Merge branch 'master' into 4872174-WindowsFileProtectionphase3-policy

2025-05-12 21:37:22 +00:00 · 2021-03-16 08:12:04 -07:00 · 2021-03-16 08:12:04 -07:00 · 932aa05d29
commit 932aa05d29
parent 4971293b00 6b02e3bd49
40 changed files with 1947 additions and 182 deletions
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@ -202,6 +202,7 @@
 #### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
 #### [ADMX_EventLog](policy-csp-admx-eventlog.md)
 #### [ADMX_Explorer](policy-csp-admx-explorer.md)
 #### [ADMX_FileRecovery](policy-csp-admx-filerecovery.md)
 #### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md)
 #### [ADMX_FileSys](policy-csp-admx-filesys.md)
 #### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md)
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@ -26,9 +26,39 @@ The following are the links to different versions of the DiagnosticLog CSP DDF f
 -   [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
-The following diagram shows the DiagnosticLog CSP in tree format.
+The following shows the DiagnosticLog CSP in tree format.
-![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png)
+```
-
+./Vendor/MSFT
 DiagnosticLog
 ----EtwLog
 --------Collectors
 ------------CollectorName
 ----------------TraceStatus
 ----------------TraceLogFileMode
 ----------------TraceControl
 ----------------LogFileSizeLimitMB
 ----------------Providers
 --------------------ProviderGuid
 ------------------------Keywords
 ------------------------TraceLevel
 ------------------------State
 --------Channels
 ------------ChannelName
 ----------------Export
 ----------------State
 ----------------Filter
 ----DeviceStateData
 --------MdmConfiguration
 ----FileDownload
 --------DMChannel
 ------------FileContext
 ----------------BlockSizeKB
 ----------------BlockCount
 ----------------BlockIndexToRead
 ----------------BlockData
 ----------------DataBlocks
 --------------------BlockNumber
 ```
 <a href="" id="--vendor-msft-diagnosticlog"></a>**./Vendor/MSFT/DiagnosticLog**  
 The root node for the DiagnosticLog CSP.
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@ -23,10 +23,46 @@ The DMAcc configuration service provider allows an OMA Device Management (DM) ve
 For the DMAcc CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
+The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
 ![dmacc csp (dm)](images/provisioning-csp-dmacc-dm.png)
 ```
 ./SyncML
 DMAcc
 ----*
 --------AppID
 --------ServerID
 --------Name
 --------PrefConRef
 --------AppAddr
 ------------*
 ----------------Addr
 ----------------AddrType
 ----------------Port
 --------------------*
 ------------------------PortNbr
 --------AAuthPref
 --------AppAuth
 ------------*
 ----------------AAuthLevel
 ----------------AAuthType
 ----------------AAuthName
 ----------------AAuthSecret
 ----------------AAuthData
 --------Ext
 ------------Microsoft
 ----------------Role
 ----------------ProtoVer
 ----------------DefaultEncoding
 ----------------UseHwDevID
 ----------------ConnRetryFreq
 ----------------InitialBackOffTime
 ----------------MaxBackOffTime
 ----------------BackCompatRetryDisabled
 ----------------UseNonceResync
 ----------------CRLCheck
 ----------------DisableOnRoaming
 ----------------SSLCLIENTCERTSEARCHCRITERIA
 ```
 <a href="" id="dmacc"></a>**DMAcc**  
 Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol.
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@ -17,11 +17,50 @@ ms.date: 11/01/2017
 The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment.
-The following diagram shows the DMClient CSP in tree format.
+The following shows the DMClient CSP in tree format.
-
+```
-![dmclient csp](images/provisioning-csp-dmclient-th2.png)
+./Vendor/MSFT
-
+DMClient
-
+----Provider
 --------
 ------------EntDeviceName
 ------------ExchangeID
 ------------EntDMID
 ------------SignedEntDMID
 ------------CertRenewTimeStamp
 ------------PublisherDeviceID
 ------------ManagementServiceAddress
 ------------UPN
 ------------HelpPhoneNumber
 ------------HelpWebsite
 ------------HelpEmailAddress
 ------------RequireMessageSigning
 ------------SyncApplicationVersion
 ------------MaxSyncApplicationVersion
 ------------Unenroll
 ------------AADResourceID
 ------------AADDeviceID
 ------------EnrollmentType
 ------------EnableOmaDmKeepAliveMessage
 ------------HWDevID
 ------------ManagementServerAddressList
 ------------CommercialID
 ------------Push
 ----------------PFN
 ----------------ChannelURI
 ----------------Status
 ------------Poll
 ----------------IntervalForFirstSetOfRetries
 ----------------NumberOfFirstRetries
 ----------------IntervalForSecondSetOfRetries
 ----------------NumberOfSecondRetries
 ----------------IntervalForRemainingScheduledRetries
 ----------------NumberOfRemainingScheduledRetries
 ----------------PollOnLogin
 ----------------AllUsersPollOnFirstLogin
 ----Unenroll
 ----UpdateManagementServiceAddress
 ```
 <a href="" id="msft"></a>**./Vendor/MSFT**  
 All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@ -1,6 +1,6 @@
 ---
 title: DMSessionActions CSP
-description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state.
+description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
@ -16,20 +16,57 @@ manager: dansimp
 The DMSessionActions configuration service provider (CSP) is used to manage:  
- the number of sessions the client skips if the device is in a low power state
+- the number of sessions the client skips if the device is in a low-power state
 - which CSP nodes should send an alert back to the server if there were any changes.
 This CSP was added in Windows 10, version 1703.
-The following diagram shows the DMSessionActions configuration service provider in tree format.
+The following shows the DMSessionActions configuration service provider in tree format.
 ```
 ./User/Vendor/MSFT
 DMSessionActions
 ----ProviderID
 --------CheckinAlertConfiguration
 ------------Nodes
 ----------------NodeID
 --------------------NodeURI
 --------AlertData
 --------PowerSettings
 ------------MaxSkippedSessionsInLowPowerState
 ------------MaxTimeSessionsSkippedInLowPowerState
 ![dmsessionactions csp](images/provisioning-csp-dmsessionactions.png)
 ./Device/Vendor/MSFT
 DMSessionActions
 ----ProviderID
 --------CheckinAlertConfiguration
 ------------Nodes
 ----------------NodeID
 --------------------NodeURI
 --------AlertData
 --------PowerSettings
 ------------MaxSkippedSessionsInLowPowerState
 ------------MaxTimeSessionsSkippedInLowPowerState
 ./User/Vendor/MSFT
 ./Device/Vendor/MSFT
 DMSessionActions
 ----ProviderID
 --------CheckinAlertConfiguration
 ------------Nodes
 ----------------NodeID
 --------------------NodeURI
 --------AlertData
 --------PowerSettings
 ------------MaxSkippedSessionsInLowPowerState
 ------------MaxTimeSessionsSkippedInLowPowerState
 ```
 <a href="" id="vendor-msft-dmsessionactions"></a>**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**  
 <p style="margin-left: 20px">Defines the root node for the DMSessionActions configuration service provider.</p>
 <a href="" id="providerid"></a>***ProviderID***  
-<p style="margin-left: 20px">Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache. </p>
+<p style="margin-left: 20px">Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache. </p>
 <p style="margin-left: 20px">Scope is dynamic. Supported operations are Get, Add, and Delete.</p>
@ -55,12 +92,12 @@ The following diagram shows the DMSessionActions configuration service provider
 <p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
 <a href="" id="powersettings"></a>**PowerSettings**  
-<p style="margin-left: 20px">Node for power related configrations</p>
+<p style="margin-left: 20px">Node for power-related configrations</p>
 <a href="" id="maxskippedsessionsinlowpowerstate"></a>**PowerSettings/MaxSkippedSessionsInLowPowerState**  
-<p style="margin-left: 20px">Maximum number of continuous skipped sync sessions when the device is in low power state.</p>
+<p style="margin-left: 20px">Maximum number of continuous skipped sync sessions when the device is in low-power state.</p>
 <p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
 <a href="" id="maxtimesessionsskippedinlowpowerstate"></a>**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**  
-<p style="margin-left: 20px">Maximum time in minutes when the device can skip the check-in with the server if the device is in low power state. </p>
+<p style="margin-left: 20px">Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state. </p>
 <p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@ -17,10 +17,21 @@ Windows 10 allows you to manage devices differently depending on location, netwo
 This CSP was added in Windows 10, version 1703.
-The following diagram shows the DynamicManagement configuration service provider in tree format.
+The following shows the DynamicManagement configuration service provider in tree format.
-
+```
-![dynamicmanagement csp](images/provisioning-csp-dynamicmanagement.png)
+./Device/Vendor/MSFT
-
+DynamicManagement
 ----NotificationsEnabled
 ----ActiveList
 ----Contexts
 --------ContextID
 ------------SignalDefinition
 ------------SettingsPack
 ------------SettingsPackResponse
 ------------ContextStatus
 ------------Altitude
 ----AlertsEnabled
 ```
 <a href="" id="dynamicmanagement"></a>**DynamicManagement**  
 <p style="margin-left: 20px">The root node for the DynamicManagement configuration service provider.</p>
@ -53,7 +64,7 @@ The following diagram shows the DynamicManagement configuration service provider
 <p style="margin-left: 20px">Supported operation is Get.</p>
 <a href="" id="contextid"></a>***ContextID***  
-<p style="margin-left: 20px">Node created by the server to define a context.  Maximum amount of characters allowed is 38.</p>
+<p style="margin-left: 20px">Node created by the server to define a context.  Maximum number of characters allowed is 38.</p>
 <p style="margin-left: 20px">Supported operations are Add, Get, and Delete.</p>
 <a href="" id="signaldefinition"></a>**SignalDefinition**  
@ -65,15 +76,15 @@ The following diagram shows the DynamicManagement configuration service provider
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
 <a href="" id="settingspackresponse"></a>**SettingsPackResponse**  
-<p style="margin-left: 20px">Response from applying a Settings Pack that contains information on each individual action..</p>
+<p style="margin-left: 20px">Response from applying a Settings Pack that contains information on each individual action.</p>
 <p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
 <a href="" id="contextstatus"></a>**ContextStatus**  
-<p style="margin-left: 20px">Reports status of the context.  If there was a failure, SettingsPackResponse should be checked for what exactly failed..</p>
+<p style="margin-left: 20px">Reports status of the context.  If there was a failure, SettingsPackResponse should be checked for what exactly failed.</p>
 <p style="margin-left: 20px">Value type is integer. Supported operation is Get.</p>
 <a href="" id="altitude"></a>**Altitude**  
-<p style="margin-left: 20px">A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities..</p>
+<p style="margin-left: 20px">A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.</p>
 <p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Delete, and Replace.</p>
 <a href="" id="alertsenabled"></a>**AlertsEnabled**  
@ -82,7 +93,7 @@ The following diagram shows the DynamicManagement configuration service provider
 ## Examples
-Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 meters radius of the specified latitude/longitude
+Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
 ```xml
    <Replace>
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@ -22,10 +22,44 @@ On the desktop, only per user configuration is supported.
-The following diagram shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
+The following shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
-
+```
-![email2 csp (dm,cp)](images/provisioning-csp-email2.png)
+./Vendor/MSFT
-
+EMAIL2
 ----Account GUID
 --------ACCOUNTICON
 --------ACCOUNTTYPE
 --------AUTHNAME
 --------AUTHREQUIRED
 --------AUTHSECRET
 --------DOMAIN
 --------DWNDAY
 --------INSERVER
 --------LINGER
 --------KEEPMAX
 --------NAME
 --------OUTSERVER
 --------REPLYADDR
 --------SERVICENAME
 --------SERVICETYPE
 --------RETRIEVE
 --------SERVERDELETEACTION
 --------CELLULARONLY
 --------SYNCINGCONTENTTYPES
 --------CONTACTSSERVER
 --------CALENDARSERVER
 --------CONTACTSSERVERREQUIRESSL
 --------CALENDARSERVERREQUIRESSL
 --------CONTACTSSYNCSCHEDULE
 --------CALENDARSYNCSCHEDULE
 --------SMTPALTAUTHNAME
 --------SMTPALTDOMAIN
 --------SMTPALTENABLED
 --------SMTPALTPASSWORD
 --------TAGPROPS
 ------------8128000B
 ------------812C000B
 ```
 In Windows 10 Mobile, after the user’s out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operator’s proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
 Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords.
--- a/windows/client-management/mdm/enrollmentstatustracking-csp.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md
@ -18,10 +18,72 @@ ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track t
 The EnrollmentStatusTracking CSP was added in Windows 10, version 1903.
-The following diagram shows the EnrollmentStatusTracking CSP in tree format.
+The following shows the EnrollmentStatusTracking CSP in tree format.
 ```
 ./User/Vendor/MSFT
 EnrollmentStatusTracking
 ----Setup
 --------Apps
 ------------PolicyProviders
 ----------------ProviderName
 --------------------TrackingPoliciesCreated
 ------------Tracking
 ----------------ProviderName
 --------------------AppName
 ------------------------TrackingUri
 ------------------------InstallationState
 ------------------------RebootRequired
 --------HasProvisioningCompleted
 ![tree diagram for enrollmentstatustracking csp](images/provisioning-csp-enrollmentstatustracking.png)
 ./Device/Vendor/MSFT
 EnrollmentStatusTracking
 ----DevicePreparation
 --------PolicyProviders
 ------------ProviderName
 ----------------InstallationState
 ----------------LastError
 ----------------Timeout
 ----------------TrackedResourceTypes
 --------------------Apps
 ----Setup
 --------Apps
 ------------PolicyProviders
 ----------------ProviderName
 --------------------TrackingPoliciesCreated
 ------------Tracking
 ----------------ProviderName
 --------------------AppName
 ------------------------TrackingUri
 ------------------------InstallationState
 ------------------------RebootRequired
 --------HasProvisioningCompleted
 ./User/Vendor/MSFT
 ./Device/Vendor/MSFT
 EnrollmentStatusTracking
 ----DevicePreparation
 --------PolicyProviders
 ------------ProviderName
 ----------------InstallationState
 ----------------LastError
 ----------------Timeout
 ----------------TrackedResourceTypes
 --------------------Apps
 ----Setup
 --------Apps
 ------------PolicyProviders
 ----------------ProviderName
 --------------------TrackingPoliciesCreated
 ------------Tracking
 ----------------ProviderName
 --------------------AppName
 ------------------------TrackingUri
 ------------------------InstallationState
 ------------------------RebootRequired
 --------HasProvisioningCompleted
 ```
 <a href="" id="vendor-msft"></a>**./Vendor/MSFT**  
 For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path.
--- a/windows/client-management/mdm/enterpriseapn-csp.md
+++ b/windows/client-management/mdm/enterpriseapn-csp.md
@ -19,10 +19,25 @@ The EnterpriseAPN configuration service provider (CSP) is used by the enterprise
 > [!Note]
 > Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
-The following image shows the EnterpriseAPN configuration service provider in tree format.
+The following shows the EnterpriseAPN configuration service provider in tree format.
-
+```
-![enterpriseapn csp](images/provisioning-csp-enterpriseapn-rs1.png)
+./Vendor/MSFT
-
+EnterpriseAPN
 ----ConnectionName
 --------APNName
 --------IPType
 --------IsAttachAPN
 --------ClassId
 --------AuthType
 --------UserName
 --------Password
 --------IccId
 --------AlwaysOn
 --------Enabled
 ----Settings
 --------AllowUserControl
 --------HideView
 ```
 <a href="" id="enterpriseapn"></a>**EnterpriseAPN**  
 <p style="margin-left: 20px">The root node for the EnterpriseAPN configuration service provider.</p>
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@ -15,10 +15,35 @@ manager: dansimp
 The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
-The following diagram shows the EnterpriseAppVManagement configuration service provider in tree format.
+The following shows the EnterpriseAppVManagement configuration service provider in tree format.
-
+```
-![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)
+./Vendor/MSFT
-
+EnterpriseAppVManagement
 ----AppVPackageManagement
 --------EnterpriseID
 ------------PackageFamilyName
 ----------------PackageFullName
 --------------------Name
 --------------------Version
 --------------------Publisher
 --------------------InstallLocation
 --------------------InstallDate
 --------------------Users
 --------------------AppVPackageId
 --------------------AppVVersionId
 --------------------AppVPackageUri
 ----AppVPublishing
 --------LastSync
 ------------LastError
 ------------LastErrorDescription
 ------------SyncStatusDescription
 ------------SyncProgress
 --------Sync
 ------------PublishXML
 ----AppVDynamicPolicy
 --------ConfigurationId
 ------------Policy
 ```
 **./Vendor/MSFT/EnterpriseAppVManagement**  
 <p style="margin-left: 20px">Root node for the EnterpriseAppVManagement configuration service provider.</p>
--- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md
+++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md
@ -22,10 +22,23 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra
 To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983).
-The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
+The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
-
+```
-![enterpriseassignedaccess csp](images/provisioning-csp-enterpriseassignedaccess.png)
+./Vendor/MSFT
-
+EnterpriseAssignedAccess
 ----AssignedAccess
 --------AssignedAccessXml
 ----LockScreenWallpaper
 --------BGFileName
 ----Theme
 --------ThemeBackground
 --------ThemeAccentColorID
 --------ThemeAccentColorValue
 ----Clock
 --------TimeZone
 ----Locale
 --------Language
 ```
 The following list shows the characteristics and parameters.
 <a href="" id="-vendor-msft-enterpriseassignedaccess-"></a>**./Vendor/MSFT/EnterpriseAssignedAccess/**
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@ -29,10 +29,22 @@ To learn more about WIP, see the following articles:
 -   [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
 -   [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
-The following diagram shows the EnterpriseDataProtection CSP in tree format.
+The following shows the EnterpriseDataProtection CSP in tree format.
-
+```
-![enterprisedataprotection csp diagram](images/provisioning-csp-enterprisedataprotection.png)
+./Device/Vendor/MSFT
-
+EnterpriseDataProtection
 ----Settings
 --------EDPEnforcementLevel
 --------EnterpriseProtectedDomainNames
 --------AllowUserDecryption
 --------RequireProtectionUnderLockConfig
 --------DataRecoveryCertificate
 --------RevokeOnUnenroll
 --------RMSTemplateIDForEDP
 --------AllowAzureRMSForEDP
 --------EDPShowIcons
 ----Status
 ```
 <a href="" id="--device-vendor-msft-enterprisedataprotection"></a>**./Device/Vendor/MSFT/EnterpriseDataProtection**  
 The root node for the CSP.
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@ -19,10 +19,24 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han
 Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
-The following diagram shows the EnterpriseDesktopAppManagement CSP in tree format.
+The following shows the EnterpriseDesktopAppManagement CSP in tree format.
-
+```
-![enterprisedesktopappmanagement csp](images/provisioning-csp-enterprisedesktopappmanagement.png)
+./Device/Vendor/MSFT
-
+EnterpriseDesktopAppManagement
 ----MSI
 --------ProductID
 ------------Version
 ------------Name
 ------------Publisher
 ------------InstallPath
 ------------InstallDate
 ------------DownloadInstall
 ------------Status
 ------------LastError
 ------------LastErrorDesc
 --------UpgradeCode
 ------------Guid
 ```
 <a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
 The root node for the EnterpriseDesktopAppManagement configuration service provider.
--- a/windows/client-management/mdm/enterpriseext-csp.md
+++ b/windows/client-management/mdm/enterpriseext-csp.md
@ -21,10 +21,23 @@ The EnterpriseExt configuration service provider allows OEMs to set their own un
-The following diagram shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
+The following shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
-
+```
-![enterpriseext csp](images/provisioning-csp-enterpriseext.png)
+./Vendor/MSFT
-
+EnterpriseExt
 ----DeviceCustomData
 --------CustomID
 --------CustomString
 ----Brightness
 --------Default
 --------MaxAuto
 ----LedAlertNotification
 --------State
 --------Intensity
 --------Period
 --------DutyCycle
 --------Cyclecount
 ```
 The following list shows the characteristics and parameters.
 <a href="" id="--vendor-msft-enterpriseext"></a>**./Vendor/MSFT/EnterpriseExt**  
--- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md
+++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md
@ -23,10 +23,20 @@ The EnterpriseExtFileSystem configuration service provider (CSP) allows IT admin
 File contents are embedded directly into the syncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 0x100000 (1 MB). You can configure this limit by using the following registry key: **Software\\Microsoft\\Provisioning\\CSPs\\.\\Vendor\\MSFT\\EnterpriseExtFileSystem\\MaxFileReadSize**.
-The following diagram shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
+The following shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
-
+```
-![enterpriseextfilesystem csp](images/provisioning-csp-enterpriseextfilesystem.png)
+./Vendor/MSFT
-
+EnterpriseExtFileSystem
 ----Persistent
 --------Files_abc1
 --------Directory_abc2
 ----NonPersistent
 --------Files_abc3
 --------Directory_abc4
 ----OemProfile
 --------Directory_abc5
 --------Files_abc6
 ```
 The following list describes the characteristics and parameters.
 <a href="" id="--vendor-msft-enterpriseextfilesystem"></a>**./Vendor/MSFT/EnterpriseExtFileSystem**  
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@ -19,10 +19,51 @@ The EnterpriseModernAppManagement configuration service provider (CSP) is used f
 > [!Note]
 > Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
-The following image shows the EnterpriseModernAppManagement configuration service provider in tree format.
+The following shows the EnterpriseModernAppManagement configuration service provider in tree format.
-
+```
-![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png)
+./Vendor/MSFT
-
+EnterpriseModernAppManagement
 ----AppManagement
 --------EnterpriseID
 ------------PackageFamilyName
 ----------------PackageFullName
 --------------------Name
 --------------------Version
 --------------------Publisher
 --------------------Architecture
 --------------------InstallLocation
 --------------------IsFramework
 --------------------IsBundle
 --------------------InstallDate
 --------------------ResourceID
 --------------------PackageStatus
 --------------------RequiresReinstall
 --------------------Users
 --------------------IsProvisioned
 ----------------DoNotUpdate
 ----------------AppSettingPolicy
 --------------------SettingValue
 --------UpdateScan
 --------LastScanError
 --------AppInventoryResults
 --------AppInventoryQuery
 ----AppInstallation
 --------PackageFamilyName
 ------------StoreInstall
 ------------HostedInstall
 ------------LastError
 ------------LastErrorDesc
 ------------Status
 ------------ProgressStatus
 ----AppLicenses
 --------StoreLicenses
 ------------LicenseID
 ----------------LicenseCategory
 ----------------LicenseUsage
 ----------------RequesterID
 ----------------AddLicense
 ----------------GetLicenseFromStore
 ```
 <a href="" id="device-or-user-context"></a>**Device or User context**  
 For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path.
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@ -16,10 +16,30 @@ manager: dansimp
 The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709.
-The following diagram shows the eUICCs configuration service provider in tree format.
+The following shows the eUICCs configuration service provider in tree format.
-
+```
-![euiccs csp](images/provisioning-csp-euiccs.png)
+./Device/Vendor/MSFT
-
+eUICCs
 ----eUICC
 --------Identifier
 --------IsActive
 --------PPR1Allowed
 --------PPR1AlreadySet
 --------Profiles
 ------------ICCID
 ----------------ServerName
 ----------------MatchingID
 ----------------State
 ----------------IsEnabled
 ----------------PPR1Set
 ----------------PPR2Set
 ----------------ErrorDetail
 --------Policies
 ------------LocalUIEnabled
 --------Actions
 ------------ResetToFactoryState
 ------------Status
 ```
 <a href="" id="--vendor-msft-euiccs"></a>**./Vendor/MSFT/eUICCs**  
 Root node. 
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@ -20,10 +20,88 @@ Firewall rules in the FirewallRules section must be wrapped in an Atomic block i
 For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/library/mt620101.aspx).
-The following diagram shows the Firewall configuration service provider in tree format. 
+The following shows the Firewall configuration service provider in tree format. 
-
+```
-![firewall csp](images/provisioning-csp-firewall.png)
+./Vendor/MSFT
-
+Firewall
 ----
 --------Global
 ------------PolicyVersionSupported
 ------------CurrentProfiles
 ------------DisableStatefulFtp
 ------------SaIdleTime
 ------------PresharedKeyEncoding
 ------------IPsecExempt
 ------------CRLcheck
 ------------PolicyVersion
 ------------BinaryVersionSupported
 ------------OpportunisticallyMatchAuthSetPerKM
 ------------EnablePacketQueue
 --------DomainProfile
 ------------EnableFirewall
 ------------DisableStealthMode
 ------------Shielded
 ------------DisableUnicastResponsesToMulticastBroadcast
 ------------DisableInboundNotifications
 ------------AuthAppsAllowUserPrefMerge
 ------------GlobalPortsAllowUserPrefMerge
 ------------AllowLocalPolicyMerge
 ------------AllowLocalIpsecPolicyMerge
 ------------DefaultOutboundAction
 ------------DefaultInboundAction
 ------------DisableStealthModeIpsecSecuredPacketExemption
 --------PrivateProfile
 ------------EnableFirewall
 ------------DisableStealthMode
 ------------Shielded
 ------------DisableUnicastResponsesToMulticastBroadcast
 ------------DisableInboundNotifications
 ------------AuthAppsAllowUserPrefMerge
 ------------GlobalPortsAllowUserPrefMerge
 ------------AllowLocalPolicyMerge
 ------------AllowLocalIpsecPolicyMerge
 ------------DefaultOutboundAction
 ------------DefaultInboundAction
 ------------DisableStealthModeIpsecSecuredPacketExemption
 --------PublicProfile
 ------------EnableFirewall
 ------------DisableStealthMode
 ------------Shielded
 ------------DisableUnicastResponsesToMulticastBroadcast
 ------------DisableInboundNotifications
 ------------AuthAppsAllowUserPrefMerge
 ------------GlobalPortsAllowUserPrefMerge
 ------------AllowLocalPolicyMerge
 ------------AllowLocalIpsecPolicyMerge
 ------------DefaultOutboundAction
 ------------DefaultInboundAction
 ------------DisableStealthModeIpsecSecuredPacketExemption
 --------FirewallRules
 ------------FirewallRuleName
 ----------------App
 --------------------PackageFamilyName
 --------------------FilePath
 --------------------Fqbn
 --------------------ServiceName
 ----------------Protocol
 ----------------LocalPortRanges
 ----------------RemotePortRanges
 ----------------LocalAddressRanges
 ----------------RemoteAddressRanges
 ----------------Description
 ----------------Enabled
 ----------------Profiles
 ----------------Action
 --------------------Type
 ----------------Direction
 ----------------InterfaceTypes
 ----------------EdgeTraversal
 ----------------LocalUserAuthorizationList
 ----------------FriendlyName
 ----------------IcmpTypesAndCodes
 ----------------Status
 ----------------Name
 ```
 <a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/Firewall**
 <p style="margin-left: 20px">Root node for the Firewall configuration service provider.</p>
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@ -37,7 +37,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 **DHA-Session (Device HealthAttestation session)**
 <p style="margin-left: 20px">The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.</p>
-<p style="margin-left: 20px">The following list of transactions are performed in one DHA-Session:</p>
+<p style="margin-left: 20px">The following list of transactions is performed in one DHA-Session:</p>
 <ul>
 <li>DHA-CSP and DHA-Service communication:
 <ul><li>DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service</li>
@ -75,7 +75,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 <strong>DHA-Enabled MDM (Device HealthAttestation enabled device management solution)</strong>
 <p style="margin-left: 20px">Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.</p>
 <p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.</p>
-<p style="margin-left: 20px">The following list of operations are performed by DHA-Enabled-MDM:</p>
+<p style="margin-left: 20px">The following list of operations is performed by DHA-Enabled-MDM</p>
 <ul>
 <li>Enables the DHA feature on a DHA-Enabled device</li>
 <li>Issues device health attestation requests to enrolled/managed devices</li>
@ -85,7 +85,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 <strong>DHA-CSP (Device HealthAttestation Configuration Service Provider)</strong>
 <p style="margin-left: 20px">The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.</p>
-<p style="margin-left: 20px">The following list of operations are performed by DHA-CSP:</p>
+<p style="margin-left: 20px">The following list of operations is performed by DHA-CSP:</p>
 <ul>
 <li>Collects device boot data (DHA-BootData) from a managed device</li>
 <li>Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)</li>
@ -97,7 +97,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 <p style="margin-left: 20px">Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.</p>
 <p style="margin-left: 20px">DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.</p>
-<p style="margin-left: 20px">The following list of operations are performed by DHA-Service:</p>
+<p style="margin-left: 20px">The following list of operations is performed by DHA-Service:</p>
 - Receives device boot data (DHA-BootData) from a DHA-Enabled device</li>
 - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) </li>
@ -126,7 +126,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 <li>Available in Windows for free</li>
 <li>Running on a high-availability and geo-balanced cloud infrastructure </li>
 <li>Supported by most DHA-Enabled device management solutions as the default device attestation service provider</li>
-<li>Accessible to all enterprise managed devices via following:
+<li>Accessible to all enterprise-managed devices via following:
 <ul>
 <li>FQDN = has.spserv.microsoft.com) port</li>
 <li>Port = 443</li>
@ -144,7 +144,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 <li>Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) </li>
 <li>Hosted on an enterprise owned and managed server device/hardware</li>
 <li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios</li>
-<li><p>Accessible to all enterprise managed devices via following:</p>
+<li><p>Accessible to all enterprise-managed devices via following:</p>
 <ul>
 <li>FQDN = (enterprise assigned)</li>
 <li>Port = (enterprise assigned)</li>
@ -155,12 +155,12 @@ The following is a list of functions performed by the Device HealthAttestation C
 <td style="vertical-align:top">The operation cost of running one or more instances of Server 2016 on-premises.</td>
 </tr>
 <tr class="even">
-<td style="vertical-align:top">Device Health Attestation - Enterprise Managed Cloud<p>(DHA-EMC)</p></td>
+<td style="vertical-align:top">Device Health Attestation - Enterprise-Managed Cloud<p>(DHA-EMC)</p></td>
-<td style="vertical-align:top"><p>DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.</p>
+<td style="vertical-align:top"><p>DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.</p>
 <ul>
 <li>Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)</li>
 <li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios </li>
-<li><p>Accessible to all enterprise managed devices via following:</p>
+<li><p>Accessible to all enterprise-managed devices via following:</p>
 <ul>
 <li>FQDN = (enterprise assigned)</li>
 <li>Port = (enterprise assigned)</li>
@ -176,10 +176,22 @@ The following is a list of functions performed by the Device HealthAttestation C
 ## CSP diagram and node descriptions  
-The following diagram shows the Device HealthAttestation configuration service provider in tree format.  
+The following shows the Device HealthAttestation configuration service provider in tree format.  
-
+```
-![healthattestation csp](images/provisioning-csp-healthattestation.png)
+./Vendor/MSFT
-
+HealthAttestation
 ----VerifyHealth
 ----Status
 ----ForceRetrieve
 ----Certificate
 ----Nonce
 ----CorrelationID
 ----HASEndpoint
 ----TpmReadyStatus
 ----CurrentProtocolVersion
 ----PreferredMaxProtocolVersion
 ----MaxSupportedProtocolVersion
 ```
 <a href="" id="healthattestation"></a>**./Vendor/MSFT/HealthAttestation**  
 <p style="margin-left: 20px">The root node for the device HealthAttestation configuration service provider.</p>
@ -306,13 +318,13 @@ SSL-Session:
 There are three types of DHA-Service:
 - Device Health Attestation – Cloud (owned and operated by Microsoft)
 - Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
- Device Health Attestation - Enterprise Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise managed cloud)
+- Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud)
 DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider.
 For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint node to instruct a managed device to communicate with the enterprise trusted DHA-Service. 
-The following example shows a sample call that instructs a managed device to communicate with an enterprise managed DHA-Service.
+The following example shows a sample call that instructs a managed device to communicate with an enterprise-managed DHA-Service.
 ```xml
 <Replace>
--- a/windows/client-management/mdm/maps-csp.md
+++ b/windows/client-management/mdm/maps-csp.md
@ -21,10 +21,14 @@ The Maps configuration service provider (CSP) is used to configure the maps to d
-The following diagram shows the Maps configuration service provider in tree format.
+The following shows the Maps configuration service provider in tree format.
-
+```
-![maps csp diagram](images/provisioning-csp-maps.png)
+./Vendor/MSFT
-
+Maps
 ----Packages
 --------Package
 ------------Status
 ```
 <a href="" id="maps"></a>**Maps**  
 Root node.
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@ -17,10 +17,22 @@ manager: dansimp
 The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803.
-The following diagram shows the MultiSIM configuration service provider in tree format.
+The following shows the MultiSIM configuration service provider in tree format.
-
+```
-![MultiSIM CSP diagram](images/provisioning-csp-multisim.png) 
+./Device/Vendor/MSFT
-
+MultiSIM
 ----ModemID
 --------Identifier
 --------IsEmbedded
 --------Slots
 ------------SlotID
 ----------------Identifier
 ----------------IsEmbedded
 ----------------IsSelected
 ----------------State
 --------Policies
 ------------SlotSelectionEnabled
 ```
 <a href="" id="multisim"></a>**./Device/Vendor/MSFT/MultiSIM**  
 Root node.
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@ -266,6 +266,7 @@ ms.date: 10/08/2020
 - [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit)
 - [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder)
 - [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations)
 - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
 - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
 - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
 - [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification)
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -1053,6 +1053,13 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>
 ### ADMX_FileRecovery policies
 <dl>
  <dd>
    <a href="./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy" id="admx-filerecovery-wdiscenarioexecutionpolicy">ADMX_FileRecovery/WdiScenarioExecutionPolicy</a>
  </dd>
 </dl>
 ### ADMX_FileServerVSSProvider policies
 <dl>
  <dd>
--- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
@ -0,0 +1,125 @@
 ---
 title: Policy CSP - ADMX_FileRecovery
 description: Policy CSP - ADMX_FileRecovery
 ms.author: dansimp
 ms.localizationpriority: medium
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.date: 03/02/2021
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - ADMX_FileRecovery
 > [!WARNING]
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
 <!--Policies-->
 ## ADMX_FileRecovery policies  
 <dl>
  <dd>
    <a href="#admx-filerecovery-wdiscenarioexecutionpolicy">ADMX_FileRecovery/WdiScenarioExecutionPolicy</a>
  </dd>
 </dl>
 <hr/>
 <!--Policy-->
 <a href="" id="admx-filerecovery-wdiscenarioexecutionpolicy"></a>**ADMX_FileRecovery/WdiScenarioExecutionPolicy**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Machine
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Available in the latest Windows 10 Insider Preview Build. This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. 
 If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. 
 If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. 
 No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. 
 This policy setting only takes effect if the Disk Diagnostic scenario policy setting  is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. 
 > [!NOTE]
 > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.
 > [!NOTE]
 > This policy setting applies to all sites in Trusted zones.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP English name: *Disk Diagnostic: Configure execution level*
 -   GP name: *WdiScenarioExecutionPolicy*
 -   GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
 -   GP ADMX file name: *FileRecovery.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 Footnotes:
 - 1 - Available in Windows 10, version 1607
 - 2 - Available in Windows 10, version 1703
 - 3 - Available in Windows 10, version 1709
 - 4 - Available in Windows 10, version 1803
 - 5 - Available in Windows 10, version 1809
 - 6 - Available in Windows 10, version 1903
 - 7 - Available in Windows 10, version 1909
 - 8 - Available in Windows 10, version 2004
 - 9 - Available in Windows 10, version 20H2
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@ -3224,8 +3224,10 @@ ADMX Info:
 <!--/Policy-->
 <hr/>
 <!--Policy--> 
 <a href="" id="admx-microsoftdefenderantivirus-reporting-disablegenericreports"></a>**ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts**  
 <!--SupportedSKUs-->
 <table>
 <tr>
@ -3357,6 +3359,7 @@ ADMX Info:
 <!--/Policy-->
 <hr/>
 <!--Policy--> 
 <a href="" id="admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout"></a>**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout**  
 <!--SupportedSKUs-->
@ -4249,7 +4252,11 @@ ADMX Info:
 <!--/Policy-->
 <hr/>
 <!--Policy-->
-<a href="" id="admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan"></a>**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan**  
+
 <a href="" 
 id="admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan"></a>**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan** 
 <!--SupportedSKUs-->
 <table>
@ -6137,6 +6144,8 @@ ADMX Info:
 <!--Policy-->
 <a href=""id="admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification"></a>**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification** 
 <!--SupportedSKUs-->
 <table>
 <tr>
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@ -5,9 +5,8 @@ ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: manikadhiman
+author: dansimp
 ms.localizationpriority: medium
 ms.date: 09/27/2019
 ms.reviewer: 
 manager: dansimp
 ---
@ -85,6 +84,9 @@ manager: dansimp
  <dd>
    <a href="#internetexplorer-allowonewordentry">InternetExplorer/AllowOneWordEntry</a>
  </dd>
  <dd>
    <a href="#internetexplorer-allowsavetargetasinIEmode">InternetExplorer/AllowSaveTargetAsInIEMode</a>
  </dd>
  <dd>
    <a href="#internetexplorer-allowsitetozoneassignmentlist">InternetExplorer/AllowSiteToZoneAssignmentList</a>
  </dd>
@ -112,6 +114,11 @@ manager: dansimp
  <dd>
    <a href="#internetexplorer-consistentmimehandlinginternetexplorerprocesses">InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses</a>
  </dd>
 <dd>
    <a 
    href="#internetexplorer-configureedgeredirectchannel">InternetExplorer/ConfigureEdgeRedirectChannel</a> 
  </dd>
  <dd>
    <a href="#internetexplorer-disableactivexversionlistautodownload">InternetExplorer/DisableActiveXVersionListAutoDownload</a>
  </dd>
@ -160,6 +167,9 @@ manager: dansimp
  <dd>
    <a href="#internetexplorer-disablehomepagechange">InternetExplorer/DisableHomePageChange</a>
  </dd>
  <dd>
    <a href="#internetexplorer-disableinternetexplorerapp">InternetExplorer/DisableInternetExplorerApp</a>
  </dd>
  <dd>
    <a href="#internetexplorer-disableignoringcertificateerrors">InternetExplorer/DisableIgnoringCertificateErrors</a>
  </dd>
@ -355,6 +365,9 @@ manager: dansimp
  <dd>
    <a href="#internetexplorer-intranetzonenavigatewindowsandframes">InternetExplorer/IntranetZoneNavigateWindowsAndFrames</a>
  </dd>
 <dd>
    <a href="#internetexplorer-keepintranetsitesininternetexplorer">InternetExplorer/KeepIntranetSitesInInternetExplorer</a> 
  </dd>
  <dd>
    <a href="#internetexplorer-localmachinezoneallowaccesstodatasources">InternetExplorer/LocalMachineZoneAllowAccessToDataSources</a>
  </dd>
@ -739,6 +752,9 @@ manager: dansimp
  <dd>
    <a href="#internetexplorer-securityzonesuseonlymachinesettings">InternetExplorer/SecurityZonesUseOnlyMachineSettings</a>
  </dd>
 <dd>
    <a href="#internetexplorer-sendsitesnotinenterprisesitelisttoedge">InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge</a>
  </dd>
  <dd>
    <a href="#internetexplorer-specifyuseofactivexinstallerservice">InternetExplorer/SpecifyUseOfActiveXInstallerService</a>
  </dd>
@ -2348,6 +2364,88 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="internetexplorer-allowsavetargetasinIEmode"></a>**InternetExplorer/AllowSaveTargetAsInIEMode**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting allows the administrator to enable "Save Target As" context menu in Internet Explorer mode.
 - If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer.
 - If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu.
 For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115)
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP English name: *Allow "Save Target As" in Internet Explorer mode*
 -   GP name: *AllowSaveTargetAsInIEMode*
 -   GP path: *Windows Components/Internet Explorer*
 -   GP ADMX file name: *inetres.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 ```xml
 <policy name="AllowSaveTargetAsInIEMode" class="Both" displayName="$(string.AllowSaveTargetAsInIEMode)" explainText="$(string.IE_ExplainAllowSaveTargetAsInIEMode)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" valueName="AllowSaveTargetAsInIEMode">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
 ```
 <!--Policy-->
 <a href="" id="internetexplorer-allowsitetozoneassignmentlist"></a>**InternetExplorer/AllowSiteToZoneAssignmentList**  
@ -2978,6 +3076,298 @@ ADMX Info:
 <hr/>
 <a href="" id="internetexplorer-configureedgeredirectchannel"></a>**InternetExplorer/ConfigureEdgeRedirectChannel**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy, if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed.
 If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur:
 - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
 1 = Microsoft Edge Stable
 2 = Microsoft Edge Beta version 77 or later
 3 = Microsoft Edge Dev version 77 or later
 4 = Microsoft Edge Canary version 77 or later
 - If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior.
 If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur:
 - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
 0 = Microsoft Edge version 45 or earlier
 1 = Microsoft Edge Stable
 2 = Microsoft Edge Beta version 77 or later
 3 = Microsoft Edge Dev version 77 or later
 4 = Microsoft Edge Canary version 77 or later
 - If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior.
 > [!NOTE]
 > For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115). This update applies only to Windows 10 version 1709 and higher.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP English name: *Configure which channel of Microsoft Edge to use for opening redirected sites*
 -   GP name: *NeedEdgeBrowser*
 -   GP path: *Windows Components/Internet Explorer*
 -   GP ADMX file name: *inetres.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 ```xml
 <policy name="NeedEdgeBrowser" class="Both" displayName="$(string.NeedEdgeBrowser)" explainText="$(string.IE_ExplainNeedEdgeBrowser)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" presentation="$(presentation.NeedEdgeBrowser)">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11" />
      <elements>
        <enum id="NeedEdgeBrowser" valueName="NeedEdgeBrowser">
          <item displayName="$(string.NeedEdgeBrowserChoice_None)">
            <value>
              <delete />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumStable)">
            <value>
              <decimal value="1" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumBeta)">
            <value>
              <decimal value="2" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumDev)">
            <value>
              <decimal value="3" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumCanary)">
            <value>
              <decimal value="4" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_EdgeHTML)">
            <value>
              <decimal value="0" />
            </value>
          </item>
        </enum>
        <enum id="NeedEdgeBrowser2" valueName="NeedEdgeBrowser2">
          <item displayName="$(string.NeedEdgeBrowserChoice_None)">
            <value>
              <delete />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumStable)">
            <value>
              <decimal value="1" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumBeta)">
            <value>
              <decimal value="2" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumDev)">
            <value>
              <decimal value="3" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumCanary)">
            <value>
              <decimal value="4" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_EdgeHTML)">
            <value>
              <decimal value="0" />
            </value>
          </item>
        </enum>
        <enum id="NeedEdgeBrowser3" valueName="NeedEdgeBrowser3">
          <item displayName="$(string.NeedEdgeBrowserChoice_None)">
            <value>
              <delete />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumStable)">
            <value>
              <decimal value="1" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumBeta)">
            <value>
              <decimal value="2" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumDev)">
            <value>
              <decimal value="3" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_ChromiumCanary)">
            <value>
              <decimal value="4" />
            </value>
          </item>
          <item displayName="$(string.NeedEdgeBrowserChoice_EdgeHTML)">
            <value>
              <decimal value="0" />
            </value>
          </item>
        </enum>
      </elements>
    </policy>
 ```
 <!--Policy-->
 <a href="" id="internetexplorer-consistentmimehandlinginternetexplorerprocesses"></a>**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses**  
@ -4250,8 +4640,102 @@ ADMX Info:
 <!--/ADMXBacked-->
 <!--/Policy-->
 <!--Policy-->
 <a href="" id="internetexplorer-disableinternetexplorerapp"></a>**InternetExplorer/DisableInternetExplorerApp**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy lets you restrict launching of Internet Explorer as a standalone browser.
 If you enable this policy, it:
 - Prevents Internet Explorer 11 from launching as a standalone browser.
 - Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'.
 - Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser.
 - Overrides any other policies that redirect to Internet Explorer 11.
 If you disable, or do not configure this policy, all sites are opened using the current active browser settings.
 > [!NOTE]
 > Microsoft Edge Stable Channel must be installed for this policy to take effect.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP English name: *Disable Internet Explorer 11 as a standalone browser*
 -   GP name: *DisableInternetExplorerApp*
 -   GP path: *Windows Components/Internet Explorer*
 -   GP ADMX file name: *inetres.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 ```xml
 <policy name="DisableInternetExplorerApp" class="Both" displayName="$(string.DisableInternetExplorerApp)" explainText="$(string.IE_ExplainDisableInternetExplorerApp)" key="Software\Policies\Microsoft\Internet Explorer\Main" valueName="DisableInternetExplorerApp">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
 ```
 <!--Policy-->
 <a href="" id="internetexplorer-disableignoringcertificateerrors"></a>**InternetExplorer/DisableIgnoringCertificateErrors**  
@ -9007,6 +9491,105 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="internetexplorer-keepintranetsitesininternetexplorer"></a>**InternetExplorer/KeepIntranetSitesInInternetExplorer**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting prevents intranet sites from being opened in any browser except Internet Explorer.
 > [!NOTE]
 > If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdg](#internetexplorer-policies)e policy is not enabled, then this policy has no effect.
 If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List.
 If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge.
 We strongly recommend keeping this policy in sync with the [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge.
 Related policies:
 - [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies)
 - [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies)
 For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](https://go.microsoft.com/fwlink/?linkid=2094210)
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP English name: *Keep all Intranet Sites in Internet Explorer*
 -   GP name: *KeepIntranetSitesInInternetExplorer*
 -   GP path: *Windows Components/Internet Explorer*
 -   GP ADMX file name: *inetres.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 ```xml
 <policy name="KeepIntranetSitesInInternetExplorer" class="Both" displayName="$(string.KeepIntranetSitesInInternetExplorer)" explainText="$(string.IE_ExplainKeepIntranetSitesInInternetExplorer)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" valueName="KeepIntranetSitesInInternetExplorer">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
 ```
 <!--Policy-->
 <a href="" id="internetexplorer-localmachinezoneallowaccesstodatasources"></a>**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**  
@ -18428,6 +19011,100 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="internetexplorer-sendsitesnotinenterprisesitelisttoedge"></a>**InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting and you must include at least one site in the Enterprise Mode Site List.
 If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge.
 If you disable, or not configure this setting, then it opens all sites based on the currently active browser. 
 > [!NOTE]
 > If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge*
 -   GP name: *RestrictInternetExplorer*
 -   GP path: *Windows Components/Internet Explorer*
 -   GP ADMX file name: *inetres.admx*
 > [!NOTE]
 > This MDM policy is still outstanding.
 <!--/ADMXBacked-->
 <!--/Policy-->
 ```xml
  <policy name="RestrictInternetExplorer" class="Both" displayName="$(string.RestrictInternetExplorer)" explainText="$(string.IE_ExplainRestrictInternetExplorer)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" valueName="RestrictIE">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11WIN10_1607" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
 ```
 <!--Policy-->
 <a href="" id="internetexplorer-specifyuseofactivexinstallerservice"></a>**InternetExplorer/SpecifyUseOfActiveXInstallerService**  
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@ -1,6 +1,6 @@
 ---
 title: TenantLockdown CSP
-description: 
+description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
@ -21,10 +21,12 @@ The TenantLockdown configuration service provider is used by the IT admin to loc
 > [!NOTE]
 > The forced network connection is only applicable to devices after reset (not new).
-The following diagram shows the TenantLockdown configuration service provider in tree format.
+The following shows the TenantLockdown configuration service provider in tree format.
-
+```
-![TenantLockdown CSP diagram](images/provisioning-csp-tenantlockdown.png)
+./Vendor/MSFT
-
+TenantLockdown
 ----RequireNetworkInOOBE
 ```
 <a href="" id="tenantlockdown"></a>**./Vendor/MSFT/TenantLockdown**  
 The root node.
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@ -14,25 +14,27 @@ manager: dansimp
 # TPMPolicy CSP
-The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
+The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
 The TPMPolicy CSP was added in Windows 10, version 1703.
-The following diagram shows the TPMPolicy configuration service provider in tree format.
+The following shows the TPMPolicy configuration service provider in tree format.
-
+```
-![tpmpolicy csp](images/provisioning-csp-tpmpolicy.png)
+./Vendor/MSFT
-
+TPMPolicy
 ----IsActiveZeroExhaust
 ```
 <a href="" id="--device-vendor-msft-tpmpolicy"></a>**./Device/Vendor/MSFT/TPMPolicy**  
 <p style="margin-left: 20px">Defines the root node.</p>
 <a href="" id="isactivezeroexhaust"></a>**IsActiveZeroExhaust**  
-<p style="margin-left: 20px">Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:</p>
+<p style="margin-left: 20px">Boolean value that indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:</p>
 <ul>
 <li>There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected. </li>
 <li>There should be no traffic during installation of Windows and first logon when local ID is used.</li>
-<li>Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.</li>
+<li>Launching and using a local app (Notepad, Paint, and so on.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, and so on.) should not send any traffic.</li>
-<li>Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, etc.) to Microsoft.</li>
+<li>Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, and so on.) to Microsoft.</li>
 </ul>
 Here is an example:
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@ -22,10 +22,33 @@ The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmwa
 > [!NOTE]
 > The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface.
-The following diagram shows the UEFI CSP in tree format.
+The following shows the UEFI CSP in tree format.
-
+```
-![Uefi CSP diagram](images/provisioning-csp-uefi.png)
+./Vendor/MSFT
-
+Uefi
 ----DeviceIdentifier
 ----Identity
 --------Current
 --------Apply
 --------Result
 ----Permissions
 --------Current
 --------Apply
 --------Result
 ----Settings
 --------Current
 --------Apply
 --------Result
 ----Identity2
 --------Apply
 --------Result
 ----Permissions2
 --------Apply
 --------Result
 ----Settings2
 --------Apply
 --------Result
 ```
 The following list describes the characteristics and parameters.
 <a href="" id="uefi"></a>**./Vendor/MSFT/Uefi**  
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@ -19,10 +19,37 @@ The Update configuration service provider enables IT administrators to manage an
 > [!Note]
 > The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies. 
-The following diagram shows the Update configuration service provider in tree format.
+The following shows the Update configuration service provider in tree format.
 ![update csp diagram](images/provisioning-csp-update.png)
 ```./Vendor/MSFT
 Update
 ----ApprovedUpdates
 --------Approved Update Guid
 ------------ApprovedTime
 ----FailedUpdates
 --------Failed Update Guid
 ------------HResult
 ------------Status
 ------------RevisionNumber
 ----InstalledUpdates
 --------Installed Update Guid
 ------------RevisionNumber
 ----InstallableUpdates
 --------Installable Update Guid
 ------------Type
 ------------RevisionNumber
 ----PendingRebootUpdates
 --------Pending Reboot Update Guid
 ------------InstalledTime
 ------------RevisionNumber
 ----LastSuccessfulScanTime
 ----DeferUpgrade
 ----Rollback
 --------QualityUpdate
 --------FeatureUpdate
 --------QualityUpdateStatus
 --------FeatureUpdateStatus
 ```
 <a href="" id="update"></a>**Update**
 <p style="margin-left: 20px">The root node.
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@ -33,10 +33,290 @@ The XSDs for all EAP methods are shipped in the box and can be found at the foll
 - `C:\\Windows\\schemas\\EAPHost`
 - `C:\\Windows\\schemas\\EAPMethods`
-The following diagram shows the VPNv2 configuration service provider in tree format.
+The following shows the VPNv2 configuration service provider in tree format.
-![vpnv2 csp diagram](images/provisioning-csp-vpnv2.png)
+```
 ./Vendor/MSFT
 VPNv2
 ----ProfileName
 --------AppTriggerList
 ------------appTriggerRowId
 ----------------App
 --------------------Id
 --------------------Type
 --------RouteList
 ------------routeRowId
 ----------------Address
 ----------------PrefixSize
 ----------------Metric
 ----------------ExclusionRoute
 --------DomainNameInformationList
 ------------dniRowId
 ----------------DomainName
 ----------------DomainNameType
 ----------------DnsServers
 ----------------WebProxyServers
 ----------------AutoTrigger
 ----------------Persistent
 --------TrafficFilterList
 ------------trafficFilterId
 ----------------App
 --------------------Id
 --------------------Type
 ----------------Claims
 ----------------Protocol
 ----------------LocalPortRanges
 ----------------RemotePortRanges
 ----------------LocalAddressRanges
 ----------------RemoteAddressRanges
 ----------------RoutingPolicyType
 ----------------Direction
 --------EdpModeId
 --------RememberCredentials
 --------AlwaysOn
 --------LockDown
 --------DeviceTunnel
 --------RegisterDNS
 --------DnsSuffix
 --------ByPassForLocal
 --------TrustedNetworkDetection
 --------ProfileXML
 --------Proxy
 ------------Manual
 ----------------Server
 ------------AutoConfigUrl
 --------APNBinding
 ------------ProviderId
 ------------AccessPointName
 ------------UserName
 ------------Password
 ------------IsCompressionEnabled
 ------------AuthenticationType
 --------DeviceCompliance
 ------------Enabled
 ------------Sso
 ----------------Enabled
 ----------------IssuerHash
 ----------------Eku
 --------PluginProfile
 ------------ServerUrlList
 ------------CustomConfiguration
 ------------PluginPackageFamilyName
 ------------CustomStoreUrl
 ------------WebAuth
 ----------------Enabled
 ----------------ClientId
 --------NativeProfile
 ------------Servers
 ------------RoutingPolicyType
 ------------NativeProtocolType
 ------------Authentication
 ----------------UserMethod
 ----------------MachineMethod
 ----------------Eap
 --------------------Configuration
 --------------------Type
 ----------------Certificate
 --------------------Issuer
 --------------------Eku
 ------------CryptographySuite
 ----------------AuthenticationTransformConstants
 ----------------CipherTransformConstants
 ----------------EncryptionMethod
 ----------------IntegrityCheckMethod
 ----------------DHGroup
 ----------------PfsGroup
 ------------L2tpPsk
 ------------DisableClassBasedDefaultRoute
 ------------PlumbIKEv2TSAsRoutes
 ./User/Vendor/MSFT
 VPNv2
 ----ProfileName
 --------AppTriggerList
 ------------appTriggerRowId
 ----------------App
 --------------------Id
 --------------------Type
 --------RouteList
 ------------routeRowId
 ----------------Address
 ----------------PrefixSize
 ----------------Metric
 ----------------ExclusionRoute
 --------DomainNameInformationList
 ------------dniRowId
 ----------------DomainName
 ----------------DomainNameType
 ----------------DnsServers
 ----------------WebProxyServers
 ----------------AutoTrigger
 ----------------Persistent
 --------TrafficFilterList
 ------------trafficFilterId
 ----------------App
 --------------------Id
 --------------------Type
 ----------------Claims
 ----------------Protocol
 ----------------LocalPortRanges
 ----------------RemotePortRanges
 ----------------LocalAddressRanges
 ----------------RemoteAddressRanges
 ----------------RoutingPolicyType
 --------EdpModeId
 --------RememberCredentials
 --------AlwaysOn
 --------DnsSuffix
 --------ByPassForLocal
 --------TrustedNetworkDetection
 --------ProfileXML
 --------Proxy
 ------------Manual
 ----------------Server
 ------------AutoConfigUrl
 --------APNBinding
 ------------ProviderId
 ------------AccessPointName
 ------------UserName
 ------------Password
 ------------IsCompressionEnabled
 ------------AuthenticationType
 --------DeviceCompliance
 ------------Enabled
 ------------Sso
 ----------------Enabled
 ----------------IssuerHash
 ----------------Eku
 --------PluginProfile
 ------------ServerUrlList
 ------------CustomConfiguration
 ------------PluginPackageFamilyName
 ------------CustomStoreUrl
 ------------WebAuth
 ----------------Enabled
 ----------------ClientId
 --------NativeProfile
 ------------Servers
 ------------RoutingPolicyType
 ------------NativeProtocolType
 ------------Authentication
 ----------------UserMethod
 ----------------MachineMethod
 ----------------Eap
 --------------------Configuration
 --------------------Type
 ----------------Certificate
 --------------------Issuer
 --------------------Eku
 ------------CryptographySuite
 ----------------AuthenticationTransformConstants
 ----------------CipherTransformConstants
 ----------------EncryptionMethod
 ----------------IntegrityCheckMethod
 ----------------DHGroup
 ----------------PfsGroup
 ------------L2tpPsk
 ------------DisableClassBasedDefaultRoute
 ------------PlumbIKEv2TSAsRoutes
 ./Vendor/MSFT
 ./User/Vendor/MSFT
 VPNv2
 ----ProfileName
 --------AppTriggerList
 ------------appTriggerRowId
 ----------------App
 --------------------Id
 --------------------Type
 --------RouteList
 ------------routeRowId
 ----------------Address
 ----------------PrefixSize
 ----------------Metric
 ----------------ExclusionRoute
 --------DomainNameInformationList
 ------------dniRowId
 ----------------DomainName
 ----------------DomainNameType
 ----------------DnsServers
 ----------------WebProxyServers
 ----------------AutoTrigger
 ----------------Persistent
 --------TrafficFilterList
 ------------trafficFilterId
 ----------------App
 --------------------Id
 --------------------Type
 ----------------Claims
 ----------------Protocol
 ----------------LocalPortRanges
 ----------------RemotePortRanges
 ----------------LocalAddressRanges
 ----------------RemoteAddressRanges
 ----------------RoutingPolicyType
 ----------------Direction
 --------EdpModeId
 --------RememberCredentials
 --------AlwaysOn
 --------LockDown
 --------DeviceTunnel
 --------RegisterDNS
 --------DnsSuffix
 --------ByPassForLocal
 --------TrustedNetworkDetection
 --------ProfileXML
 --------Proxy
 ------------Manual
 ----------------Server
 ------------AutoConfigUrl
 --------APNBinding
 ------------ProviderId
 ------------AccessPointName
 ------------UserName
 ------------Password
 ------------IsCompressionEnabled
 ------------AuthenticationType
 --------DeviceCompliance
 ------------Enabled
 ------------Sso
 ----------------Enabled
 ----------------IssuerHash
 ----------------Eku
 --------PluginProfile
 ------------ServerUrlList
 ------------CustomConfiguration
 ------------PluginPackageFamilyName
 ------------CustomStoreUrl
 ------------WebAuth
 ----------------Enabled
 ----------------ClientId
 --------NativeProfile
 ------------Servers
 ------------RoutingPolicyType
 ------------NativeProtocolType
 ------------Authentication
 ----------------UserMethod
 ----------------MachineMethod
 ----------------Eap
 --------------------Configuration
 --------------------Type
 ----------------Certificate
 --------------------Issuer
 --------------------Eku
 ------------CryptographySuite
 ----------------AuthenticationTransformConstants
 ----------------CipherTransformConstants
 ----------------EncryptionMethod
 ----------------IntegrityCheckMethod
 ----------------DHGroup
 ----------------PfsGroup
 ------------L2tpPsk
 ------------DisableClassBasedDefaultRoute
 ------------PlumbIKEv2TSAsRoutes
 ```
 <a href="" id="device-or-user-profile"></a>**Device or User profile**  
 For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path.
@ -119,7 +399,7 @@ Supported operations include Get, Add, Replace, and Delete.
 Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
 - FQDN - Fully qualified domain name
- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a **.** to the DNS suffix.
+- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend **.** to the DNS suffix.
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@ -233,7 +513,7 @@ Specifies the routing policy if an App or Claims type is used in the traffic fil
 - SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
 - ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only.
-This is only applicable for App ID based Traffic Filter rules.
+This is only applicable for App ID-based Traffic Filter rules.
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@ -248,7 +528,7 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 <a href="" id="vpnv2-profilename-edpmodeid"></a>**VPNv2/**<em>ProfileName</em>**/EdpModeId**  
-Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
 Additionally when connecting with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.
@ -293,7 +573,7 @@ When the DeviceTunnel profile is turned on, it does the following things:
 - First, it automatically becomes an "always on" profile.
 - Second, it does not require the presence or logging in of any user to the machine in order for it to connect.
- Third, no other device tunnel profile maybe be present on the same machine.
+- Third, no other device tunnel profile maybe is present on the same machine.-
 A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
@ -316,7 +596,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 Reserved for future use.
 <a href="" id="vpnv2-profilename-trustednetworkdetection"></a>**VPNv2/**<em>ProfileName</em>**/TrustedNetworkDetection**  
-Optional. Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+Optional. Comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@ -387,7 +667,7 @@ Added in Windows 10, version 1607. Hashes for the VPN Client to look for the co
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 <a href="" id="vpnv2-profilename-devicecompliance-sso-eku"></a>**VPNv2/**<em>ProfileName</em>**/DeviceCompliance/Sso/Eku**  
-Added in Windows 10, version 1607. Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
+Added in Windows 10, version 1607. Comma-Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@ -582,7 +862,7 @@ Added in Windows 10, version 1607. The preshared key used for an L2TP connectio
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 <a href="" id="vpnv2-profilename-nativeprofile-disableclassbaseddefaultroute"></a>**VPNv2/**<em>ProfileName</em>**/NativeProfile/DisableClassBasedDefaultRoute**  
-Added in Windows 10, version 1607. Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8
+Added in Windows 10, version 1607. Specifies the class-based default routes. For example, if the interface IP begins with 10, it assumes a class an IP and pushes the route to 10.0.0.0/8
 Value type is bool. Supported operations include Get, Add, Replace, and Delete.
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@ -17,10 +17,21 @@ ms.date: 06/26/2017
 The Win32AppInventory configuration service provider is used to provide an inventory of installed applications on a device.
-The following diagram shows the Win32AppInventory configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+The following shows the Win32AppInventory configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
-
+```
-![win32appinventory csp diagram](images/provisioning-csp-win32appinventory.png)
+./Vendor/MSFT
-
+Win32AppInventory
 ----Win32InstalledProgram
 --------InstalledProgram
 ------------Name
 ------------Publisher
 ------------Version
 ------------Language
 ------------RegKey
 ------------Source
 ------------MsiProductCode
 ------------MsiPackageCode
 ```
 <a href="" id="--vendor-msft-win32appinventory"></a>**./Vendor/MSFT/Win32AppInventory**  
 The root node for the Win32AppInventory configuration service provider.
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@ -1,6 +1,6 @@
 ---
 title: Win32CompatibilityAppraiser CSP
-description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health.
+description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
@ -16,12 +16,35 @@ manager: dansimp
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, version 1809.
+The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health. This CSP was added in Windows 10, version 1809.
 The following diagram shows the Win32CompatibilityAppraiser configuration service provider in tree format.
 ![Win32CompatibilityAppraiser CSP diagram](images/provisioning-csp-win32compatibilityappraiser.png)
 The following shows the Win32CompatibilityAppraiser configuration service provider in tree format.
 ```
 ./Device/Vendor/MSFT
 Win32CompatibilityAppraiser
 ----CompatibilityAppraiser
 --------AppraiserConfigurationDiagnosis
 ------------CommercialId
 ------------CommercialIdSetAndValid
 ------------AllTargetOsVersionsRequested
 ------------OsSkuIsValidForAppraiser
 ------------AppraiserCodeAndDataVersionsAboveMinimum
 ------------RebootPending
 --------AppraiserRunResultReport
 ----UniversalTelemetryClient
 --------UtcConfigurationDiagnosis
 ------------TelemetryOptIn
 ------------CommercialDataOptIn
 ------------DiagTrackServiceRunning
 ------------MsaServiceEnabled
 ------------InternetExplorerTelemetryOptIn
 --------UtcConnectionReport
 ----WindowsErrorReporting
 --------WerConfigurationDiagnosis
 ------------WerTelemetryOptIn
 ------------MostRestrictiveSetting
 --------WerConnectionReport
 ```
 <a href="" id="accountmanagement"></a>**./Vendor/MSFT/Win32CompatibilityAppraiser**  
 The root node for the Win32CompatibilityAppraiser configuration service provider.
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@ -15,10 +15,27 @@ manager: dansimp
 The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
-The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
+The following shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
-
+```
-![windowsdefenderapplicationguard csp](images/provisioning-csp-windowsdefenderapplicationguard.png)
+./Device/Vendor/MSFT
-
+WindowsDefenderApplicationGuard
 ----Settings
 --------AllowWindowsDefenderApplicationGuard
 --------ClipboardFileType
 --------ClipboardSettings
 --------PrintingSettings
 --------BlockNonEnterpriseContent
 --------AllowPersistence
 --------AllowVirtualGPU
 --------SaveFilesToHost
 --------CertificateThumbprints
 --------AllowCameraMicrophoneRedirection
 ----Status
 ----PlatformStatus
 ----InstallWindowsDefenderApplicationGuard
 ----Audit
 --------AuditApplicationGuard
 ```
 <a href="" id="windowsdefenderapplicationguard"></a>**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**  
 Root node. Supported operation is Get.
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@ -19,10 +19,27 @@ ms.date: 08/15/2018
 The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 desktop and mobile devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 desktop devices.
-The following diagram shows the WindowsLicensing configuration service provider in tree format.
+The following shows the WindowsLicensing configuration service provider in tree format.
-
+```
-![windowslicensing csp diagram](images/provisioning-csp-windowslicensing.png)
+./Vendor/MSFT
-
+WindowsLicensing
 ----UpgradeEditionWithProductKey
 ----ChangeProductKey
 ----Edition
 ----Status
 ----UpgradeEditionWithLicense
 ----LicenseKeyType
 ----CheckApplicability
 ----ChangeProductKey (Added in Windows 10, version 1703)
 ----Subscriptions (Added in Windows 10, version 1607)
 --------SubscriptionId (Added in Windows 10, version 1607)
 ------------Status (Added in Windows 10, version 1607)
 ------------Name (Added in Windows 10, version 1607)
 ----SMode (Added in Windows 10, version 1809)
 --------SwitchingPolicy (Added in Windows 10, version 1809)
 --------SwitchFromSMode (Added in Windows 10, version 1809)
 --------Status (Added in Windows 10, version 1809)
 ```
 <a href="" id="--device-vendor-msft-windowslicensing"></a>**./Device/Vendor/MSFT/WindowsLicensing**  
 This is the root node for the WindowsLicensing configuration service provider.
--- a/windows/client-management/mdm/windowssecurityauditing-csp.md
+++ b/windows/client-management/mdm/windowssecurityauditing-csp.md
@ -17,10 +17,13 @@ ms.date: 06/26/2017
 The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) to see if this CSP and others are supported on your Windows installation.
-The following diagram shows the WindowsSecurityAuditing configuration service provider in tree format.
+The following shows the WindowsSecurityAuditing configuration service provider in tree format.
-
+```
-![windowssecurityauditing csp diagram](images/provisioning-csp-windowssecurityauditing.png)
+./Vendor/MSFT
-
+WindowsSecurityAuditing
 ----ConfigurationSettings
 --------EnableSecurityAuditing
 ```
 <a href="" id="windowssecurityauditing"></a>**WindowsSecurityAuditing**  
 Root node.
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@ -18,10 +18,26 @@ manager: dansimp
 The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809.
-The following diagram shows the WiredNetwork configuration service provider in tree format.
+The following shows the WiredNetwork configuration service provider in tree format.
 ```
 ./User/Vendor/MSFT
 WiredNetwork
 ----LanXML
 ----EnableBlockPeriod
 ![WiredNetwork CSP diagram](images/provisioning-csp-wirednetwork.png) 
 ./Device/Vendor/MSFT
 WiredNetwork
 ----LanXML
 ----EnableBlockPeriod
 ./User/Vendor/MSFT
 ./Device/Vendor/MSFT
 WiredNetwork
 ----LanXML
 ----EnableBlockPeriod
 ```
 <a href="" id="wirednetwork"></a>**./Device/Vendor/MSFT/WiredNetwork**  
 Root node.
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@ -25,7 +25,7 @@ This topic describes how to install the Volume Activation Management Tool (VAMT)
 You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
 >[!IMPORTANT]
->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
+>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator. 
 >[!NOTE]
 >The VAMT Microsoft Management Console snap-in ships as an x86 package. 
@ -33,16 +33,20 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 ### Requirements
 - [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042)
+- Latest version of the [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install)
 - Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
 - Alternatively, any supported **full** SQL instance
 ### Install SQL Server Express / alternatively use any full SQL instance
 1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
 2. Select **Basic**.
 3. Accept the license terms.
 4. Enter an install location or use the default path, and then select **Install**.
 5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. 
    ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
@ -50,29 +54,37 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 ### Install VAMT using the ADK
 1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
   If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
 2. Enter an install location or use the default path, and then select **Next**.
 3. Select a privacy setting, and then select **Next**.
 4. Accept the license terms.
 5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
 6. On the completion page, select **Close**.
 ### Configure VAMT to connect to SQL Server Express or full SQL Server
 1. Open **Volume Active Management Tool 3.1** from the Start menu.
 2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
   ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
-for remote SQL Server use
+   For remote SQL Server, use `servername.yourdomain.com`.
 servername.yourdomain.com
 ## Uninstall VAMT
 To uninstall VAMT using the **Programs and Features** Control Panel:
 1.  Open **Control Panel** and select **Programs and Features**.
 2.  Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
--- a/windows/security/threat-protection/microsoft-defender-atp/gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md
@ -47,9 +47,6 @@ GCC | GCC High | DoD
 Microsoft Defender for Endpoint Server GCC | Microsoft Defender for Endpoint Server for GCC High | Microsoft Defender for Endpoint Server for DOD
 Azure Defender for Servers | Azure Defender for Servers - Government | Azure Defender for Servers - Government
 > [!NOTE]
 > DoD licensing will only be available at DoD general availability.
 <br>
 ## Portal URLs
@ -59,7 +56,7 @@ Customer type | Portal URL
 :---|:---
 GCC | https://gcc.securitycenter.microsoft.us
 GCC High | https://securitycenter.microsoft.us
-DoD (PREVIEW) | https://securitycenter.microsoft.us
+DoD | https://securitycenter.microsoft.us
 <br>
@ -68,7 +65,7 @@ DoD (PREVIEW) | https://securitycenter.microsoft.us
 ### Standalone OS versions
 The following OS versions are supported:
-OS version | GCC | GCC High | DoD (PREVIEW)
+OS version | GCC | GCC High | DoD
 :---|:---|:---|:---
 Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
 Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
@ -100,7 +97,7 @@ iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images
 ### OS versions when using Azure Defender for Servers
 The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp):
-OS version | GCC | GCC High | DoD (PREVIEW)
+OS version | GCC | GCC High | DoD
 :---|:---|:---|:---
 Windows Server 2016 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
 Windows Server 2012 R2 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
@ -143,7 +140,7 @@ You can find the Azure IP ranges in [Azure IP Ranges and Service Tags – US Gov
 ## API
 Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs:
-Endpoint type | GCC | GCC High & DoD (PREVIEW)
+Endpoint type | GCC | GCC High & DoD
 :---|:---|:---
 Login | `https://login.microsoftonline.com` | `https://login.microsoftonline.us`
 Defender for Endpoint API | `https://api-gcc.securitycenter.microsoft.us` | `https://api-gov.securitycenter.microsoft.us`
@ -156,7 +153,7 @@ Defender for Endpoint for US Government customers doesn't have complete parity w
 These are the known gaps as of March 2021:
-Feature name | GCC | GCC High | DoD (PREVIEW)
+Feature name | GCC | GCC High | DoD
 :---|:---|:---|:---
 Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
 Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md
@ -26,26 +26,23 @@ Applies to:
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-> [!IMPORTANT]
+Microsoft Defender for Endpoint supports monitoring both VDI and Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
 > Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
 Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
 ## Before you begin
-See [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
+See [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) doesn't provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
 > [!NOTE]
 > Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either: 
 > - Single entry for each virtual desktop 
 > - Multiple entries for each virtual desktop 
-Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. 
+Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and redeploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. 
-Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. 
+Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It's executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you're using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. 
 > [!NOTE]
-> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is _not_ recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account.
+> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It's _not_ recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account.
 ## Scenarios
 There are several ways to onboard a WVD host machine:
@ -104,18 +101,18 @@ This scenario uses a centrally located script and runs it using a domain-based g
 If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager. For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) 
 > [!WARNING]
-> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), the rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. 
+> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), the rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it's incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. 
 ## Tagging your machines when building your image 
-As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see 
+As part of your onboarding, you may want to consider setting a machine tag to can differentiate WVD machines more easily in the Microsoft Security Center. For more information, see 
 [Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value). 
 ## Other recommended configuration settings 
 When building your image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings). 
-In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection: 
+Also, if you're using FSlogix user profiles, we recommend you exclude the following files from always-on protection: 
 ### Exclude Files