Merge branch 'main' into Benny-54-cleanup-cm1

Benny Shilpa 2022-05-25 09:28:39 +05:30 committed by GitHub
commit 90527c3a57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
49 changed files with 993 additions and 508 deletions


@ -52,6 +52,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation| |DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation|
|Duo from Cisco |2.25.0 |Win32 |Cisco| |Duo from Cisco |2.25.0 |Win32 |Cisco|
|e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking| |e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking|
|eTests |4.0.25 |Win32 |CASAS|
|FortiClient |7.0.1.0083 |Win32 |Fortinet| |FortiClient |7.0.1.0083 |Win32 |Fortinet|
|Free NaturalReader |16.1.2 |Win32 |Natural Soft| |Free NaturalReader |16.1.2 |Win32 |Natural Soft|
|GoGuardian |1.4.4 |Win32 |GoGuardian| |GoGuardian |1.4.4 |Win32 |GoGuardian|


@ -31,7 +31,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
1. Download the FOD .cab file: 1. Download the FOD .cab file:
- [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab) - [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab)
- [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) - [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
- [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab) - [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab)
- [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab) - [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab)
- [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) - [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab)
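Review bot: the Windows 10, version 2004 link now points at a different host (software-static.download.prss.microsoft.com) than the other four .cab entries, and nothing on the page tells the WSUS admin how to check what they downloaded before importing it. Since this .cab is fed straight into WSUS, add a line telling readers to verify the package's Authenticode signature (or a Microsoft-published hash) before import, and say why the 2004 package lives on a different host so it isn't mistaken for a stale or hijacked mirror. Nearby nit in unchanged context: the 21H2 package name uses `amd_64` where every other entry uses `amd64`; worth confirming that is the real file name.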


@ -13,6 +13,16 @@ ms.date: 06/26/2017
# CMPolicyEnterprise CSP # CMPolicyEnterprise CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|No|
|Education|No|No|
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request. The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
> [!NOTE] > [!NOTE]
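Review bot: the new applicability table says No for every edition on both Windows 10 and Windows 11, which reads as "this CSP is supported nowhere" while the rest of the page goes on to document the provider and its OMA DM and OMA client provisioning examples. If the CSP is a legacy phone-era provider that no current desktop edition honors, say so in a note directly under the table, or mark it deprecated, so a reader doesn't assume the table is a placeholder that was never filled in.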
@ -20,9 +30,12 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
**Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. **Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. **Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
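Review bot: the paragraph beginning "Each policy entry identifies one or more applications in combination with a host pattern" now appears twice in a row (once as unchanged context, once as an added line), which looks like a merge artifact; drop the second copy. While here, "The phones default behavior" should be "The phone's default behavior" in the Default Policies line on both sides.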
@ -71,7 +84,8 @@ Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong> <a href="" id="connxxx"></a>**Conn**<strong>*XXX*</strong>
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID** <a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
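Review bot: the rewritten Conn*XXX* sentence is a step backwards: "three-digits, which increment" hyphenates a plain noun phrase and turns a restrictive clause into a non-restrictive one. Keep the old wording, "three digits that increment starting from "000"", and change "a policy which applied to five connections" to "a policy that applies to five connections".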
@ -89,7 +103,6 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th
|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}| |Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}|
|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}| |Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}|
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
@ -132,7 +145,6 @@ Specifies the type of connection being referenced. The following list describes
## OMA client provisioning examples ## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
```xml ```xml
@ -226,7 +238,6 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C
## OMA DM examples ## OMA DM examples
Adding an application-based mapping policy: Adding an application-based mapping policy:
```xml ```xml
@ -363,7 +374,6 @@ Adding a host-based mapping policy:
## Microsoft Custom Elements ## Microsoft Custom Elements
|Element|Available| |Element|Available|
|--- |--- | |--- |--- |
|parm-query|Yes| |parm-query|Yes|
@ -372,7 +382,6 @@ Adding a host-based mapping policy:
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)


@ -1,92 +1,90 @@
--- ---
title: Secured-Core Configuration Lock title: Secured-core configuration lock
description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
manager: dansimp manager: dansimp
ms.author: v-lsaldanha ms.author: v-lsaldanha
ms.topic: article ms.topic: article
ms.prod: w11 ms.prod: w11
ms.technology: windows ms.technology: windows
author: lovina-saldanha author: lovina-saldanha
ms.date: 03/14/2022 ms.date: 05/24/2022
--- ---
# Secured-Core PC Configuration Lock # Secured-core PC configuration lock
**Applies to** **Applies to**
- Windows 11 - Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC. Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.
To summarize, Config Lock: To summarize, config lock:
- Enables IT to “lock” Secured-Core PC features when managed through MDM - Enables IT to "lock" secured-core PC features when managed through MDM
- Detects drift remediates within seconds - Detects drift remediates within seconds
- DOES NOT prevent malicious attacks - Doesn't prevent malicious attacks
## Configuration Flow ## Configuration Flow
After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
## System Requirements ## System Requirements
Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure). Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
## Enabling Config Lock using Microsoft Intune ## Enabling config lock using Microsoft Intune
Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on. Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on.
The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune. The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**. 1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**: 1. Select the following and press **Create**:
- **Platform**: Windows 10 and later - **Platform**: Windows 10 and later
- **Profile type**: Templates - **Profile type**: Templates
- **Template name**: Custom - **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates"::: :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates.":::
1. Name your profile. 1. Name your profile.
1. When you reach the Configuration Settings step, select “Add” and add the following information: 1. When you reach the Configuration Settings step, select "Add" and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer - **Data type**: Integer
- **Value**: 1 </br> - **Value**: 1 </br>
To turn off Config Lock, change the value to 0. To turn off config lock, change the value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1"::: :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1.":::
1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”. 1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices".
1. You'll not need to set any applicability rules for test purposes. 1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select “Create” if everything is correct. 1. Review the Configuration and select "Create" if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled. 1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied"::: :::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the config lock device configuration profile, showing one device has succeeded in having this profile applied.":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending"::: :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the config lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending.":::
## Configuring Secured-Core PC features ## Configuring secured-core PC features
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune. Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off.":::
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off":::
## FAQ ## FAQ
**Can an IT admins disable Config Lock ?** </br> - Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities.
Yes. IT admins can use MDM to turn off Config Lock.</br>
### List of locked policies ### List of locked policies
|**CSPs** | |**CSPs** |
|-----| |-----|
|[BitLocker ](bitlocker-csp.md) | |[BitLocker](bitlocker-csp.md) |
|[PassportForWork](passportforwork-csp.md) | |[PassportForWork](passportforwork-csp.md) |
|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) | |[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
|[ApplicationControl](applicationcontrol-csp.md) |[ApplicationControl](applicationcontrol-csp.md)
|**MDM policies** | **Supported by Group Policy** | |**MDM policies** | **Supported by Group Policy** |
|-----|-----| |-----|-----|
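Review bot: the new FAQ answer introduces a "temporary unlock mode for helpdesk activities" that nothing else on the page documents; the only control shown is the Lock node (./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock) with values 1 and 0. Either add the OMA-URI and value for the temporary unlock, or drop the claim until it can be documented, since an admin reading this will look for a setting that isn't described. Two smaller points: the ApplicationControl row in the List of locked policies table lacks the closing `|` that the other rows carry, so it may not render as a table cell; and "Detects drift remediates within seconds" (unchanged on both sides) needs "and": "Detects drift and remediates within seconds". The edit from "DOES NOT prevent malicious attacks" to "Doesn't prevent malicious attacks" keeps the right caveat: per the page, config lock reverts monitored registry keys, it is not a boundary against an attacker who already holds local admin.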


@ -41,7 +41,6 @@ Package Full Name of the application that needs to be launched in the background
## SyncML examples ## SyncML examples
**Set StartupAppID** **Set StartupAppID**
```xml ```xml


@ -14,6 +14,14 @@ ms.date: 02/22/2022
# Defender CSP # Defender CSP
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
> [!WARNING] > [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
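Review bot: the new page-level table says Yes for every edition on Windows 10 and Windows 11, but individual nodes further down contradict it: Configuration/TamperProtection is described as "available in Windows 10 Enterprise E5 or equivalent subscriptions", and Configuration/HideExclusionsFromLocalAdmins lists "Supported OS versions: Windows 10". Add a sentence under the table saying that applicability is per node and that some nodes carry their own edition or version requirements, or reconcile those per-node lines with the table.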
@ -354,7 +362,7 @@ Network Protection inspects DNS traffic that occurs over a UDP channel, to provi
<a href="" id="enablenetworkprotection-disablehttpparsing"></a>**EnableNetworkProtection/DisableHttpParsing** <a href="" id="enablenetworkprotection-disablehttpparsing"></a>**EnableNetworkProtection/DisableHttpParsing**
Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean - Type: Boolean
- Position: Named - Position: Named
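Review bot: the change drops the PowerShell-style "-EnableNetworkProtection" but leaves the rest of the cmdlet phrasing in place: the value is still described as "$true", and the "Position: Named" bullet is a cmdlet-parameter attribute with no meaning for an MDM CSP node. If this block documents the CSP node, state the CSP data type and the value that disables parsing in CSP terms, and remove "Position: Named"; the same applies to the RDP, SSH and TLS siblings below.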
@ -364,7 +372,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to
<a href="" id="enablenetworkprotection-disablerdpparsing"></a>**EnableNetworkProtection/DisableRdpParsing** <a href="" id="enablenetworkprotection-disablerdpparsing"></a>**EnableNetworkProtection/DisableRdpParsing**
Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean - Type: Boolean
- Position: Named - Position: Named
@ -374,7 +382,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn
<a href="" id="enablenetworkprotection-disablesshparsing"></a>**EnableNetworkProtection/DisableSshParsing** <a href="" id="enablenetworkprotection-disablesshparsing"></a>**EnableNetworkProtection/DisableSshParsing**
Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean - Type: Boolean
- Position: Named - Position: Named
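Review bot: the SSH description is split by a stray period: "so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata..." leaves the second sentence without a main clause. Use the same shape as the RDP entry: "Network Protection inspects SSH traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to enabled, and to provide metadata to behavior monitoring."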
@ -384,7 +392,7 @@ Network Protection inspects SSH traffic, so that it can block connections from k
<a href="" id="enablenetworkprotection-disabletlsparsing"></a>**EnableNetworkProtection/DisableTlsParsing** <a href="" id="enablenetworkprotection-disabletlsparsing"></a>**EnableNetworkProtection/DisableTlsParsing**
Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean - Type: Boolean
- Position: Named - Position: Named
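Review bot: the DisableTlsParsing entry ends with "HTTP inspection can be disabled by setting this value to "$true"", which is copied from the HTTP entry; this node controls TLS parsing, so it should read "TLS inspection can be disabled by setting this value to "$true"". Worth fixing in this hunk since the line is already being touched.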
@ -593,11 +601,13 @@ An interior node to group Windows Defender configuration information.
Supported operation is Get. Supported operation is Get.
<a href="" id="configuration-tamperprotection"></a>**Configuration/TamperProtection** <a href="" id="configuration-tamperprotection"></a>**Configuration/TamperProtection**
Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
The data type is a Signed blob. The data type is a Signed BLOB.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, Replace.
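Review bot: "Send off blob to device to reset the tamper protection state" is ambiguous; spell out that the "off" blob is the signed payload that turns tamper protection off, and that it has to be delivered before the Intune setting is moved to not configured or unassigned, because otherwise the device keeps its last applied state (as the next hunk says). Also reconcile "Accepts signed string" with "The data type is a Signed BLOB" in the same block; pick one term.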
@ -609,7 +619,7 @@ Intune tamper protection setting UX supports three states:
When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
<a href="" id="configuration-disablelocaladminmerge"></a>**Configuration/DisableLocalAdminMerge**<br> <a href="" id="configuration-disablelocaladminmerge"></a>**Configuration/DisableLocalAdminMerge**<br>
This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list.
If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings. If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings.
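Review bot: "lists such as threats and exclusion list" reads worse than the original "threats and exclusions"; keep the plural noun so both items are parallel. Since the default (disabled or not configured) merges locally added exclusions into the effective policy, a one-line caveat is warranted: under the default, a local admin can widen the exclusion set beyond what management pushed, so hardened baselines should enable this setting.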
@ -629,6 +639,7 @@ Valid values are:
- 0 (default) Disable. - 0 (default) Disable.
<a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br> <a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br>
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled.
If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
@ -638,22 +649,23 @@ If you enable this setting, Local Admins will no longer be able to see the exclu
> [!NOTE] > [!NOTE]
> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. > Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
Supported OS versions: Windows 10 Supported OS versions: Windows 10
The data type is integer. The data type is integer.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Valid values are: Valid values are:
- 1 Enable. - 1 Enable.
- 0 (default) Disable. - 0 (default) Disable.
<a href="" id="configuration-disablecputhrottleonidlescans"></a>**Configuration/DisableCpuThrottleOnIdleScans**<br> <a href="" id="configuration-disablecputhrottleonidlescans"></a>**Configuration/DisableCpuThrottleOnIdleScans**<br>
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur. Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.
The data type is integer. The data type is integer.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Valid values are: Valid values are:
- 1 (default) Enable. - 1 (default) Enable.
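Review bot: the DisableCpuThrottleOnIdleScans description contradicts its own name: "Indicates whether the CPU will be throttled ... This feature is enabled by default and won't throttle the CPU", paired with "1 (default) Enable". Reword so it is unambiguous that 1 means throttling is disabled for scheduled scans run while the device is idle, and 0 restores normal ScanAvgCPULoadFactor throttling for those scans.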
@ -664,7 +676,7 @@ Allow managed devices to update through metered connections. Data charges may ap
The data type is integer. The data type is integer.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Valid values are: Valid values are:
- 1 Enable. - 1 Enable.
@ -675,7 +687,7 @@ This settings controls whether Network Protection is allowed to be configured in
The data type is integer. The data type is integer.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Valid values are: Valid values are:
- 1 Enable. - 1 Enable.
@ -686,7 +698,7 @@ Allows an administrator to explicitly disable network packet inspection made by
The data type is string. The data type is string.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
<a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation** <a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature. Enables or disables file hash computation feature.
@ -694,7 +706,7 @@ When this feature is enabled, Windows Defender will compute hashes for files it
The data type is integer. The data type is integer.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Valid values are: Valid values are:
- 1 Enable. - 1 Enable.
@ -705,7 +717,7 @@ The support log location setting allows the administrator to specify where the M
Data type is string. Data type is string.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Intune Support log location setting UX supports three states: Intune Support log location setting UX supports three states:
@ -713,7 +725,7 @@ Intune Support log location setting UX supports three states:
- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. - 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
- 0 - Disabled. Turns off the Support log location feature. - 0 - Disabled. Turns off the Support log location feature.
When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
More details: More details:
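Review bot: "To change the state to either enabled or disabled would require to be set explicitly" is missing its subject; suggest "the value must be set explicitly". The first sentence is also hard to parse even after the fix: "When enabled or disabled exists on the client and admin moves the setting to not configured" reads better as "If the setting is already Enabled or Disabled on the client and the admin changes it to Not configured, the device state doesn't change."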
@ -737,7 +749,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer. The data type is integer.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Valid values are: Valid values are:
- 0: Not configured (Default) - 0: Not configured (Default)
@ -770,7 +782,7 @@ If you disable or don't configure this policy, the device will stay up to date a
The data type is integer. The data type is integer.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Valid values are: Valid values are:
- 0: Not configured (Default) - 0: Not configured (Default)
@ -795,7 +807,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual
If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
The data type is integer. The data type is integer.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Valid Values are: Valid Values are:
- 0: Not configured (Default) - 0: Not configured (Default)
@ -818,7 +830,7 @@ If you disable or don't configure this policy, the device will remain in Current
The data type is integer. The data type is integer.
Supported operations are Add, Delete, Get, Replace. Supported operations are Add, Delete, Get, and Replace.
Valid values are: Valid values are:
- 1 Enabled. - 1 Enabled.
@ -13,6 +13,15 @@ ms.date: 03/27/2020
# DevDetail CSP # DevDetail CSP
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically. The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically.
> [!NOTE] > [!NOTE]
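Review bot: the new applicability table is dropped directly under the "# DevDetail CSP" heading with no introductory sentence, while the TPMPolicy and UEFI pages in this same commit introduce the identical table with "The table below shows the applicability of Windows:". Use the same lead-in here so the four CSP pages read the same way.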

Binary file not shown (before: 14 KiB, after: 20 KiB).
@ -8360,6 +8360,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd> <dd>
<a href="./policy-csp-search.md#search-disableremovabledriveindexing" id="search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a> <a href="./policy-csp-search.md#search-disableremovabledriveindexing" id="search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
</dd> </dd>
<dd>
<a href="./policy-csp-search.md#search-disablesearch" id="search-disablesearch">Search/DisableSearch</a>
</dd>
<dd> <dd>
<a href="./policy-csp-search.md#search-donotusewebresults" id="search-donotusewebresults">Search/DoNotUseWebResults</a> <a href="./policy-csp-search.md#search-donotusewebresults" id="search-donotusewebresults">Search/DoNotUseWebResults</a>
</dd> </dd>
@ -28,15 +28,129 @@ manager: dansimp
## FileExplorer policies ## FileExplorer policies
<dl> <dl>
<dd>
<a href="#fileexplorer-allowoptiontoshownetwork">FileExplorer/AllowOptionToShowNetwork</a>
</dd>
<dd>
<a href="#fileexplorer-allowoptiontoshowthispc">FileExplorer/AllowOptionToShowThisPC</a>
</dd>
<dd> <dd>
<a href="#fileexplorer-turnoffdataexecutionpreventionforexplorer">FileExplorer/TurnOffDataExecutionPreventionForExplorer</a> <a href="#fileexplorer-turnoffdataexecutionpreventionforexplorer">FileExplorer/TurnOffDataExecutionPreventionForExplorer</a>
</dd> </dd>
<dd> <dd>
<a href="#fileexplorer-turnoffheapterminationoncorruption">FileExplorer/TurnOffHeapTerminationOnCorruption</a> <a href="#fileexplorer-turnoffheapterminationoncorruption">FileExplorer/TurnOffHeapTerminationOnCorruption</a>
</dd> </dd>
<dd>
<a href="#fileexplorer-setallowedfolderlocations">FileExplorer/SetAllowedFolderLocations</a>
</dd>
<dd>
<a href="#fileexplorer-setallowedstoragelocations">FileExplorer/SetAllowedStorageLocations</a>
</dd>
</dl> </dl>
<hr/>
<!--Policy-->
<a href="" id="fileexplorer-allowoptiontoshownetwork"></a>**FileExplorer/AllowOptionToShowNetwork**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the user with an option to show the network folder when restricted.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disabled
- 1 (default) - Enabled
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow the user the option to show Network folder when restricted*
- GP name: *AllowOptionToShowNetwork*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="fileexplorer-allowoptiontoshowthispc"></a>**FileExplorer/AllowOptionToShowThisPC**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the user with an option to show this PC location when restricted.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disabled
- 1 (default) - Enabled
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow the user the option to show Network folder when restricted*
- GP name: *AllowOptionToShowThisPC*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/> <hr/>
<!--Policy--> <!--Policy-->
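Review bot: the ADMX info for FileExplorer/AllowOptionToShowThisPC reuses the Network policy's friendly name ("GP Friendly name: *Allow the user the option to show Network folder when restricted*") next to "GP name: *AllowOptionToShowThisPC*"; the friendly name should refer to This PC, otherwise an admin searching the Group Policy editor for it will land on the wrong setting. Two smaller points: both descriptions "This policy allows the user with an option to show ..." should read "This policy gives the user an option to show ..."; and the new `<dd>` entries for SetAllowedFolderLocations and SetAllowedStorageLocations are appended after the TurnOff* entries, breaking the alphabetical order the list otherwise follows. Also, AllowOptionToShowNetwork is scoped to Device while AllowOptionToShowThisPC is scoped to User; please confirm that difference is intended rather than a copy-paste slip.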
@ -109,6 +223,8 @@ ADMX Info:
<!--Description--> <!--Description-->
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
<!--/Description-->
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP Friendly name: *Turn off heap termination on corruption* - GP Friendly name: *Turn off heap termination on corruption*
@ -120,5 +236,114 @@ ADMX Info:
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
<!--Policy-->
<a href="" id="fileexplorer-setallowedfolderlocations"></a>**FileExplorer/SetAllowedFolderLocations**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy configures the folders that the user can enumerate and access in the File Explorer.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: All folders
- 15:Desktop, Documents, Pictures, and Downloads
- 31:Desktop, Documents, Pictures, Downloads, and Network
- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads
- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
- GP name: *SetAllowedFolderLocations*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="fileexplorer-setallowedstoragelocations"></a>**FileExplorer/SetAllowedStorageLocations**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy configures the folders that the user can enumerate and access in the File Explorer.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: all storage locations
- 1: Removable Drives
- 2: Sync roots
- 3: Removable Drives, Sync roots, local drive
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
- GP name: *SetAllowedStorageLocations*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies--> <!--/Policies-->
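Review bot: the SetAllowedStorageLocations description and GP Friendly name are copied verbatim from SetAllowedFolderLocations ("This policy configures the folders that the user can enumerate and access in the File Explorer" / "Configure which folders the user can enumerate and access to in File Explorer"), so the two policies are indistinguishable to the reader; the storage-locations text should describe drives and sync roots rather than folders. The supported-values lists also need cleanup: "15:Desktop", "31:Desktop" and so on are missing the space after the colon that "0: All folders" uses; "0: all storage locations" is lowercase while its siblings are capitalized; and value 3 ("Removable Drives, Sync roots, local drive") includes "local drive" although no single value for it is listed, so please confirm whether these values are a bitmask and what "local drive" corresponds to. Finally, since both descriptions say "in the File Explorer", state explicitly whether the policy only hides locations in the Explorer UI or also restricts access from other paths; an admin reading "enumerate and access" may mistake it for an access control.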
@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - Search # Policy CSP - Search
<hr/> <hr/>
<!--Policies--> <!--Policies-->
@ -57,6 +56,9 @@ manager: dansimp
<dd> <dd>
<a href="#search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a> <a href="#search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
</dd> </dd>
<dd>
<a href="#search-disablesearch">Search/DisableSearch</a>
</dd>
<dd> <dd>
<a href="#search-donotusewebresults">Search/DoNotUseWebResults</a> <a href="#search-donotusewebresults">Search/DoNotUseWebResults</a>
</dd> </dd>
@ -629,6 +631,57 @@ The following list shows the supported values:
<hr/> <hr/>
<!--Policy-->
<a href="" id="search-disablesearch"></a>**Search/DisableSearch**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures.
It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Fully disable Search UI*
- GP name: *DisableSearch*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Do not disable search.
- 1 Disable search.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="search-donotusewebresults"></a>**Search/DoNotUseWebResults** <a href="" id="search-donotusewebresults"></a>**Search/DoNotUseWebResults**
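Review bot: the supported-values list for Search/DisableSearch ("- 0 (default) Do not disable search." / "- 1 Disable search.") uses a different format from the other policies added in this commit ("- 0 - Disabled" / "- 1 (default) - Enabled"), and here the `<!--ADMXMapped-->` block comes before `<!--SupportedValues-->` whereas the FileExplorer policies put the ADMX info last; align the section order and the value format. Since the table shows "No" in the Windows 10 column for every edition, consider saying in the description that the policy applies to Windows 11 only, so readers don't have to infer it from the table.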
@ -761,7 +814,7 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index.. If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
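Review bot: this hunk expands "they're" to "they are" and "won't" to "will not", which runs opposite to the rest of the commit (the FileExplorer and Update hunks keep "isn't" and "don't"); the removal of the double period at the end of the sentence is the right fix, but keep the contractions for consistency with the surrounding text.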
@ -411,7 +411,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and
Supported operations are Get and Replace. Supported operations are Get and Replace.
If the policy isn't configured, end-users get the default behavior (Auto install and restart). If the policy isn't configured, end-users get the default behavior (Auto download and install).
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -426,13 +426,13 @@ ADMX Info:
<!--SupportedValues--> <!--SupportedValues-->
The following list shows the supported values: The following list shows the supported values:
- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. - 0: Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). - 1: Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). - 2: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. - 3: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. - 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page.
- 5 - Turn off automatic updates. - 5: Turn off automatic updates.
- 6 (default): Updates automatically download and install at an optimal time determined by the device. Restart occurs outside of active hours until the deadline is reached, if configured.
> [!IMPORTANT] > [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you won't get security updates as well. > This option should be used only for systems under regulatory compliance, as you won't get security updates as well.
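Review bot: the `> [!IMPORTANT]` callout ("This option should be used only for systems under regulatory compliance, as you won't get security updates as well") refers to value 5, "Turn off automatic updates", but the new "6 (default)" entry is inserted between them, so the warning now reads as if it applied to the new default. Move the value 6 entry above value 5, or move the callout directly under value 5. While there, tidy the sentence to "because the device won't receive security updates either". The new default of 6 matches the "(Auto download and install)" wording in the description hunk above; please double-check that value 2 no longer carrying "(default)" is intended on every supported version and not only on the newest one.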
@ -13,6 +13,14 @@ ms.date: 09/12/2019
# SUPL CSP # SUPL CSP
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The SUPL configuration service provider is used to configure the location client, as shown in the following table: The SUPL configuration service provider is used to configure the location client, as shown in the following table:
- **Location Service**: Connection type - **Location Service**: Connection type
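Review bot: the applicability table is inserted directly under "# SUPL CSP" without the "The table below shows the applicability of Windows:" lead-in that the TPMPolicy and UEFI pages in this commit use; add it here for consistency, and leave a blank line between the table and the "The SUPL configuration service provider is used to configure..." paragraph so the table renders as its own block.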
@ -93,7 +101,7 @@ Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z
<a href="" id="mccmncpairs"></a>**MCCMNCPairs** <a href="" id="mccmncpairs"></a>**MCCMNCPairs**
Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL. Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL.
This value is a string with the format "(X1, Y1)(X2, Y2)…(Xn, Yn)", in which `X` is an MCC and `Y` is an MNC. This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC.
For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
@ -109,7 +117,6 @@ Optional. Specifies the positioning method that the SUPL client will use for mob
|4|OTDOA| |4|OTDOA|
|5|AFLT| |5|AFLT|
 
The default is 0. The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operators network or location services. The default is 0. The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operators network or location services.
@ -117,7 +124,6 @@ The default is 0. The default method in Windows devices provides high-quality as
> The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes. > The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes.
   
For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
<a href="" id="locmasterswitchdependencynii"></a>**LocMasterSwitchDependencyNII** <a href="" id="locmasterswitchdependencynii"></a>**LocMasterSwitchDependencyNII**
@ -132,7 +138,6 @@ This value manages the settings for both SUPL and v2 UPL. If a device is configu
|Off|0|Yes| |Off|0|Yes|
|Off|1|No (unless privacyOverride is set)| |Off|1|No (unless privacyOverride is set)|
When the location toggle is set to Off and this value is set to 1, the following application requests will fail: When the location toggle is set to Off and this value is set to 1, the following application requests will fail:
- `noNotificationNoVerification` - `noNotificationNoVerification`
@ -237,7 +242,6 @@ The default is 0. The default method provides high-quality assisted GNSS positio
> The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. > The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes.
   
For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
<a href="" id="locmasterswitchdependencynii"></a>**LocMasterSwitchDependencyNII** <a href="" id="locmasterswitchdependencynii"></a>**LocMasterSwitchDependencyNII**
@ -304,7 +308,6 @@ If a mobile operator requires the communication with the H-SLP to take place ove
## OMA Client Provisioning examples ## OMA Client Provisioning examples
Adding new configuration information for an H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. Adding new configuration information for an H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
```xml ```xml
@ -329,7 +332,7 @@ Adding new configuration information for an H-SLP server for SUPL. Values in ita
</wap-provisioningdoc> </wap-provisioningdoc>
``` ```
Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary BLOB must be included for the root certificate data value.
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
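Review bot: "blob" is changed to "BLOB" in "A valid binary BLOB must be included for the root certificate data value", but the identical sentence in the OMA Client Provisioning example above and in the OMA DM example below keeps "blob"; pick one spelling for all three occurrences.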
@ -360,7 +363,6 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be
## OMA DM examples ## OMA DM examples
Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value.
```xml ```xml
@ -435,7 +437,6 @@ Adding a SUPL account to a device. Values in italic must be replaced with correc
## Microsoft Custom Elements ## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
|Elements|Available| |Elements|Available|
@ -13,7 +13,7 @@ ms.date: 07/28/2017
# SurfaceHub CSP # SurfaceHub CSP
The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511, and later.
The following example shows the SurfaceHub CSP management objects in tree format. The following example shows the SurfaceHub CSP management objects in tree format.
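Review bot: "This CSP was added in Windows 10, version 1511, and later." is self-contradictory, since a CSP is added in one version and then available from that version on. Either keep the original "This CSP was added in Windows 10, version 1511." or write "This CSP is available in Windows 10, version 1511 and later."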
@ -239,7 +239,7 @@ If there's an error calling ValidateAndCommit, there's another context for that
| 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. | | 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. | | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
| 5 | Saving account information | Unable to save account details to the system. | | 5 | Saving account information | Unable to save account details to the system. |
| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. | | 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. |
It performs the following: It performs the following:
- The data type is integer. - The data type is integer.
@ -320,7 +320,7 @@ Invitations to collaborate from the Whiteboard app aren't allowed.
<a href="" id="inboxapps-whiteboard-signindisabled"></a>**InBoxApps/Whiteboard/SigninDisabled** <a href="" id="inboxapps-whiteboard-signindisabled"></a>**InBoxApps/Whiteboard/SigninDisabled**
Sign-in from the Whiteboard app aren't allowed. Sign-ins from the Whiteboard app aren't allowed.
- The data type is boolean. - The data type is boolean.
- Supported operation is Get and Replace. - Supported operation is Get and Replace.
@ -13,10 +13,19 @@ manager: dansimp
# TPMPolicy CSP # TPMPolicy CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
The TPMPolicy CSP was added in Windows 10, version 1703. The TPMPolicy CSP was added in Windows 10, version 1703, and later.
The following example shows the TPMPolicy configuration service provider in tree format. The following example shows the TPMPolicy configuration service provider in tree format.
``` ```
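Review bot: "The TPMPolicy CSP was added in Windows 10, version 1703, and later." reads as though the CSP was added in several releases; a CSP is added once and is then available in everything after it. Either keep the original sentence ("was added in Windows 10, version 1703") or write "The TPMPolicy CSP is available in Windows 10, version 1703 and later." The UEFI CSP change in this same commit uses the same "added in ..., and later" wording, so fix both the same way.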


@ -13,8 +13,17 @@ manager: dansimp
# UEFI CSP # UEFI CSP
The table below shows the applicability of Windows:
The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809. |Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809c, and later.
> [!NOTE] > [!NOTE]
> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
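Review bot: "version 1809c" is a typo for "version 1809", and the note immediately below still says "version 1809", so as written the two disagree. As with TPMPolicy, "was added in Windows 10, version 1809c, and later" should be "was added in Windows 10, version 1809" or "is available in Windows 10, version 1809 and later."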
@ -51,7 +60,7 @@ Uefi
``` ```
The following list describes the characteristics and parameters. The following list describes the characteristics and parameters.
<a href="" id="uefi"></a>**./Vendor/MSFT/Uefi** <a href="" id="uefi"></a>**./Vendor/MSFT/UEFI**
Root node. Root node.
<a href="" id="deviceidentifier"></a>**DeviceIdentifier** <a href="" id="deviceidentifier"></a>**DeviceIdentifier**
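Review bot: changing the root node from `./Vendor/MSFT/Uefi` to `./Vendor/MSFT/UEFI` needs to be checked against the real CSP before merging, because the tree diagram this hunk sits under still shows `Uefi` (see the `Uefi` context in the hunk header). Whichever casing is correct, the tree and the node description must agree: admins copy these OMA-URIs into management tools, and tools that treat the path as case sensitive will turn a casing mismatch into a policy that silently does nothing rather than an obvious error.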
@ -80,7 +89,7 @@ Retrieves the binary result package of the previous Identity/Apply operation.
Supported operation is Get. Supported operation is Get.
<a href="" id="permissions"></a>**Permissions** <a href="" id="permissions"></a>**Permissions**
Node for settings permission operations.. Node for settings permission operations.
<a href="" id="permissions-current"></a>**Permissions/Current** <a href="" id="permissions-current"></a>**Permissions/Current**
Retrieves XML from UEFI that describes the current UEFI settings permissions. Retrieves XML from UEFI that describes the current UEFI settings permissions.


@ -13,6 +13,15 @@ ms.date: 06/26/2017
# UnifiedWriteFilter CSP # UnifiedWriteFilter CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type. The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
@ -314,7 +323,6 @@ Supported operations are Get and Execute.
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)


@ -13,6 +13,16 @@ ms.date: 02/23/2018
# Update CSP # Update CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
> [!NOTE] > [!NOTE]
@ -61,7 +71,7 @@ The following example shows the Update configuration service provider in tree fo
> [!NOTE] > [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
<p>The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this presentation is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It&#39;s possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update. <p>The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
<p>The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. <p>The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
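Review bot: "product-specific updates for security-related vulnerability" in the unchanged paragraph should be "vulnerabilities" (plural); since the hunk already rewrites the EULA paragraph just above it, fix this one in the same pass. The EULA rewrite itself is fine ("Failure to do this" is clearer than "Failure to do this presentation").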


@ -13,6 +13,15 @@ ms.date: 09/21/2021
# VPNv2 CSP # VPNv2 CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device. The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.
@ -549,7 +558,7 @@ An optional flag to enable Always On mode. This flag will automatically connect
Preserving user Always On preference Preserving user Always On preference
Windows has a feature to preserve a users AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. Windows has a feature to preserve a users AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference. Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference.
Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config` Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`
Value: AutoTriggerDisabledProfilesList Value: AutoTriggerDisabledProfilesList
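Review bot: "a users AlwaysOn preference" is missing the apostrophe ("a user's AlwaysOn preference") on both sides of this hunk; since the hunk touches the sentence anyway, fix it here. The next sentence is also easier to read with the purpose first: "To preserve the user's preference, Windows won't check the box if the profile name exists in the registry value below."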
@ -695,7 +704,7 @@ Supported operations include Get, Add, Replace, and Delete.
Reserved for future use. Reserved for future use.
<a href="" id="vpnv2-profilename-nativeprofile"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile** <a href="" id="vpnv2-profilename-nativeprofile"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile**
Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP). Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP).
<a href="" id="vpnv2-profilename-nativeprofile-servers"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile/Servers** <a href="" id="vpnv2-profilename-nativeprofile-servers"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile/Servers**
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.
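Review bot: "Examples, 208.147.66.130 or vpn.contoso.com." should read "For example, 208.147.66.130 or vpn.contoso.com." The list change in the line above (adding "and" before L2TP) is fine.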


@ -13,6 +13,15 @@ ms.date: 06/26/2017
# w4 APPLICATION CSP # w4 APPLICATION CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS). Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
@ -46,7 +55,7 @@ This parameter takes a string value. The possible values to configure the NAME p
- no value specified - no value specified
> [!NOTE] > [!NOTE]
> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc. > The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. Hence, after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc.
If no value is specified, the registry location will default to `<unnamed>`. If no value is specified, the registry location will default to `<unnamed>`.


@ -13,11 +13,20 @@ ms.date: 06/26/2017
# w7 APPLICATION CSP # w7 APPLICATION CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it's managed over OMA Client Provisioning. The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it's managed over OMA Client Provisioning.
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. > [!Note]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
The following shows the configuration service provider in tree format as used by OMA Client Provisioning. The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
@ -50,11 +59,10 @@ APPLICATION
---SSLCLIENTCERTSEARCHCRITERIA ---SSLCLIENTCERTSEARCHCRITERIA
``` ```
> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. > [!Note]
> All parameter names and characteristic types are case sensitive and must use all uppercase.
Both APPSRV and CLIENT credentials must be provided in provisioning XML. Both APPSRV and CLIENT credentials must be provided in provisioning XML.
 
<a href="" id="appaddr"></a>**APPADDR** <a href="" id="appaddr"></a>**APPADDR**
This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address. This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address.
@ -98,9 +106,9 @@ Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to get o
Valid values: Valid values:
- BASIC - specifies that the SyncML DM 'syncml:auth-basic' authentication type. - BASIC - specifies that the SyncML DM `syncml:auth-basic` authentication type.
- DIGEST - specifies that the SyncML DM 'syncml:auth-md5' authentication type. - DIGEST - specifies that the SyncML DM `syncml:auth-md5` authentication type.
- When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST. - When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST.
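Review bot: "BASIC - specifies that the SyncML DM `syncml:auth-basic` authentication type." and the matching DIGEST line are not complete sentences; the hunk only changes the quoting, but while here drop "that": "BASIC - specifies the SyncML DM `syncml:auth-basic` authentication type." It would also help to say why the last bullet requires DIGEST when AAUTHLEVEL is CLIENT: `syncml:auth-basic` sends the credential base64-encoded, so the constraint is a security requirement rather than an arbitrary one.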
@ -110,9 +118,8 @@ Required. The APPID parameter is used in the APPLICATION characteristic to diffe
<a href="" id="backcompatretrydisabled"></a>**BACKCOMPATRETRYDISABLED** <a href="" id="backcompatretrydisabled"></a>**BACKCOMPATRETRYDISABLED**
Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time). Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time).
> **Note**   This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. > [!Note]
> This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled.
 
<a href="" id="connretryfreq"></a>**CONNRETRYFREQ** <a href="" id="connretryfreq"></a>**CONNRETRYFREQ**
Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter. Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter.
@ -129,11 +136,10 @@ The valid values are:
<a href="" id="init"></a>**INIT** <a href="" id="init"></a>**INIT**
Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present. Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present.
> **Note**   This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario. > [!Note]
> This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario.
This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready. This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready.
   
<a href="" id="initialbackofftime"></a>**INITIALBACKOFFTIME** <a href="" id="initialbackofftime"></a>**INITIALBACKOFFTIME**
Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter. Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter.
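Review bot: "This node is only for mobile operators and MDM servers that try to use this will fail." is ambiguous; it reads as if mobile operators and MDM servers are one group that will fail. Split it: "This node is only for mobile operators. MDM servers that try to use it will fail." The conversion to the `[!Note]` block is otherwise fine.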
@ -179,9 +185,8 @@ The supported names are Subject and Stores; wildcard certificate search isn't su
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive. Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
> **Note**   %EF%80%80 is the UTF8-encoded character U+F000. > [!Note]
> `%EF%80%80` is the UTF8-encoded character U+F000.
 
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax: Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax:
@ -192,15 +197,4 @@ Subject specifies the certificate to search for. For example, to specify that yo
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -8,7 +8,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: dansimp author: dansimp
ms.date: 02/07/2022 ms.date: 05/09/2022
--- ---
# WindowsAutopilot CSP # WindowsAutopilot CSP


@ -1,29 +1,32 @@
--- ---
title: Use Quick Assist to help users title: Use Quick Assist to help users
description: How IT Pros can use Quick Assist to help users description: How IT Pros can use Quick Assist to help users.
ms.prod: w10 ms.prod: w10
ms.topic: article ms.topic: article
author: aczechowski author: aczechowski
ms.technology: windows
ms.localizationpriority: medium ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz ms.author: aaroncz
manager: dougeby manager: dougeby
ms.reviewer: pmadrigal
ms.collection: highpri ms.collection: highpri
--- ---
# Use Quick Assist to help users # Use Quick Assist to help users
Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a users device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
## Before you begin ## Before you begin
All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesnt have to authenticate. All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate.
> [!NOTE] > [!NOTE]
> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. > In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session.
### Authentication ### Authentication
The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time. The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported.
### Network considerations ### Network considerations
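Review bot: `author: aczechowski` now appears twice in the new front matter: the existing line after `ms.topic` and the added one between `ms.localizationpriority` and `ms.author`. The hunk header's +3 count (ms.technology, author, ms.reviewer) confirms the second one is an addition. Duplicate keys in YAML front matter are rejected or silently overwritten depending on the parser, so drop the added line. In the body, "No particular roles, permissions, or policies are involved" next to "The sharer doesn't have to authenticate" would benefit from a pointer to the fact stated later on this page, that the helper has the same permissions as the sharer once full control is granted; the security code and the sharer's Allow prompt are the only controls on that access.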
@ -31,18 +34,21 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis
Both the helper and sharer must be able to reach these endpoints over port 443: Both the helper and sharer must be able to reach these endpoints over port 443:
| Domain/Name | Description | | Domain/Name | Description |
|-----------------------------------|-------------------------------------------------------| |--|--|
| \*.support.services.microsoft.com | Primary endpoint used for Quick Assist application | | `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
| \*.resources.lync.com | Required for the Skype framework used by Quick Assist | | `*.login.microsoftonline.com` | Required for logging in to the application (MSA) |
| \*.infra.lync.com | Required for the Skype framework used by Quick Assist | | `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
| \*.latest-swx.cdn.skype.com | Required for the Skype framework used by Quick Assist | | `*.aria.microsoft.com` | Used for accessibility features within the app |
| \*.login.microsoftonline.com | Required for logging in to the application (MSA) | | `*.api.support.microsoft.com` | API access for Quick Assist |
| \*.channelwebsdks.azureedge.net | Used for chat services within Quick Assist | | `*.vortex.data.microsoft.com` | Used for diagnostic data |
| \*.aria.microsoft.com | Used for accessibility features within the app | | `*.channelservices.microsoft.com` | Required for chat services within Quick Assist |
| \*.api.support.microsoft.com | API access for Quick Assist | | `*.skype.com` | Skype requests may vary based on geography. If connection issues persist, test this endpoint. |
| \*.vortex.data.microsoft.com | Used for diagnostic data | | `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. |
| \*.channelservices.microsoft.com | Required for chat services within Quick Assist | | `*.turn.azure.com` | Protocol used to help endpoint. |
| `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
## How it works ## How it works
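Review bot: the description for `*.turn.azure.com`, "Protocol used to help endpoint.", does not tell a firewall admin what they are allowing; TURN is a relay used for NAT traversal, so something like "TURN relay used by Azure Communication Services for the session connection" is what the row should say. The new `*.skype.com` and `*.remoteassistanceprodacs.communication.azure.com` rows are also much broader wildcards than the `*.resources.lync.com` / `*.infra.lync.com` names they replace; since the row itself says requests "may vary based on geography", it is worth stating that admins restricting egress should allow the narrowest names that work and use this entry only for troubleshooting.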
@ -72,9 +78,9 @@ Microsoft logs a small amount of session data to monitor the health of the Quick
- Features used inside the app such as view only, annotation, and session pause - Features used inside the app such as view only, annotation, and session pause
No logs are created on either the helpers or sharers device. Microsoft cannot access a session or view any actions or keystrokes that occur in the session. No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session.
The sharer sees only an abbreviated version of the helpers name (first name, last initial) and no other information about them. Microsoft does not store any data about either the sharer or the helper for longer than three days. The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days.
In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device.
@ -82,8 +88,7 @@ In some scenarios, the helper does require the sharer to respond to application
Either the support staff or a user can start a Quick Assist session. Either the support staff or a user can start a Quick Assist session.
1. Support staff ("helper") starts Quick Assist in any of a few ways:
1. Support staff (“helper”) starts Quick Assist in any of a few ways:
- Type *Quick Assist* in the search box and press ENTER. - Type *Quick Assist* in the search box and press ENTER.
- From the Start menu, select **Windows Accessories**, and then select **Quick Assist**. - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**.
@ -93,15 +98,15 @@ Either the support staff or a user can start a Quick Assist session.
3. Helper shares the security code with the user over the phone or with a messaging system. 3. Helper shares the security code with the user over the phone or with a messaging system.
4. Quick Assist opens on the sharers device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**. 4. Quick Assist opens on the sharer's device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**.
5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After choosing, the helper selects **Continue**. 5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After they choose an option, the helper selects **Continue**.
6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. 6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button.
## If Quick Assist is missing ## If Quick Assist is missing
If for some reason a user doesn't have Quick Assist on their system or it's not working properly, they might need to uninstall and reinstall it. If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it.
### Uninstall Quick Assist ### Uninstall Quick Assist
@ -121,4 +126,4 @@ If for some reason a user doesn't have Quick Assist on their system or it's not
## Next steps ## Next steps
If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://www.microsoft.com/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0&rtc=1#activetab=pivot:overviewtab). If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).


@ -40,7 +40,7 @@ The features described below are no longer being actively developed, and might b
| Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | | Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br>&nbsp;<br>The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user. <br>&nbsp;<br>The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. <br>&nbsp;<br>PSR was removed in Windows 11.| 1909 |
| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | | XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | | Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
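Review bot: the updated PSR row now contradicts itself: it still opens with "PSR will be removed in a future update" and then closes with "PSR was removed in Windows 11." Reword the first sentence so the row reads consistently, for example "PSR has been removed in Windows 11; it is no longer being developed on Windows 10", and consider whether the "1909" announcement column still needs a pointer to the release in which the removal landed.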

View File

@ -485,8 +485,8 @@ Any user accessing the system through Terminal Services has the Terminal Server
| Attribute | Value | | Attribute | Value |
| :--: | :--: | | :--: | :--: |
| Well-Known SID/RID | | | Well-Known SID/RID | S-1-5-90 |
|Object Class| | |Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege<br> [Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege<br>| |Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege<br> [Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege<br>|
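Review bot: the SID value filled in here needs checking against the section it belongs to. The hunk context names the Terminal Server User principal, whose well-known SID is S-1-5-13; S-1-5-90 is the Window Manager Group SID. If this table is for Terminal Server User, the value is wrong; if it is for Window Manager Group, the surrounding heading in the hunk context should make that clear. A wrong well-known SID in a reference page propagates into audit filters and ACL reviews, so please confirm before merging.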

View File

@ -26,6 +26,7 @@ ms.custom:
- Windows 11 - Windows 11
- Windows Server 2016 - Windows Server 2016
- Windows Server 2019 - Windows Server 2019
- Windows Server 2022
## Enable Windows Defender Credential Guard ## Enable Windows Defender Credential Guard
@ -204,9 +205,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.
- You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
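Review bot: the new Event ID 51 bullet quotes an event whose text ends in `TPM PCR mask: 0x0.` and then states that a TPM-backed system shows a mask "other than 0", so the example demonstrates the condition the reader is told not to expect. Either say explicitly that the quoted text comes from a system where the key is not sealed to a TPM, or quote an event with a non-zero mask. Minor style point: this bullet uses `→` for the Event Viewer path, while the other Event Viewer paths in this commit use bold segments separated by `>`; pick one convention.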

View File

@ -44,6 +44,9 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**. 5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**.
6. Click **OK** to return to **Active Directory Users and Computers**. 6. Click **OK** to return to **Active Directory Users and Computers**.
> [!NOTE]
> If your Active Directory forest has multiple domains, your ADConnect accounts need to be members of the **Enterprise Key Admins** group. This membership is needed to write the keys to other domain users.
### Section Review ### Section Review
> [!div class="checklist"] > [!div class="checklist"]
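Review bot: the added note refers to "your ADConnect accounts" while the steps above call the same principal "the service account used as an AD DS Connector account"; use the same name so readers know the note applies to the account they just added. Also "write the keys to other domain users" is ambiguous; "write keys for users in the forest's other domains" states the requirement more precisely.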
@ -63,4 +66,4 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) 6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) 7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

View File

@ -265,7 +265,7 @@ The account options on a user account includes an option -- **Smart card is requ
**SCRIL setting for a user on Active Directory Users and Computers.** **SCRIL setting for a user on Active Directory Users and Computers.**
When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because:
- the do not know their password. - they do not know their password.
- their password is 128 random bits of data and is likely to include non-typable characters. - their password is 128 random bits of data and is likely to include non-typable characters.
- the user is not asked to change their password - the user is not asked to change their password
- domain controllers do not allow passwords for interactive authentication - domain controllers do not allow passwords for interactive authentication
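Review bot: while fixing "the do not" in this list, the remaining items are still inconsistent: the first two end with a period and the last two do not. In the paragraph above, "Windows Server 2012 R2 or early domain functional level" should read "or earlier".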

View File

@ -12,7 +12,6 @@ manager: kaushika
audience: ITPro audience: ITPro
ms.collection: Windows Security Technologies\BitLocker ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 10/7/2019
ms.custom: bitlocker ms.custom: bitlocker
--- ---
@ -36,7 +35,11 @@ You can use the following steps on computers that have either x64 or x32 UEFI sy
1. Open an elevated Command Prompt window and run the following command: 1. Open an elevated Command Prompt window and run the following command:
```cmd ```cmd
manage-bde protectors get <Drive> manage-bde -protectors -get <Drive>
```
```cmd
manage-bde -protectors -get C:
``` ```
where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive. where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive.
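Review bot: the corrected `manage-bde -protectors -get <Drive>` syntax is right, but the new concrete example is placed immediately after the template block with no introducing sentence, so the "where \<*Drive*> is the drive letter" explanation now follows the concrete `C:` example instead of the placeholder it explains. Move the `manage-bde -protectors -get C:` block after that sentence and introduce it with "For example:".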
@ -86,4 +89,4 @@ For more information about DHCP and BitLocker Network Unlock, see [BitLocker: Ho
### Resolution ### Resolution
To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**. To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.

View File

@ -17,45 +17,10 @@ metadata:
ms.topic: faq ms.topic: faq
ms.date: 11/10/2021 ms.date: 11/10/2021
ms.technology: mde ms.technology: mde
title: Advanced security auditing FAQ title: Advanced security auditing FAQ
summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
- [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-)
- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-)
- [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-)
- [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-)
- [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-)
- [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-)
- [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-)
- [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-)
- [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-)
- [How do I ascertain the purpose for accessing a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-)
- [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-)
- [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-)
- [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-)
- [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-)
- [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-)
- [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-)
- [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-)
sections: sections:
- name: Ignored - name: Ignored
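Review bot: dropping the hand-maintained anchor list from `summary:` is an improvement, since at least one of the removed links (`#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-`) no longer matched its question text. Unrelated to the change but visible in the hunk: this file keeps `ms.technology: mde` while the other articles touched in this commit use `ms.technology: windows-sec`; please confirm that is intended.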

View File

@ -14,12 +14,18 @@ author: jsuther1974
ms.reviewer: jogeurte ms.reviewer: jogeurte
ms.author: dansimp ms.author: dansimp
manager: dansimp manager: dansimp
ms.date: 04/30/2022 ms.date: 05/09/2022
ms.technology: windows-sec ms.technology: windows-sec
--- ---
# Understanding Application Control events # Understanding Application Control events
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 and later (limited events)
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
- Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational** - Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
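Review bot: the new "Windows Server 2016 and later (limited events)" entry leaves the reader without a way to find out which events are missing on Server SKUs; link the parenthetical to the feature availability article (`feature-availability.md`, referenced elsewhere in this commit) or name the event IDs that are not emitted.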

View File

@ -15,7 +15,6 @@ ms.reviewer: isbrahm
ms.author: dansimp ms.author: dansimp
manager: dansimp manager: dansimp
ms.topic: conceptual ms.topic: conceptual
ms.date: 10/14/2020
ms.technology: windows-sec ms.technology: windows-sec
--- ---
@ -30,26 +29,26 @@ ms.technology: windows-sec
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
The Windows Defender Application Control (WDAC) policy Wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical. The Windows Defender Application Control (WDAC) policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the wizard and PowerShell cmdlets is identical.
## Downloading the application ## Downloading the application
The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit). The WDAC wizard can be downloaded from the official [WDAC Wizard installer website](https://webapp-wdac-wizard.azurewebsites.net) as an MSIX packaged application. The wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit).
**Supported Clients** **Supported Clients**
As the WDAC Wizard uses the cmdlets in the background, the Wizard is functional on clients only where the cmdlets are supported as outlined in [WDAC feature availability](feature-availability.md). Specifically, the tool will verify that the client meets one of the following requirements: As the WDAC wizard uses the cmdlets in the background, the wizard is functional on clients only where the cmdlets are supported as outlined in [WDAC feature availability](feature-availability.md). Specifically, the tool will verify that the client meets one of the following requirements:
- Windows builds 1909+ - Windows builds 1909+
- For pre-1909 builds, the Enterprise SKU of Windows is installed - For pre-1909 builds, the Enterprise SKU of Windows is installed
If neither requirement is satisfied, the Wizard will throw an error as the cmdlets are not available. If neither requirement is satisfied, the wizard will throw an error as the cmdlets are not available.
## In this section ## Resources to learn more
| Topic | Description | | Topic | Description |
| - | - | | - | - |
| [Creating a new base policy](wdac-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. | | [Creating a new base policy](wdac-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. |
| [Creating a new supplemental policy](wdac-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. | | [Creating a new supplemental policy](wdac-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. |
| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the Wizard's editing capabilities. | | [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the wizard's editing capabilities. |
| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. | | [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. |
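Review bot: replacing the `bit.ly` short link with the direct download host is the right call for a page that hands out an installer, since a shortener hides the destination from the reader. Two follow-ups: the lowercasing of "wizard" is not applied consistently ("WDAC Wizard installer website" and "WDAC Wizard Repo" keep the capital), and the sentence "The wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies" is broken in both old and new text; "to provide security architects and system administrators with a more user-friendly means to create, edit, and merge WDAC policies" reads correctly.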