirmed** | After close review, Microsoft has determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
 |**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue will stay in this state until a KB article is released by Microsoft to resolve the known issue. |
 |**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue that was caused by a software or driver from a third-party software or device manufacturer. A known issue will stay in this state until the issue is resolved by Microsoft or the third-party. |
-|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it’s deployed in the customer’s environment. |
+|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it's deployed in the customer's environment. |
-|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it’s deployed in the customer’s environment. |
+|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it's deployed in the customer's environment. |
 ## Known issue history
@ -96,29 +97,29 @@ A list of all status updates posted in the selected timeframe will be displayed,
 ### Windows release health coverage
-   **What is Windows release health?**   
+- **What is Windows release health?**
    Windows release health is a Microsoft informational service created to keep licensed Windows customers aware of identified known issues and important announcements.
 -   **Microsoft 365 service health content is specific to my tenants and services. Is the content in Windows release health specific to my Windows environment?**   
-    Windows release health does not monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
+    Windows release health doesn't monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
 -   **Where do I find Windows release health?**   
-    After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, click **Health** and you’ll see **Windows release health**.
+    After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** and you'll see **Windows release health**.
 -   **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Docs.microsoft.com?**   
-    No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you’ll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
+    No. While the content is similar, you may see more issues and technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you'll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
 -   **How often will content be updated?**   
-    In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
+    To ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have more details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
 -   **Can I share this content publicly or with other Windows customers?**   
-    Windows release health is provided to you as a licensed Windows customer and is not to be shared publicly.
+    Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly.
 -   **Is the content redundant? How is the content organized in the different tabs?**   
-    Windows release health provides three tabs. The landing **All versions** tab allows you to click into a specific version of Windows. The Known issues tab shows the list of issues that are active or resolved in the past 30 days. The History tab shows a six-month history of known issues that have been resolved.
+    Windows release health provides three tabs. The landing **All versions** tab allows you to select a specific version of Windows. The **Known issues** tab shows the list of issues that are active or resolved in the past 30 days. The **History** tab shows a six-month history of known issues that have been resolved.
-   **How do I find information for the versions of Windows I’m managing?**   
+-   **How do I find information for the versions of Windows I'm managing?**   
-    On the **All versions** tab, you can select any Windows version. This will take you to the Known issues tab filtered for the version you selected. The known issues tab provides the list of active known issues and those resolved in the last 30 days. This selection persists throughout your session until changed. From the History tab you can view the list of resolved issues for that version. To change versions, use the filter in the tab.
+    On the **All versions** tab, you can select any Windows version. This action takes you to the **Known issues** tab filtered for the version you selected. The **Known issues** tab provides the list of active known issues and the issues resolved in the last 30 days. This selection persists throughout your session until changed. From the **History** tab, you can view the list of resolved issues for that version. To change versions, use the filter in the tab.
 ### Microsoft 365 Admin Center functions
@ -126,13 +127,13 @@ A list of all status updates posted in the selected timeframe will be displayed,
    You can search Microsoft 365 admin center pages using keywords. For Windows release health, go to the desired product page and search using KB numbers, build numbers, or keywords.
 -   **How do I add other Windows admins?**   
-    Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of “Service Support admin.”
+    Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of **Service Support admin**.
-   **Why can’t I click to the KB article from the Known issues or History tabs?**   
+-   **Why can't I click to the KB article from the Known issues or History tabs?**   
-    Within the issue description, you’ll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue’s Details pane.
+    Within the issue description, you'll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue's Details pane.
-   **Microsoft 365 admin center has a mobile app but I don’t see Windows release health under the Health menu. Is this an open issue?**   
+-   **Microsoft 365 admin center has a mobile app but I don't see Windows release health under the Health menu. Is this an open issue?**   
-    We are working to build the Windows release health experience on mobile devices in a future release.
+    We're working to build the Windows release health experience on mobile devices in a future release.
 ### Help and support
@ -140,7 +141,7 @@ A list of all status updates posted in the selected timeframe will be displayed,
    Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support.
 -   **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?**   
-    The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the Known issue you’re seeking help on, click the Details pane and you’ll find the ID under the issue title. It will be the letters WI followed by a number, similar to “WI123456”.
+    The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. It will be the letters `WI` followed by a number, similar to `WI123456`.
 -   **How can I learn more about expanding my use of Microsoft 365 admin center?**
-    To learn more, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center).
+    For more information, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center).
--- a/windows/deployment/update/deploy-updates-configmgr.md
+++ b/windows/deployment/update/deploy-updates-configmgr.md
@ -2,9 +2,9 @@
 title: Deploy Windows client updates with Configuration Manager
 description: Deploy Windows client updates with Configuration Manager
 ms.prod: w10
-author: aczechowski
+author: mestew
 ms.localizationpriority: medium
-ms.author: aaroncz
+ms.author: mstewart
 ms.reviewer: 
 manager: dougeby
 ms.topic: article
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@ -88,8 +88,8 @@ The Microsoft Graph SDK includes a PowerShell extension that you can use to scri
 ### Building your own application
 Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
- Learning Path: [Microsoft Graph Fundamentals](/learn/paths/m365-msgraph-fundamentals/)
+- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
- Learning Path: [Build apps with Microsoft Graph](/learn/paths/m365-msgraph-associate/)
+- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
 Once you are familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@ -10,6 +10,7 @@ ms.topic: article
 ms.custom:
 - seo-marvel-apr2020
 ms.collection: highpri
 date: 09/22/2022
 ---
 # Manage device restarts after updates
@ -18,11 +19,11 @@ ms.collection: highpri
 **Applies to**
 - Windows 10
-
+- Windows 11
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
+You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
 ## Schedule update installation
@ -100,15 +101,27 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan
 ## Limit restart delays
-After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
+After an update is installed, Windows attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
 ## Control restart notifications
-In Windows 10, version 1703, we have added settings to control restart notifications for users.
+### Display options for update notifications
 Starting in Windows 10 version 1809, you can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed. You can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
 **0** (default) - Use the default Windows Update notifications </br>
 **1** - Turn off all notifications, excluding restart warnings </br>
 **2** - Turn off all notifications, including restart warnings </br>
 To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-configuration-service-provider#update-updatenotificationlevel).
 Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260-->
 To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
 ### Auto-restart notifications
-Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically.
+Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. This setting was added in Windows 10, version 1703.
 To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
@ -198,10 +211,10 @@ There are three different registry combinations for controlling restart behavior
 ## Related articles
- [Update Windows 10 in the enterprise](index.md)
+- [Update Windows in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
- [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md)
+- [Configure Delivery Optimization for Windows updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+- [Configure BranchCache for Windows updates](waas-branchcache.md)
 - [Configure Windows Update for Business](waas-configure-wufb.md)
 - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
 - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@ -3,12 +3,12 @@ title: Manage additional Windows Update settings
 description: In this article, learn about additional settings to control the behavior of Windows Update.
 ms.prod: w10
 ms.localizationpriority: medium
-author: aczechowski
+author: mestew
-ms.author: aaroncz
+ms.author: mstewart
-manager: dougeby
+manager: aaroncz
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ms.collection: highpri
 date: 09/22/2022
 ---
 # Manage additional Windows Update settings
@ -36,6 +36,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
 | [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
 | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
 | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
 | |  [Windows Update notifications display organization name](#bkmk_display-name) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->| 
 >[!IMPORTANT]
 >Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
@ -230,7 +231,7 @@ To do this, follow these steps:
     > [!NOTE]
     > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
-To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance.
+To use Automatic Updates with a server that is running Windows Software Update Services (WSUS), see the [Deploying Microsoft Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services) guidance.
 When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.
@ -246,3 +247,32 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
 *  WUStatusServer (REG_SZ)
   This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
 ## <a name="bkmk_display-name"> </a> Display organization name in Windows Update notifications
 <!--6286260-->
 When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.  
 The organization name appears automatically for Windows 11 clients that are associated with Azure AD in any of the following ways:
 - [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) 
 - [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register)
 - [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
 To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
   - **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations`
  -   **DWORD value name**: UsoDisableAADJAttribution
  - **Value data:** 1
 The following PowerShell script is provided as an example to you: 
 ```powershell
 $registryPath = "HKLM:\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations"
 $Name = "UsoDisableAADJAttribution"
 $value = "1" 
 if (!(Test-Path $registryPath)) 
 {
  New-Item -Path $registryPath -Force | Out-Null
 }
 New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
 ```
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@ -178,12 +178,14 @@ There are additional settings that affect the notifications.
 We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
-**0** (default) – Use the default Windows Update notifications
+**0** (default) - Use the default Windows Update notifications </br>
-**1** – Turn off all notifications, excluding restart warnings
+**1** - Turn off all notifications, excluding restart warnings </br>
-**2** – Turn off all notifications, including restart warnings
+**2** - Turn off all notifications, including restart warnings </br>
-> [!NOTE]
+Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
-> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
+
 > [!NOTE] 
 > Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260-->
 Still more options are available in **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart restart warning notifications schedule for updates**. This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update and to specify the period for auto-restart imminent warning notifications (15-60 minutes is the default). We recommend using the default notifications.
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@ -444,14 +444,14 @@ System Information:
 Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
 Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again.  Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
 Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015
-Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
+Refer to https://learn.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information.
 ```
 ### XML log sample
 ```xml
 <?xml version="1.0" encoding="utf-16"?>
-<SetupDiag xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://docs.microsoft.com/windows/deployment/upgrade/setupdiag">
+<SetupDiag xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://learn.microsoft.com/windows/deployment/upgrade/setupdiag">
  <Version>1.6.0.0</Version>
  <ProfileName>FindSPFatalError</ProfileName>
  <ProfileGuid>A4028172-1B09-48F8-AD3B-86CDD7D55852</ProfileGuid>
@ -494,7 +494,7 @@ Error: 0x00000057</FailureData>
  <FailureData>LogEntry: 2019-06-06 21:47:11, Error                 SP     Error converting install time 5/2/2019 to structure[gle=0x00000057]</FailureData>
  <FailureData>LogEntry: 2019-06-06 21:47:11, Error                 SP     Error converting install time 5/2/2019 to structure[gle=0x00000057]</FailureData>
  <FailureData>
-Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" for error information.</FailureData>
+Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes" for error information.</FailureData>
  <FailureDetails>Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel</FailureDetails>
 </SetupDiag>
 ```
@ -548,7 +548,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
        "LogEntry: 2019-06-06 21:47:11, Error                 SP     Error converting install time 5\/2\/2019 to structure[
            gle=0x00000057
        ]",
-        "\u000aRefer to \"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/Debug\/system-error-codes\" for error information."
+        "\u000aRefer to \"https:\/\/learn.microsoft.com\/windows\/desktop\/Debug\/system-error-codes\" for error information."
    ],
    "FailureDetails":"Err = 0x00000057, LastOperation = Gather data, scope: EVERYTHING, LastPhase = Downlevel",
    "DeviceDriverInfo":null,
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@ -1,61 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg",
          "**/*.gif"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
      "ms.technology": "windows",
      "ms.topic": "article",
      "ms.date": "04/05/2017",
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "MSDN.win-device-security",
          "folder_relative_path_in_docset": "./"
        }
      },
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "win-device-security",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/eulas/docfx.json
+++ b/windows/eulas/docfx.json
@ -1,57 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
      "extendBreadcrumb": true,
      "feedback_system": "None",
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "eula-vsts",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@ -105,7 +105,7 @@ conceptualContent:
        - url: /windows/configuration/provisioning-packages/provisioning-packages
          itemType: how-to-guide
          text: Use Provisioning packages to configure new devices
-        - url: /windows/configuration/windows-10-accessibility-for-itpros
+        - url: /windows/configuration/windows-accessibility-for-itpros
          itemType: overview
          text: Accessibility information for IT Pros
        - url: /windows/configuration/customize-start-menu-layout-windows-11
--- a/windows/keep-secure/docfx.json
+++ b/windows/keep-secure/docfx.json
@ -1,57 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "feedback_system": "None",
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "MSDN.keep-secure",
          "folder_relative_path_in_docset": "./"
        }
      },
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "keep-secure",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/known-issues/docfx.json
+++ b/windows/known-issues/docfx.json
@ -1,58 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
      "feedback_system": "GitHub",
      "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "known-issues",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/manage/TOC.yml
+++ b/windows/manage/TOC.yml
@ -1,2 +0,0 @@
 - name: Test
  href: test.md
--- a/windows/manage/docfx.json
+++ b/windows/manage/docfx.json
@ -1,56 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "MSDN.windows-manage",
          "folder_relative_path_in_docset": "./"
        }
      },
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "windows-manage",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/manage/test.md
+++ b/windows/manage/test.md
@ -1,19 +0,0 @@
 ---
 title: Test
 description: Test
 ms.prod: w11
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: dstrome
 ms.author: dstrome
 ms.reviewer: 
 manager: dstrome
 ms.topic: article
 ---
 # Test
 ## Deployment planning
 This article provides guidance to help you plan for Windows 11 in your organization.
--- a/windows/plan/docfx.json
+++ b/windows/plan/docfx.json
@ -1,56 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "MSDN.windows-plan",
          "folder_relative_path_in_docset": "./"
        }
      },
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "windows-plan",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@ -68,50 +68,50 @@ productDirectory:
 #     # Card
 #     - title: cardtitle1
 #       links:
-#         - url: file1.md OR https://docs.microsoft.com/file1
+#         - url: file1.md OR https://learn.microsoft.com/file1
 #           itemType: itemType
 #           text: linktext1
-#         - url: file2.md OR https://docs.microsoft.com/file2
+#         - url: file2.md OR https://learn.microsoft.com/file2
 #           itemType: itemType
 #           text: linktext2
-#         - url: file3.md OR https://docs.microsoft.com/file3
+#         - url: file3.md OR https://learn.microsoft.com/file3
 #           itemType: itemType
 #           text: linktext3
 #       # footerLink (optional)
 #       footerLink:
-#         url: filefooter.md OR https://docs.microsoft.com/filefooter
+#         url: filefooter.md OR https://learn.microsoft.com/filefooter
 #         text: See more
 #     # Card
 #     - title: cardtitle2
 #       links:
-#         - url: file1.md OR https://docs.microsoft.com/file1
+#         - url: file1.md OR https://learn.microsoft.com/file1
 #           itemType: itemType
 #           text: linktext1
-#         - url: file2.md OR https://docs.microsoft.com/file2
+#         - url: file2.md OR https://learn.microsoft.com/file2
 #           itemType: itemType
 #           text: linktext2
-#         - url: file3.md OR https://docs.microsoft.com/file3
+#         - url: file3.md OR https://learn.microsoft.com/file3
 #           itemType: itemType
 #           text: linktext3
 #       # footerLink (optional)
 #       footerLink:
-#         url: filefooter.md OR https://docs.microsoft.com/filefooter
+#         url: filefooter.md OR https://learn.microsoft.com/filefooter
 #         text: See more
 #     # Card
 #     - title: cardtitle3
 #       links:
-#         - url: file1.md OR https://docs.microsoft.com/file1
+#         - url: file1.md OR https://learn.microsoft.com/file1
 #           itemType: itemType
 #           text: linktext1
-#         - url: file2.md OR https://docs.microsoft.com/file2
+#         - url: file2.md OR https://learn.microsoft.com/file2
 #           itemType: itemType
 #           text: linktext2
-#         - url: file3.md OR https://docs.microsoft.com/file3
+#         - url: file3.md OR https://learn.microsoft.com/file3
 #           itemType: itemType
 #           text: linktext3
 #       # footerLink (optional)
 #       footerLink:
-#         url: filefooter.md OR https://docs.microsoft.com/filefooter
+#         url: filefooter.md OR https://learn.microsoft.com/filefooter
 #         text: See more
 # # tools section (optional)
@ -122,15 +122,15 @@ productDirectory:
 #     # Card
 #     - title: cardtitle1
 #       # imageSrc should be square in ratio with no whitespace
-#       imageSrc: ./media/index/image1.svg OR https://docs.microsoft.com/media/logos/image1.svg
+#       imageSrc: ./media/index/image1.svg OR https://learn.microsoft.com/media/logos/image1.svg
 #       url: file1.md
 #     # Card
 #     - title: cardtitle2
-#       imageSrc: ./media/index/image2.svg OR https://docs.microsoft.com/media/logos/image2.svg
+#       imageSrc: ./media/index/image2.svg OR https://learn.microsoft.com/media/logos/image2.svg
 #       url: file2.md
 #     # Card
 #     - title: cardtitle3
-#       imageSrc: ./media/index/image3.svg OR https://docs.microsoft.com/media/logos/image3.svg
+#       imageSrc: ./media/index/image3.svg OR https://learn.microsoft.com/media/logos/image3.svg
 #       url: file3.md
 # additionalContent section (optional)
@ -144,15 +144,15 @@ productDirectory:
 #         # Card
 #         - title: cardtitle1
 #           summary: cardsummary1
-#           url: file1.md OR https://docs.microsoft.com/file1
+#           url: file1.md OR https://learn.microsoft.com/file1
 #         # Card
 #         - title: cardtitle2
 #           summary: cardsummary2
-#           url: file1.md OR https://docs.microsoft.com/file2
+#           url: file1.md OR https://learn.microsoft.com/file2
 #         # Card
 #         - title: cardtitle3
 #           summary: cardsummary3
-#           url: file1.md OR https://docs.microsoft.com/file3
+#           url: file1.md OR https://learn.microsoft.com/file3
 #   # footer (optional)
 #   footer: "footertext [linktext](/footerfile)"
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@ -1,61 +0,0 @@
 {
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "_themes/**",
          "_themes.pdf/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "recommendations": true,
      "breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
      "ms.prod": "w10",
      "ms.date": "4/30/2019",
      "audience": "ITPro",
      "titleSuffix": "Windows Release Information",
      "extendBreadcrumb": true,
      "feedback_system": "None",
      "contributors_to_exclude": [
        "rjagiewich", 
        "traya1", 
        "rmca14", 
        "claydetels19", 
        "jborsecnik",
        "tiburd",
        "garycentric"
      ]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "release-information",
    "markdownEngineName": "markdig"
  }
 }
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@ -5,13 +5,19 @@
  href: zero-trust-windows-device-health.md
  expanded: true
 - name: Hardware security
-  items: 
+  items:
    - name: Overview
      href: hardware.md
    - name: Microsoft Pluton security processor
      items:
        - name: Microsoft Pluton overview
          href: information-protection/pluton/microsoft-pluton-security-processor.md
        - name: Microsoft Pluton as TPM
          href: information-protection/pluton/pluton-as-tpm.md
    - name: Trusted Platform Module
      href: information-protection/tpm/trusted-platform-module-top-node.md
-      items: 
+      items:
-        - name: Trusted Platform Module Overview
+        - name: Trusted Platform Module overview
          href: information-protection/tpm/trusted-platform-module-overview.md
        - name: TPM fundamentals
          href: information-protection/tpm/tpm-fundamentals.md
@ -32,16 +38,16 @@
    - name: System Guard Secure Launch and SMM protection
      href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
    - name: Enable virtualization-based protection of code integrity
-      href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md    
+      href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
    - name: Kernel DMA Protection
      href: information-protection/kernel-dma-protection-for-thunderbolt.md
    - name: Windows secured-core devices
      href: /windows-hardware/design/device-experiences/oem-highly-secure
 - name: Operating system security
-  items: 
+  items:
   - name: Overview
     href: operating-system.md
-   - name: System security   
+   - name: System security
     items:
     - name: Secure the Windows boot process
       href: information-protection/secure-the-windows-10-boot-process.md
@ -70,19 +76,19 @@
       href: threat-protection/security-policy-settings/security-policy-settings.md
     - name: Security auditing
       href: threat-protection/auditing/security-auditing-overview.md
-   - name: Encryption and data protection 
+   - name: Encryption and data protection
     href: encryption-data-protection.md
     items:
     - name: Encrypted Hard Drive
       href: information-protection/encrypted-hard-drive.md
-     - name: BitLocker 
+     - name: BitLocker
       href: information-protection/bitlocker/bitlocker-overview.md
-       items: 
+       items:
        - name: Overview of BitLocker Device Encryption in Windows
          href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
        - name: BitLocker frequently asked questions (FAQ)
          href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
-          items: 
+          items:
            - name: Overview and requirements
              href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
            - name: Upgrading
@ -128,7 +134,7 @@
        - name: Protecting cluster shared volumes and storage area networks with BitLocker
          href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
        - name: Troubleshoot BitLocker
-          items: 
+          items:
            - name: Troubleshoot BitLocker
              href: information-protection/bitlocker/troubleshoot-bitlocker.md
            - name: "BitLocker cannot encrypt a drive: known issues"
@ -142,20 +148,28 @@
            - name: "BitLocker configuration: known issues"
              href: information-protection/bitlocker/ts-bitlocker-config-issues.md
            - name: Troubleshoot BitLocker and TPM issues
-              items: 
+              items:
                - name: "BitLocker cannot encrypt a drive: known TPM issues"
                  href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
                - name: "BitLocker and TPM: other known issues"
                  href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
                - name: Decode Measured Boot logs to track PCR changes
                  href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
     - name: Personal Data Encryption (PDE)
       items:
       - name: Personal Data Encryption (PDE) overview
         href: information-protection/personal-data-encryption/overview-pde.md
       - name: Personal Data Encryption (PDE) (FAQ)
         href: information-protection/personal-data-encryption/faq-pde.yml
       - name: Configure Personal Data Encryption (PDE) in Intune
         href: information-protection/personal-data-encryption/configure-pde-in-intune.md    
     - name: Configure S/MIME for Windows
-       href: identity-protection/configure-s-mime.md    
+       href: identity-protection/configure-s-mime.md
   - name: Network security
     items:
     - name: VPN technical guide
       href: identity-protection/vpn/vpn-guide.md
-       items: 
+       items:
        - name: VPN connection types
          href: identity-protection/vpn/vpn-connection-type.md
        - name: VPN routing decisions
@ -182,13 +196,13 @@
       href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
   - name: Windows security baselines
     href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
-     items: 
+     items:
      - name: Security Compliance Toolkit
        href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
      - name: Get support
-        href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md     
+        href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
   - name: Virus & threat protection
-     items: 
+     items:
      - name: Overview
        href: threat-protection/index.md
      - name: Microsoft Defender Antivirus
@ -206,7 +220,7 @@
      - name: Microsoft Defender for Endpoint
        href: /microsoft-365/security/defender-endpoint
   - name: More Windows security
-     items: 
+     items:
      - name: Override Process Mitigation Options to help enforce app-related security policies
        href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
      - name: Use Windows Event Forwarding to help with intrusion detection
@ -215,13 +229,13 @@
        href: threat-protection/block-untrusted-fonts-in-enterprise.md
      - name: Windows Information Protection (WIP)
        href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
-        items: 
+        items:
         - name: Create a WIP policy using Microsoft Intune
           href: information-protection/windows-information-protection/overview-create-wip-policy.md
-           items: 
+           items:
            - name: Create a WIP policy in Microsoft Intune
              href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
-              items: 
+              items:
                - name: Deploy your WIP policy in Microsoft Intune
                  href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
                - name: Associate and deploy a VPN policy for WIP in Microsoft Intune
@ -232,7 +246,7 @@
              href: information-protection/windows-information-protection/wip-app-enterprise-context.md
         - name: Create a WIP policy using Microsoft Endpoint Configuration Manager
           href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
-           items: 
+           items:
            - name: Create and deploy a WIP policy in Configuration Manager
              href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
            - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
@ -249,7 +263,7 @@
           href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
         - name: General guidance and best practices for WIP
           href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
-           items: 
+           items:
            - name: Enlightened apps for use with WIP
              href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
            - name: Unenlightened and enlightened app behavior while using WIP
@ -274,17 +288,20 @@
     href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
   - name: Windows Sandbox
     href: threat-protection/windows-sandbox/windows-sandbox-overview.md
-     items: 
+     items:
        - name: Windows Sandbox architecture
          href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
        - name: Windows Sandbox configuration
          href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
   - name: Microsoft Defender SmartScreen overview
     href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
     items:
        - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
          href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
   - name: Configure S/MIME for Windows
     href: identity-protection\configure-s-mime.md
   - name: Windows Credential Theft Mitigation Guide Abstract
-     href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md 
+     href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
 - name: User security and secured identity
  items:
    - name: Overview
@ -297,7 +314,7 @@
      href: identity-protection/enterprise-certificate-pinning.md
    - name: Protect derived domain credentials with Credential Guard
      href: identity-protection/credential-guard/credential-guard.md
-      items: 
+      items:
        - name: How Credential Guard works
          href: identity-protection/credential-guard/credential-guard-how-it-works.md
        - name: Credential Guard Requirements
@ -322,12 +339,12 @@
      href: identity-protection/password-support-policy.md
    - name: Access Control Overview
      href: identity-protection/access-control/access-control.md
-      items: 
+      items:
        - name: Local Accounts
          href: identity-protection/access-control/local-accounts.md
        - name: User Account Control
          href: identity-protection/user-account-control/user-account-control-overview.md
-          items: 
+          items:
            - name: How User Account Control works
              href: identity-protection/user-account-control/how-user-account-control-works.md
            - name: User Account Control security policy settings
@ -336,10 +353,10 @@
              href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
    - name: Smart Cards
      href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
-      items: 
+      items:
        - name: How Smart Card Sign-in Works in Windows
          href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
-          items: 
+          items:
            - name: Smart Card Architecture
              href: identity-protection/smart-cards/smart-card-architecture.md
            - name: Certificate Requirements and Enumeration
@ -354,7 +371,7 @@
              href: identity-protection/smart-cards/smart-card-removal-policy-service.md
        - name: Smart Card Tools and Settings
          href: identity-protection/smart-cards/smart-card-tools-and-settings.md
-          items: 
+          items:
            - name: Smart Cards Debugging Information
              href: identity-protection/smart-cards/smart-card-debugging-information.md
            - name: Smart Card Group Policy and Registry Settings
@ -363,10 +380,10 @@
              href: identity-protection/smart-cards/smart-card-events.md
        - name: Virtual Smart Cards
          href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
-          items: 
+          items:
            - name: Understanding and Evaluating Virtual Smart Cards
              href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
-              items: 
+              items:
                - name: "Get Started with Virtual Smart Cards: Walkthrough Guide"
                  href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
                - name: Use Virtual Smart Cards
@ -388,7 +405,7 @@
   - name: Azure Virtual Desktop
     href: /azure/virtual-desktop/
 - name: Security foundations
-  items: 
+  items:
    - name: Overview
      href: security-foundations.md
    - name: Microsoft Security Development Lifecycle
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@ -2,17 +2,17 @@
 title: Encryption and data protection in Windows
 description: Get an overview encryption and data protection in Windows 11 and Windows 10
 search.appverid: MET150 
-author: denisebmsft
+author: frankroj
-ms.author: deniseb
+ms.author: frankroj
-manager: dansimp 
+manager: aaroncz
-ms.topic: conceptual
+ms.topic: overview
-ms.date: 09/08/2021
+ms.date: 09/22/2022
-ms.prod: m365-security
+ms.prod: windows-client
-ms.technology: windows-sec
+ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: 
 ms.custom: 
-ms.reviewer: deepakm, rafals  
+ms.reviewer: rafals  
 ---
 # Encryption and data protection in Windows client
@ -32,8 +32,8 @@ Encrypted hard drives provide:
 - Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
 - Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
+- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
+- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
 Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. 
@ -45,8 +45,14 @@ BitLocker provides encryption for the operating system, fixed data, and removabl
 Windows consistently improves data protection by improving existing options and providing new strategies.
 ## Personal Data Encryption (PDE)
 <!-- Max 5963468 OS 32516487 -->
 (*Applies to: Windows 11, version 22H2 and later*)
 [!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)]
 ## See also
 - [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
 - [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
 - [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md)
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@ -5,7 +5,7 @@ ms.prod: m365-security
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection:
  - M365-identity-device-management
@ -22,6 +22,24 @@ appliesto:
 - ✅ <b>Windows Server 2022</b>
 ---
 # Manage Windows Defender Credential Guard
 ## Default Enablement
 Starting with Windows 11 Enterprise 22H2, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
 ### Requirements for automatic enablement
 Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements:
 |Component|Requirement|
 |---|---|
 |Operating System|Windows 11 Enterprise 22H2|
 |Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
 |Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
 > [!NOTE]
 > If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting.
 ## Enable Windows Defender Credential Guard
 Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@ -5,7 +5,7 @@ ms.prod: m365-security
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection:
  - M365-identity-device-management
@ -58,8 +58,8 @@ For information about Windows Defender Remote Credential Guard hardware and soft
 When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
 > [!WARNING]
-> Enabling Windows Defender Credential Guard on domain controllers is not supported.
+> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time.
-> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
+> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers.
 > [!NOTE]
 > Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
@ -103,9 +103,6 @@ The following tables describe baseline protections, plus protections for improve
 |Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
 |Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
 > [!IMPORTANT]
 > Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
 > [!IMPORTANT]
 > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@ -25,6 +25,8 @@ appliesto:
 param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
 Set-StrictMode -Version Latest
 $path = "C:\DGLogs\"
 $LogFile = $path + "DeviceGuardCheckLog.txt"
@ -796,7 +798,13 @@ function CheckOSArchitecture
 function CheckSecureBootState
 {
-    $_secureBoot = Confirm-SecureBootUEFI
+    try { 
        $_secureBoot = Confirm-SecureBootUEFI
    }
    catch
    {
        $_secureBoot = $false
    }
    Log $_secureBoot
    if($_secureBoot)
    {
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@ -35,7 +35,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme
 - Multi-factor Authentication is required during Windows Hello for Business provisioning
 - Proper name resolution, both internal and external names
 - Active Directory and an adequate number of domain controllers per site to support authentication
- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud trust deployments)
+- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud Kerberos trust deployments)
 - One or more workstation computers running Windows 10, version 1703 or later
 If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.  
@ -44,23 +44,23 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
 ## Deployment and trust models
-Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key trust*, *certificate trust*, and *cloud trust*. On-premises deployment models only support *Key trust* and *certificate trust*.
+Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*.
 Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
 The trust model determines how you want users to authenticate to the on-premises Active Directory:
 - The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates.
- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using cloud trust instead of key trust if the clients in your enterprise support it.
+- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it.
 - The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
 - The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
 > [!Note]
-> RDP does not support authentication with Windows Hello for Business key trust or cloud trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust and cloud trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
 Following are the various deployment guides and models included in this topic:
- [Hybrid Azure AD Joined Cloud Trust Deployment](hello-hybrid-cloud-trust.md)
+- [Hybrid Azure AD Joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md)
 - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
 - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
 - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@ -29,9 +29,9 @@ sections:
  - name: Ignored
    questions:
-      - question: What is Windows Hello for Business cloud trust?
+      - question: What is Windows Hello for Business cloud Kerberos trust?
        answer: |
-          Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust).
+          Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).
      - question: What about virtual smart cards?
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@ -96,8 +96,8 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
 |--- |--- |--- |
 |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
 |**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
-|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust|
+|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
-|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
+|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
 |**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
 |**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.|
 |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@ -21,10 +21,10 @@ Windows Hello for Business authentication is passwordless, two-factor authentica
 Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
 - [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview)
+- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust)
 - [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key)
 - [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview)
+- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust)
 - [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key)
 - [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
@ -43,7 +43,7 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
 |D | The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
 |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)
+## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)
 ![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
@ -78,13 +78,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
 > [!NOTE]
 > You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.  
-## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)
+## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)
 ![Hybrid Azure AD join authentication using Azure AD Kerberos](images/howitworks/auth-haadj-cloudtrust.png)
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to winlogon.  Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud trust is enabled. If cloud trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
+|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to winlogon.  Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
 |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
 |C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
 |D | Cloud AP  receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@ -26,7 +26,7 @@ List of provisioning flows:
 - [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
 - [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
- [Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-trust-preview-deployment-in-a-managed-environment)
+- [Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment)
 - [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
 - [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
 - [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
@ -62,9 +62,9 @@ List of provisioning flows:
 [Return to top](#windows-hello-for-business-provisioning)
-## Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment
+## Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment
-![Hybrid Azure AD joined provisioning in a cloud trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png)
+![Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a Managed environment.](images/howitworks/prov-haadj-cloudtrust-managed.png)
 [Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png)
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
@ -74,7 +74,7 @@ List of provisioning flows:
 |   C   | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration.  Azure DRS validates the MFA claim remains current.  On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.  |
 > [!NOTE]
-> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
+> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
 [Return to top](#windows-hello-for-business-provisioning)
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@ -1,6 +1,6 @@
 ---
-title: Hybrid Cloud Trust Deployment (Windows Hello for Business)
+title: Hybrid cloud Kerberos trust Deployment (Windows Hello for Business)
-description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
+description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
 ms.prod: m365-security
 author: paolomatarazzo
 ms.author: paoloma
@ -11,66 +11,68 @@ ms.topic: article
 localizationpriority: medium
 ms.date: 2/15/2022
 appliesto:
- ✅ <b>Windows 10 21H2 and later</b>
+- ✅ <b>Windows 10, version 21H2 and later</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Hybrid deployment</b>
 - ✅ <b>Cloud Kerberos trust</b>
 ---
-# Hybrid Cloud Trust Deployment (Preview)
+# Hybrid Cloud Kerberos Trust Deployment (Preview)
-Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
+Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
-## Introduction to Cloud Trust
+## Introduction to Cloud Kerberos Trust
-The goal of the Windows Hello for Business cloud trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls.
+The goal of the Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls.
-Windows Hello for Business cloud trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model:
+Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model:
- Windows Hello for Business cloud trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI.
+- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI
- Cloud trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate.
+- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate
- Deploying Windows Hello for Business cloud trust enables you to also deploy passwordless security keys with minimal extra setup.
+- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup
 > [!NOTE]
-> Windows Hello for Business cloud trust is recommended instead of key trust if you meet the prerequisites to deploy cloud trust. Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
+> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
-## Azure Active Directory Kerberos and Cloud Trust Authentication
+## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication
-Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
+Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. cloud Kerberos trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
 With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs.
 When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server object is created in your on-premises AD. This object will appear as a Read Only Domain Controller (RODC) object but isn't associated with any physical servers. This resource is only used by Azure Active Directory to generate TGTs for your Active Directory Domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object.
-More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview).
+More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
-If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
+If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
 ## Prerequisites
 | Requirement | Notes |
 | --- | --- |
 | Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. |
-| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
+| Patched Windows 10, version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
 | Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. |
 | Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
-| Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
+| Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
 ### Unsupported Scenarios
-The following scenarios aren't supported using Windows Hello for Business cloud trust:
+The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:
 - On-premises only deployments
 - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
 - Scenarios that require a certificate for authentication
- Using cloud trust for "Run as"
+- Using cloud Kerberos trust for "Run as"
- Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
+- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
 > [!NOTE]
-> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys.
+> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
 > 
 > To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\<domain-DN\>).
 ## Deployment Instructions
-Deploying Windows Hello for Business cloud trust consists of two steps:
+Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
 1. Set up Azure AD Kerberos in your hybrid environment.
 1. Configure Windows Hello for Business policy and deploy it to devices.
@ -79,74 +81,35 @@ Deploying Windows Hello for Business cloud trust consists of two steps:
 If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
-If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module) documentation. This page includes information on how to install and use the Azure AD Kerberos Powershell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud trust.
+If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module) documentation. This page includes information on how to install and use the Azure AD Kerberos Powershell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
 ### Configure Windows Hello for Business Policy
-After setting up the Azure AD Kerberos Object, Windows Hello for business cloud trust must be enabled using policy. By default, cloud trust won't be used by Hybrid Azure AD joined or Azure AD-joined devices.
+After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
-#### Configure Using Group Policy
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
 Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
 The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.  
 You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
 Cloud trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
 > [!NOTE]
 > If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
 ##### Update Group Policy Objects
 You may need to update your Group Policy definitions to be able to configure the cloud trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files.
 You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
 ##### Create the Windows Hello for Business Group Policy object
 Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
 1. Start the **Group Policy Management Console** (gpmc.msc).
 1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
 1. Right-click **Group Policy object** and select **New**.
 1. Type *Enable Windows Hello for Business* in the name box and click **OK**.
 1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
 1. In the navigation pane, expand **Policies** under **Device Configuration**.
 1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
 1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
 1. In the content pane, double-click **Use cloud trust for on-premises authentication**. Click **Enable** and click **OK**.
 1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**.
 This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business.
 > [!Important]
 > If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud trust have this policy not configured or disabled.
 #### Configure Using Intune
 Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices.
-The cloud trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
+The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
-##### Create a user Group that will be targeted for Windows Hello for Business
+### Create a user Group that will be targeted for Windows Hello for Business
-If you have an existing group you want to target with Windows Hello for Business cloud trust policy, you can skip this step.
+If you have an existing group you want to target with Windows Hello for Business cloud Kerberos trust policy, you can skip this step.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/)
-1. Browse to **Groups** and select **New group**.
+1. Browse to **Groups** and select **New group**
 1. Configure the following group settings:
-    1. Group type: "Security"
+    1. Group type: **Security**
-    1. Group name: "WHFBCloudTrustUsers" or a group name of your choosing
+    1. Group name: *WHFB cloud Kerberos trust users* or a group name of your choosing
-    1. Membership type: Assigned
+    1. Membership type: **Assigned**
-1. Select **Members** and add users that you want to target with Windows Hello for Business cloud trust.
+1. Select **Members** and add users that you want to target with Windows Hello for Business cloud Kerberos trust
-You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center.
+You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center
-##### Enable Windows Hello for Business
+### Enable Windows Hello for Business
-If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
+If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud Kerberos trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
 You can also follow these steps to create a device configuration policy instead of a device enrollment policy:
@ -162,53 +125,91 @@ You can also follow these steps to create a device configuration policy instead
 1. Select Next to move to **Assignments**.
 1. Under Included groups, select **Add groups**.
-1. Select the user group you would like to use Windows Hello for Business cloud trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
+1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
 1. Select Next to move to the Applicability Rules.
 1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
 Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog).
-##### Configure Cloud Trust policy
+### Configure Cloud Kerberos Trust policy
-To configure the cloud trust policy, follow the steps below:
+To configure the cloud Kerberos trust policy, follow the steps below:
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
 1. Browse to Devices > Windows > Configuration Profiles > Create profile.
 1. For Platform, select Windows 10 and later.
 1. For Profile Type, select **Templates** and select the **Custom** Template.
-1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud trust".
+1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
 1. In Configuration Settings, add a new configuration with the following settings:
-
+    
-    - Name: "Windows Hello for Business cloud trust" or another familiar name
+    | Setting |
-    - Description: Enable Windows Hello for Business cloud trust for sign-in and on-premises SSO.
+    |--------|
-    - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/UseCloudTrustForOnPremAuth
+    | <ul><li>Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name</li><li>Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*</li><li>OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\<tenant ID>*`/Policies/UseCloudTrustForOnPremAuth`** </li><li>Data type: **Boolean** </li><li>Value: **True**</li></ul>|
-
+    
-        >[!IMPORTANT]
+    >[!IMPORTANT]
-        >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID.
+    >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID.
-
+    
    - Data type: Boolean
    - Value: True
    [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox)
-
+    
 1. Select Next to navigate to **Assignments**.
 1. Under Included groups, select **Add groups**.
-1. Select the user group you would like to use Windows Hello for Business cloud trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
+1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
 1. Select Next to move to the Applicability Rules.
 1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
 > [!Important]
-> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud trust have this policy not configured or disabled.
+> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
 The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled.  
 You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
 cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
 > [!NOTE]
 > If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
 #### Update Group Policy Objects
 You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files.
 You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
 #### Create the Windows Hello for Business Group Policy object
 Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
 1. Start the **Group Policy Management Console** (gpmc.msc).
 1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
 1. Right-click **Group Policy object** and select **New**.
 1. Type *Enable Windows Hello for Business* in the name box and click **OK**.
 1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
 1. In the navigation pane, expand **Policies** under **Device Configuration**.
 1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
 1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
 1. In the content pane, double-click **Use cloud Kerberos trust for on-premises authentication**. Click **Enable** and click **OK**.
 1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**.
 This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business.
 > [!Important]
 > If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
 ---
 ## Provisioning
-The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud trust is enabled by policy.
+The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud Kerberos trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
 You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs\Microsoft\Windows**. This information is also available using the [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command from a console.  
-  ![Cloud trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png)
+  ![cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png)
-The cloud trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud trust is not being enforced by policy or if the device is Azure AD joined.
+The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust is not being enforced by policy or if the device is Azure AD joined.
 This prerequisite check isn't done for provisioning on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in.
@ -228,11 +229,11 @@ After a successful MFA, the provisioning flow asks the user to create and valida
 ### Sign-in
-Once a user has set up a PIN with cloud trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
+Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
 ## Troubleshooting
-If you encounter issues or want to share feedback about Windows Hello for Business cloud trust, share via the Windows Feedback Hub app by following these steps:
+If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps:
 1. Open **Feedback Hub**, and make sure that you're signed in.
 1. Submit feedback by selecting the following categories:
@ -241,24 +242,24 @@ If you encounter issues or want to share feedback about Windows Hello for Busine
 ## Frequently Asked Questions
-### Does Windows Hello for Business cloud trust work in my on-premises environment?
+### Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
 This feature doesn't work in a pure on-premises AD domain services environment.
-### Does Windows Hello for Business cloud trust work in a Windows login with RODC present in the hybrid environment?
+### Does Windows Hello for Business cloud Kerberos trust work in a Windows login with RODC present in the hybrid environment?
-Windows Hello for Business cloud trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud trust will work.
+Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
-### Do I need line of sight to a domain controller to use Windows Hello for Business cloud trust?
+### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
-Windows Hello for Business cloud trust requires line of sight to a domain controller for some scenarios:
+Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller for some scenarios:
 - The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device
 - When attempting to access an on-premises resource from an Azure AD joined device
-### Can I use RDP/VDI with Windows Hello for Business cloud trust?
+### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
-Windows Hello for Business cloud trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
+Windows Hello for Business cloud Kerberos trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
-### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust?
+### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
-No, only the number necessary to handle the load from all cloud trust devices.
+No, only the number necessary to handle the load from all cloud Kerberos trust devices.
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@ -31,7 +31,7 @@ This article lists the infrastructure requirements for the different deployment
 The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
-| Requirement | Cloud trust (Preview)<br/>Group Policy or Modern managed | Key trust<br/>Group Policy or Modern managed | Certificate trust<br/>Mixed managed | Certificate trust<br/>Modern managed | 
+| Requirement | cloud Kerberos trust<br/>Group Policy or Modern managed | Key trust<br/>Group Policy or Modern managed | Certificate Trust<br/>Mixed managed | Certificate Trust<br/>Modern managed | 
 | --- | --- | --- | --- | --- |
 | **Windows Version** | Windows 10, version 21H2 with KB5010415; Windows 11 with KB5010414; or later | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br>  *Minimum:* Windows 10, version 1703<br>  *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).<br/>**Azure AD Joined:**<br>  Windows 10, version 1511 or later| Windows 10, version 1511 or later |
 | **Schema Version** | No specific Schema requirement | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema |
@ -44,7 +44,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
 | **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required |
 > [!Important]
-> - Hybrid deployments support non-destructive PIN reset that works with certificate trust, key trust and cloud trust models.
+> - Hybrid deployments support non-destructive PIN reset that works with Certificate Trust, Key Trust and cloud Kerberos trust models.
 >
 >   **Requirements:**
 >   - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@ -94,9 +94,9 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
 ## Comparing key-based and certificate-based authentication
-Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud trust for hybrid deployments, which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
+Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
-Windows Hello for Business with a key, including cloud trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
 ## Learn more
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s
 A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trust types: key trust and certificate trust.
 > [!NOTE]
-> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available.
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see ./hello-hybrid-cloud-kerberos-trust.md.
 The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@ -65,8 +65,8 @@ landingContent:
            url: hello-identity-verification.md
      - linkListType: how-to-guide
        links:
-          - text: Hybrid Cloud Trust Deployment
+          - text: Hybrid Cloud Kerberos Trust Deployment
-            url: hello-hybrid-cloud-trust.md
+            url: hello-hybrid-cloud-kerberos-trust.md
          - text: Hybrid Azure AD Joined Key Trust Deployment
            url: hello-hybrid-key-trust.md
          - text: Hybrid Azure AD Joined Certificate Trust Deployment
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@ -35,8 +35,8 @@
    href: hello-prepare-people-to-use.md
  - name: Deployment Guides
    items:
-    - name: Hybrid Cloud Trust Deployment
+    - name: Hybrid Cloud Kerberos Trust Deployment
-      href: hello-hybrid-cloud-trust.md
+      href: hello-hybrid-cloud-kerberos-trust.md
    - name: Hybrid Azure AD Joined Key Trust
      items: 
      - name: Hybrid Azure AD Joined Key Trust Deployment
--- a/Show More
+++ b/Show More