Changes per feedback #2

windows/client-management/mdm/policy-csp-admx-appcompat.md

@@ -4,7 +4,7 @@ description: Learn more about the ADMX_AppCompat Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/20/2022
+ms.date: 01/03/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -54,7 +54,7 @@ If the status is set to Disabled, the MS-DOS subsystem runs for all users on thi
 
 If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on windows 7 and downlevel, the OS will allow 16-bit applications to run.
 
-Note: This setting appears in only Computer Configuration.
+**Note**: This setting appears in only Computer Configuration.
 <!-- AppCompatPrevent16BitMach-Description-End -->
 
 <!-- AppCompatPrevent16BitMach-Editable-Begin -->
@@ -242,7 +242,7 @@ The Windows Resource Protection and User Account Control features of Windows use
 
 This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential.
 
-NOTE: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes.
+**Note**: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes.
 <!-- AppCompatTurnOffEngine-Description-End -->
 
 <!-- AppCompatTurnOffEngine-Editable-Begin -->
@@ -281,6 +281,62 @@ NOTE: Many system processes cache the value of this setting for performance reas
 
 <!-- AppCompatTurnOffEngine-End -->
 
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Begin -->
+## AppCompatTurnOffProgramCompatibilityAssistant_1
+
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Applicability-End -->
+
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1
+```
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-OmaUri-End -->
+
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Description-End -->
+
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Editable-End -->
+
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-DFProperties-End -->
+
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AppCompatTurnOffProgramCompatibilityAssistant_1 |
+| Friendly Name | Turn off Program Compatibility Assistant |
+| Location | User Configuration |
+| Path | Windows Components > Application Compatibility |
+| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
+| Registry Value Name | DisablePCA |
+| ADMX File Name | AppCompat.admx |
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-AdmxBacked-End -->
+
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Examples-End -->
+
+<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-End -->
+
 <!-- AppCompatTurnOffProgramCompatibilityAssistant_2-Begin -->
 ## AppCompatTurnOffProgramCompatibilityAssistant_2
 
@@ -306,7 +362,7 @@ If you enable this policy setting, the PCA will be turned off. The user will not
 
 If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
 
-Note: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console.
+**Note**: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console.
 <!-- AppCompatTurnOffProgramCompatibilityAssistant_2-Description-End -->
 
 <!-- AppCompatTurnOffProgramCompatibilityAssistant_2-Editable-Begin -->
@@ -330,7 +386,7 @@ Note: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Se
 
 | Name | Value |
 |:--|:--|
-| Name | AppCompatTurnOffProgramCompatibilityAssistant |
+| Name | AppCompatTurnOffProgramCompatibilityAssistant_2 |
 | Friendly Name | Turn off Program Compatibility Assistant |
 | Location | Computer Configuration |
 | Path | Windows Components > Application Compatibility |
@@ -370,7 +426,7 @@ If you enable this policy setting, the Inventory Collector will be turned off an
 
 If you disable or do not configure this policy setting, the Inventory Collector will be turned on.
 
-Note: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off.
+**Note**: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off.
 <!-- AppCompatTurnOffProgramInventory-Description-End -->
 
 <!-- AppCompatTurnOffProgramInventory-Editable-Begin -->
@@ -537,62 +593,6 @@ If you disable or do not configure this policy setting, Steps Recorder will be e
 
 <!-- AppCompatTurnOffUserActionRecord-End -->
 
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Begin -->
-## AppCompatTurnOffProgramCompatibilityAssistant_1
-
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Applicability-End -->
-
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-OmaUri-Begin -->
-```User
-./User/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1
-```
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-OmaUri-End -->
-
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Description-Begin -->
-<!-- Description-Source-ADMX -->
-This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Description-End -->
-
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Editable-End -->
-
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | chr (string) |
-| Access Type | Add, Delete, Get, Replace |
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-DFProperties-End -->
-
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-AdmxBacked-Begin -->
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | AppCompatTurnOffProgramCompatibilityAssistant |
-| Friendly Name | Turn off Program Compatibility Assistant |
-| Location | User Configuration |
-| Path | Windows Components > Application Compatibility |
-| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat |
-| Registry Value Name | DisablePCA |
-| ADMX File Name | AppCompat.admx |
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-AdmxBacked-End -->
-
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-Examples-End -->
-
-<!-- AppCompatTurnOffProgramCompatibilityAssistant_1-End -->
-
 <!-- ADMX_AppCompat-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- ADMX_AppCompat-CspMoreInfo-End -->

windows/client-management/mdm/policy-csp-admx-userprofiles.md

@@ -4,7 +4,7 @@ description: Learn more about the ADMX_UserProfiles Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/03/2023
+ms.date: 01/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - ADMX_UserProfiles
 
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
@@ -44,9 +42,10 @@ ms.topic: reference
 
 <!-- CleanupProfiles-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days.
+This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days
 
-**Note**:  One day is interpreted as 24 hours after a specific user profile was accessed.
+> [!NOTE]
+> One day is interpreted as 24 hours after a specific user profile was accessed.
 
 If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days.
 
@@ -68,7 +67,7 @@ If you disable or do not configure this policy setting, User Profile Service wil
 
 <!-- CleanupProfiles-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -107,7 +106,8 @@ If you disable or do not configure this policy setting, User Profile Service wil
 <!-- Description-Source-ADMX -->
 This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys.
 
-Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile.
+> [!NOTE]
+> This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile.
 
 If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed.
 
@@ -129,7 +129,7 @@ If you disable or do not configure this policy setting, Windows will always unlo
 
 <!-- DontForceUnloadHive-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -175,7 +175,8 @@ If you enable this policy setting, Windows will not delete Windows Installer or
 
 If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted.
 
-Note: If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine.
+> [!NOTE]
+> If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine.
 <!-- LeaveAppMgmtData-Description-End -->
 
 <!-- LeaveAppMgmtData-Editable-Begin -->
@@ -193,7 +194,7 @@ Note: If this policy setting is enabled for a machine, local administrator actio
 
 <!-- LeaveAppMgmtData-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -214,6 +215,75 @@ Note: If this policy setting is enabled for a machine, local administrator actio
 
 <!-- LeaveAppMgmtData-End -->
 
+<!-- LimitSize-Begin -->
+## LimitSize
+
+<!-- LimitSize-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- LimitSize-Applicability-End -->
+
+<!-- LimitSize-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize
+```
+<!-- LimitSize-OmaUri-End -->
+
+<!-- LimitSize-Description-Begin -->
+<!-- Description-Source-ADMX -->
+This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles.
+
+If you disable this policy setting or do not configure it, the system does not limit the size of user profiles.
+
+If you enable this policy setting, you can:
+
+- Set a maximum permitted user profile size.
+- Determine whether the registry files are included in the calculation of the profile size.
+- Determine whether users are notified when the profile exceeds the permitted maximum size.
+- Specify a customized message notifying users of the oversized profile.
+- Determine how often the customized message is displayed.
+
+> [!NOTE]
+> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded.
+<!-- LimitSize-Description-End -->
+
+<!-- LimitSize-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- LimitSize-Editable-End -->
+
+<!-- LimitSize-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- LimitSize-DFProperties-End -->
+
+<!-- LimitSize-AdmxBacked-Begin -->
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LimitSize |
+| Friendly Name | Limit profile size |
+| Location | User Configuration |
+| Path | System > User Profiles |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | EnableProfileQuota |
+| ADMX File Name | UserProfiles.admx |
+<!-- LimitSize-AdmxBacked-End -->
+
+<!-- LimitSize-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- LimitSize-Examples-End -->
+
+<!-- LimitSize-End -->
+
 <!-- ProfileErrorAction-Begin -->
 ## ProfileErrorAction
 
@@ -257,7 +327,7 @@ Also, see the "Delete cached copies of roaming profiles" policy setting.
 
 <!-- ProfileErrorAction-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -303,9 +373,10 @@ This policy setting and related policy settings in this folder together define t
 
 If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow.
 
-If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.
+If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections
 
-**Important**:  If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.
+> [!IMPORTANT]
+> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.
 <!-- SlowLinkTimeOut-Description-End -->
 
 <!-- SlowLinkTimeOut-Editable-Begin -->
@@ -323,7 +394,7 @@ If you disable or do not configure this policy setting, Windows considers the ne
 
 <!-- SlowLinkTimeOut-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -364,15 +435,16 @@ This policy setting allows you to specify the location and root (file share or l
 
 If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name.
 
-To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box.
+To use this policy setting, in the Location list, choose the location for the home folder. If you choose "On the network," enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose "On the local computer," enter a local path (for example, C:\HomeFolder) in the Path box.
 
 Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon.
 
-Note: The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter.
+> [!NOTE]
+> The Drive letter box is ignored if you choose "On the local computer" from the Location list. If you choose "On the local computer" and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter.
 
 If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account.
 
-If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect.
+If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the "Set user home folder" policy setting has no effect.
 <!-- USER_HOME-Description-End -->
 
 <!-- USER_HOME-Editable-Begin -->
@@ -390,7 +462,7 @@ If the "Set Remote Desktop Services User Home Directory" policy setting is enabl
 
 <!-- USER_HOME-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -453,13 +525,13 @@ If you do not configure or disable this policy the user will have full control o
 
 <!-- UserInfoAccessAction-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | UserInfoAccessAction_Name |
+| Name | UserInfoAccessAction |
 | Friendly Name | User management of sharing user name, account picture, and domain information with apps (not desktop apps) |
 | Location | Computer Configuration |
 | Path | System > User Profiles |
@@ -474,74 +546,6 @@ If you do not configure or disable this policy the user will have full control o
 
 <!-- UserInfoAccessAction-End -->
 
-<!-- LimitSize-Begin -->
-## LimitSize
-
-<!-- LimitSize-Applicability-Begin -->
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
-<!-- LimitSize-Applicability-End -->
-
-<!-- LimitSize-OmaUri-Begin -->
-```User
-./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize
-```
-<!-- LimitSize-OmaUri-End -->
-
-<!-- LimitSize-Description-Begin -->
-<!-- Description-Source-ADMX -->
-This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles.
-
-If you disable this policy setting or do not configure it, the system does not limit the size of user profiles.
-
-If you enable this policy setting, you can:
-
--- Set a maximum permitted user profile size.
--- Determine whether the registry files are included in the calculation of the profile size.
--- Determine whether users are notified when the profile exceeds the permitted maximum size.
--- Specify a customized message notifying users of the oversized profile.
--- Determine how often the customized message is displayed.
-
-Note: In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded.
-<!-- LimitSize-Description-End -->
-
-<!-- LimitSize-Editable-Begin -->
-<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-<!-- LimitSize-Editable-End -->
-
-<!-- LimitSize-DFProperties-Begin -->
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | chr (string) |
-| Access Type | Add, Delete, Get, Replace |
-<!-- LimitSize-DFProperties-End -->
-
-<!-- LimitSize-AdmxBacked-Begin -->
-> [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | LimitSize |
-| Friendly Name | Limit profile size |
-| Location | User Configuration |
-| Path | System > User Profiles |
-| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
-| Registry Value Name | EnableProfileQuota |
-| ADMX File Name | UserProfiles.admx |
-<!-- LimitSize-AdmxBacked-End -->
-
-<!-- LimitSize-Examples-Begin -->
-<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-<!-- LimitSize-Examples-End -->
-
-<!-- LimitSize-End -->
-
 <!-- ADMX_UserProfiles-CspMoreInfo-Begin -->
 <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
 <!-- ADMX_UserProfiles-CspMoreInfo-End -->

windows/client-management/mdm/policy-csp-applicationmanagement.md

@@ -4,7 +4,7 @@ description: Learn more about the ApplicationManagement Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/09/2022
+ms.date: 01/04/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -674,6 +674,8 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 This policy allows the IT admin to specify a list of applications that users can run after logging on to the device.
 
+> [!NOTE]
+> This policy only works on modern apps.
 <!-- LaunchAppAfterLogOn-Editable-End -->
 
 <!-- LaunchAppAfterLogOn-DFProperties-Begin -->
@@ -688,18 +690,15 @@ This policy allows the IT admin to specify a list of applications that users can
 
 <!-- LaunchAppAfterLogOn-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. 
+For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task.
-Example of the declaration here:
 
 **Example**:
+
 ```xml
 <desktop:Extension Category="windows.startupTask">
    <desktop:StartupTask TaskId="CoffeeStartupTask" Enabled="true" DisplayName="ms-resource:Description" />
 </desktop:Extension>
 ```
-
-> [!NOTE]
-> This policy only works on modern apps.
 <!-- LaunchAppAfterLogOn-Examples-End -->
 
 <!-- LaunchAppAfterLogOn-End -->
@@ -802,9 +801,10 @@ If you enable this policy setting, privileges are extended to all programs. Thes
 
 If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.
 
-Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.
+**Note**: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.
 
-Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders.
+> [!CAUTION]
+> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders.
 
 **Note** that the User Configuration version of this policy setting is not guaranteed to be secure.
 <!-- MSIAlwaysInstallWithElevatedPrivileges-Description-End -->
@@ -1091,7 +1091,7 @@ To ensure apps are up-to-date, this policy allows the admins to set a recurring
 <!-- ScheduleForceRestartForUpdateFailures-DFProperties-End -->
 
 <!-- ScheduleForceRestartForUpdateFailures-AllowedValues-Begin -->
-https://github.com/vinaypamnani-msft/windows-docs-pr
+**Allowed values**:
 
 <br>
 <details>
@@ -1136,15 +1136,7 @@ https://github.com/vinaypamnani-msft/windows-docs-pr
 <!-- ScheduleForceRestartForUpdateFailures-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 
-> [!NOTE]
+**Example**:
-> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute.
-
-
-<!--/SupportedValues-->
-<!--Example-->
-**Examples**:
-
-Sample SyncML:
 
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.1">
@@ -1171,6 +1163,9 @@ Sample SyncML:
   </SyncBody>
 </SycnML>
 ```
+
+> [!NOTE]
+> The check for recurrence is done in a case sensitive manner. For instance the value needs to be "Daily" instead of "daily". The wrong case will cause SmartRetry to fail to execute.
 <!-- ScheduleForceRestartForUpdateFailures-Examples-End -->
 
 <!-- ScheduleForceRestartForUpdateFailures-End -->

windows/client-management/mdm/policy-csp-appruntime.md

@@ -4,7 +4,7 @@ description: Learn more about the AppRuntime Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/12/2022
+ms.date: 01/04/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - AppRuntime
 
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
@@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, users will need to sign
 
 <!-- AllowMicrosoftAccountsToBeOptional-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 

windows/client-management/mdm/policy-csp-bitlocker.md

@@ -18,6 +18,8 @@ ms.topic: reference
 
 <!-- Bitlocker-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> To manage encryption of PCs and devices, use [BitLocker CSP](./bitlocker-csp.md).
 <!-- Bitlocker-Editable-End -->
 
 <!-- EncryptionMethod-Begin -->
@@ -42,6 +44,12 @@ This policy specifies the BitLocker Drive Encryption method and cipher strength.
 
 <!-- EncryptionMethod-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+The following list shows the supported values:
+
+- 3 - AES-CBC 128-bit
+- 4 - AES-CBC 256-bit
+- 6 - XTS-AES 128-bit
+- 7 - XTS-AES 256-bit
 <!-- EncryptionMethod-Editable-End -->
 
 <!-- EncryptionMethod-DFProperties-Begin -->

windows/client-management/mdm/policy-csp-bits.md

@@ -4,7 +4,7 @@ description: Learn more about the BITS Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/24/2022
+ms.date: 01/04/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -37,7 +37,7 @@ ms.topic: reference
 
 <!-- BandwidthThrottlingEndTime-Description-Begin -->
 <!-- Description-Source-DDF -->
-This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range: 0 - 23You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
+This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range: 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
 
 **Note**:  You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
 <!-- BandwidthThrottlingEndTime-Description-End -->
@@ -94,7 +94,7 @@ This policy specifies the bandwidth throttling end time that Background Intellig
 
 <!-- BandwidthThrottlingStartTime-Description-Begin -->
 <!-- Description-Source-DDF -->
-This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range: 0 - 23You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
+This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range: 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
 
 **Note**:  You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
 <!-- BandwidthThrottlingStartTime-Description-End -->
@@ -342,7 +342,7 @@ This policy setting defines the default behavior that the foreground Intelligent
 <!-- Description-Source-DDF -->
 This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
 
-**Note**: Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range: 0 - 999Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
+**Note**: Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range: 0 - 999. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
 <!-- JobInactivityTimeout-Description-End -->
 
 <!-- JobInactivityTimeout-Editable-Begin -->

windows/client-management/mdm/policy-csp-browser.md

@@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/24/2022
+ms.date: 01/04/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
 
 <!-- Browser-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](/deployedge/configure-edge-with-mdm).
 <!-- Browser-Editable-End -->
 
 <!-- AllowAddressBarDropdown-Begin -->
@@ -43,7 +45,7 @@ ms.topic: reference
 <!-- Description-Source-ADMX -->
 This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
 
-Note: Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.
+**Note**: Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.
 
 If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge.
 
@@ -165,10 +167,10 @@ If you don't configure this setting, employees can choose whether to use Autofil
 **Verify**:
 To verify AllowAutofill is set to 0 (not allowed):
 
-1.  Open Microsoft Edge.
+1. Open Microsoft Edge.
-2.  In the upper-right corner of the browser, click **…**.
+2. In the upper-right corner of the browser, click **…**.
-3.  Click **Settings** in the dropdown list, and select **View Advanced Settings**.
+3. Click **Settings** in the dropdown list, and select **View Advanced Settings**.
-4.  Verify the setting **Save form entries** is grayed out.
+4. Verify the setting **Save form entries** is grayed out.
 <!-- AllowAutofill-Examples-End -->
 
 <!-- AllowAutofill-End -->
@@ -1323,7 +1325,7 @@ If disabled, the browsing history stops saving and is not visible in the History
 <!-- Description-Source-ADMX -->
 This policy setting lets you decide whether users can change their search engine. If you disable this setting, users can't add new search engines or change the default used in the address bar.
 
-Important
+**Important**:
 This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
 
 If you enable or don't configure this policy, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings.
@@ -2118,7 +2120,7 @@ The Home button loads either the default Start page, the New tab page, or a URL
 
 <!-- ConfigureKioskMode-Description-Begin -->
 <!-- Description-Source-DDF -->
-Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (<https://aka.ms/E489vw)>. If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.
+Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (<https://aka.ms/E489. vw)>. If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.
 <!-- ConfigureKioskMode-Description-End -->
 
 <!-- ConfigureKioskMode-Editable-Begin -->
@@ -2586,7 +2588,7 @@ This setting lets you configure whether your company uses Enterprise Mode and th
 
 <!-- EnterpriseSiteListServiceUrl-Description-Begin -->
 <!-- Description-Source-DDF -->
-Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead.
+**Important**: . Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead.
 <!-- EnterpriseSiteListServiceUrl-Description-End -->
 
 <!-- EnterpriseSiteListServiceUrl-Editable-Begin -->
@@ -2673,7 +2675,7 @@ Configure first run URL.
 
 <!-- HomePages-Description-Begin -->
 <!-- Description-Source-DDF -->
-When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `<support.contoso.com>` `<support.microsoft.com>` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `<about:blank>` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages
+When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format:  `<support.contoso.com>` `<support.microsoft.com>` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `<about:blank>` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages
 <!-- HomePages-Description-End -->
 
 <!-- HomePages-Editable-Begin -->
@@ -2734,7 +2736,7 @@ This policy setting lets you decide whether employees can add, import, sort, or
 
 If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
 
-Important
+**Important**:
 Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
 
 If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
@@ -3230,7 +3232,7 @@ If you disable or don't configure this setting, employees can ignore Windows Def
 
 <!-- PreventTurningOffRequiredExtensions-Description-Begin -->
 <!-- Description-Source-DDF -->
-You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN (<https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)> - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (<https://docs.microsoft.com/intune/windows-store-for-business)> - How to assign apps to groups with Microsoft Intune (<https://docs.microsoft.com/intune/apps-deploy)> - Manage apps from the Microsoft Store for Business with System Center Configuration Manager (<https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)> - How to add Windows line-of-business (LOB) apps to Microsoft Intune (<https://docs.microsoft.com/intune/lob-apps-windows)>
+You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8. wekyb3. d8. bbwe;Microsoft.OfficeOnline_8. wekyb3. d8. bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN (<https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)> - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (<https://docs.microsoft.com/intune/windows-store-for-business)> - How to assign apps to groups with Microsoft Intune (<https://docs.microsoft.com/intune/apps-deploy)> - Manage apps from the Microsoft Store for Business with System Center Configuration Manager (<https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)> - How to add Windows line-of-business (LOB) apps to Microsoft Intune (<https://docs.microsoft.com/intune/lob-apps-windows)>
 <!-- PreventTurningOffRequiredExtensions-Description-End -->
 
 <!-- PreventTurningOffRequiredExtensions-Editable-Begin -->

windows/client-management/mdm/policy-csp-connectivity.md

@@ -4,7 +4,7 @@ description: Learn more about the Connectivity Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/27/2022
+ms.date: 01/04/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - Connectivity
 
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
@@ -194,13 +192,12 @@ If this policy setting is not configured or is disabled, clients are allowed to
 <!-- AllowCellularDataRoaming-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Validate**:
-To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
 
-To validate on devices, perform the following steps:
+To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. To validate on a device, perform the following steps:
 
-1.  Go to Cellular & SIM.
+1. Go to Cellular & SIM.
-2.  Click on the SIM (next to the signal strength icon) and select **Properties**.
+2. Click on the SIM (next to the signal strength icon) and select **Properties**.
-3.  On the Properties page, select **Data roaming options**.
+3. On the Properties page, select **Data roaming options**.
 <!-- AllowCellularDataRoaming-Examples-End -->
 
 <!-- AllowCellularDataRoaming-End -->
@@ -222,7 +219,7 @@ To validate on devices, perform the following steps:
 
 <!-- AllowConnectedDevices-Description-Begin -->
 <!-- Description-Source-DDF -->
-Note This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
+**Note**: This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
 <!-- AllowConnectedDevices-Description-End -->
 
 <!-- AllowConnectedDevices-Editable-Begin -->
@@ -373,7 +370,6 @@ If you do not configure this policy setting, the default behavior depends on the
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Validate**:
 
-
 If the Connectivity/AllowPhonePCLinking policy is configured to value 0, add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number.
 
 Device that has previously opt-in to MMX will also stop showing on the device list.
@@ -398,7 +394,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li
 
 <!-- AllowUSBConnection-Description-Begin -->
 <!-- Description-Source-DDF -->
-NoteCurrently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0.
+**Note**: Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0.
 <!-- AllowUSBConnection-Description-End -->
 
 <!-- AllowUSBConnection-Editable-Begin -->
@@ -549,7 +545,7 @@ This policy setting specifies whether to allow printing over HTTP from this clie
 
 Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
 
-Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
+**Note**: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
 
 If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP.
 
@@ -573,13 +569,13 @@ Also, see the "Web-based printing" policy setting in Computer Configuration/Admi
 
 <!-- DiablePrintingOverHTTP-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | DisableHTTPPrinting |
+| Name | DisableHTTPPrinting_2 |
 | Friendly Name | Turn off printing over HTTP |
 | Location | Computer Configuration |
 | Path | InternetManagement > Internet Communication settings |
@@ -615,7 +611,7 @@ This policy setting specifies whether to allow this client to download print dri
 
 To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.
 
-Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally.
+**Note**: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally.
 
 If you enable this policy setting, print drivers cannot be downloaded over HTTP.
 
@@ -637,13 +633,13 @@ If you disable or do not configure this policy setting, users can download print
 
 <!-- DisableDownloadingOfPrintDriversOverHTTP-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | DisableWebPnPDownload |
+| Name | DisableWebPnPDownload_2 |
 | Friendly Name | Turn off downloading of print drivers over HTTP |
 | Location | Computer Configuration |
 | Path | InternetManagement > Internet Communication settings |
@@ -701,13 +697,13 @@ See the documentation for the web publishing and online ordering wizards for mor
 
 <!-- DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | ShellPreventWPWDownload |
+| Name | ShellPreventWPWDownload_2 |
 | Friendly Name | Turn off Internet download for Web publishing and online ordering wizards |
 | Location | Computer Configuration |
 | Path | InternetManagement > Internet Communication settings |
@@ -828,7 +824,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths
 
 <!-- HardenedUNCPaths-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -867,7 +863,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths
 <!-- Description-Source-ADMX -->
 Determines whether a user can install and configure the Network Bridge.
 
-Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.
+**Important**: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.
 
 The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder.
 
@@ -889,7 +885,7 @@ If you disable this setting or do not configure it, the user will be able to cre
 
 <!-- ProhibitInstallationAndConfigurationOfNetworkBridge-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 

windows/client-management/mdm/policy-csp-dataprotection.md

@@ -4,7 +4,7 @@ description: Learn more about the DataProtection Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/27/2022
+ms.date: 01/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -37,7 +37,7 @@ ms.topic: reference
 
 <!-- AllowDirectMemoryAccess-Description-Begin -->
 <!-- Description-Source-DDF -->
-This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker Device Encryption is enabled. Most restricted value is 0.
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. Most restricted value is 0.
 <!-- AllowDirectMemoryAccess-Description-End -->
 
 <!-- AllowDirectMemoryAccess-Editable-Begin -->

windows/client-management/mdm/policy-csp-datausage.md

@@ -59,6 +59,8 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti
 
 <!-- SetCost3G-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> This policy is deprecated.
 <!-- SetCost3G-Editable-End -->
 
 <!-- SetCost3G-DFProperties-Begin -->

windows/client-management/mdm/policy-csp-deliveryoptimization.md

@@ -4,7 +4,7 @@ description: Learn more about the DeliveryOptimization Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/27/2022
+ms.date: 01/05/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - DeliveryOptimization
 
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
@@ -102,10 +100,8 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the
 <!-- DOAllowVPNPeerCaching-OmaUri-End -->
 
 <!-- DOAllowVPNPeerCaching-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network.
+Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
-
-This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
 <!-- DOAllowVPNPeerCaching-Description-End -->
 
 <!-- DOAllowVPNPeerCaching-Editable-Begin -->
@@ -239,6 +235,8 @@ If this policy is not configured, the client will attempt to automatically find
 
 <!-- DOCacheHostSource-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#docachehost) policy value if that value has been set.
 <!-- DOCacheHostSource-Editable-End -->
 
 <!-- DOCacheHostSource-DFProperties-Begin -->
@@ -293,7 +291,7 @@ This policy allows you to delay the use of an HTTP source in a background downlo
 
 After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers.
 
-Note that a download that is waiting for peer sources, will appear to be stuck for the end user.
+**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user.
 
 The recommended value is 1 hour (3600).
 <!-- DODelayBackgroundDownloadFromHttp-Description-End -->
@@ -349,10 +347,10 @@ The recommended value is 1 hour (3600).
 <!-- DODelayCacheServerFallbackBackground-OmaUri-End -->
 
 <!-- DODelayCacheServerFallbackBackground-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Set this policy to delay the fallback from Cache Server to the HTTP source for a background content download by X seconds.
+Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download.
 
-Note: if you set the policy to delay background download from http, it will apply first (to allow downloads from peers first).
+**Note** that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
 <!-- DODelayCacheServerFallbackBackground-Description-End -->
 
 <!-- DODelayCacheServerFallbackBackground-Editable-Begin -->
@@ -406,10 +404,10 @@ Note: if you set the policy to delay background download from http, it will appl
 <!-- DODelayCacheServerFallbackForeground-OmaUri-End -->
 
 <!-- DODelayCacheServerFallbackForeground-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Set this policy to delay the fallback from Cache Server to the HTTP source for a foreground content download by X seconds.
+Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download.
 
-Note: if you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first).
+**Note** that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
 <!-- DODelayCacheServerFallbackForeground-Description-End -->
 
 <!-- DODelayCacheServerFallbackForeground-Editable-Begin -->
@@ -468,7 +466,7 @@ This policy allows you to delay the use of an HTTP source in a foreground (inter
 
 After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers.
 
-Note that a download that is waiting for peer sources, will appear to be stuck for the end user.
+**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user.
 
 The recommended value is 1 minute (60).
 <!-- DODelayForegroundDownloadFromHttp-Description-End -->
@@ -583,22 +581,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
 <!-- DODownloadMode-OmaUri-End -->
 
 <!-- DODownloadMode-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
+Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1.
-
-The following list shows the supported values:
-
-0 = HTTP only, no peering.
-
-1 = HTTP blended with peering behind the same NAT.
-
-2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
-
-3 = HTTP blended with Internet Peering.
-
-99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.
-
-100 = Bypass mode. Windows 10: Do not use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead.
 <!-- DODownloadMode-Description-End -->
 
 <!-- DODownloadMode-Editable-Begin -->
@@ -669,7 +653,7 @@ Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that
 
 Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN.
 
-Note: this is a best effort optimization and should not be relied on for an authentication of identity.
+**Note** this is a best effort optimization and should not be relied on for an authentication of identity.
 <!-- DOGroupId-Description-End -->
 
 <!-- DOGroupId-Editable-Begin -->
@@ -721,30 +705,14 @@ Note: this is a best effort optimization and should not be relied on for an auth
 <!-- DOGroupIdSource-OmaUri-End -->
 
 <!-- DOGroupIdSource-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Set this policy to restrict peer selection to a specific source.
+Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
-
-Options available are:
-
-1 = AD Site.
-
-2 = Authenticated domain SID.
-
-3 = DHCP Option ID.
-
-4 = DNS Suffix.
-
-5 = AAD Tenant ID.
-
-When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set.
-
-The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored.
-
-For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
 <!-- DOGroupIdSource-Description-End -->
 
 <!-- DOGroupIdSource-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead.
 <!-- DOGroupIdSource-Editable-End -->
 
 <!-- DOGroupIdSource-DFProperties-Begin -->
@@ -863,10 +831,8 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
 <!-- DOMaxCacheAge-OmaUri-End -->
 
 <!-- DOMaxCacheAge-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.
+Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days).
-
-The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded.
 <!-- DOMaxCacheAge-Description-End -->
 
 <!-- DOMaxCacheAge-Editable-Begin -->
@@ -920,8 +886,8 @@ The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files
 <!-- DOMaxCacheSize-OmaUri-End -->
 
 <!-- DOMaxCacheSize-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Specifies the maximum cache size that Delivery Optimization uses as a percentage of available disk size (1-100).
+Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20.
 <!-- DOMaxCacheSize-Description-End -->
 
 <!-- DOMaxCacheSize-Editable-Begin -->
@@ -1032,10 +998,8 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
 <!-- DOMinBackgroundQos-OmaUri-End -->
 
 <!-- DOMinBackgroundQos-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Specifies the minimum download QoS (Quality of Service or speed) for background downloads in KiloBytes/second.
+Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s).
-
-This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from HTTP source to achieve the specified minimum QoS value.
 <!-- DOMinBackgroundQos-Description-End -->
 
 <!-- DOMinBackgroundQos-Editable-Begin -->
@@ -1207,10 +1171,8 @@ Note: If the DOModifyCacheDrive policy is set, the disk size check will apply to
 <!-- DOMinFileSizeToCache-OmaUri-End -->
 
 <!-- DOMinFileSizeToCache-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Specifies the minimum content file size in MB enabled to use Peer Caching.
+Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB.
-
-Recommended values: 1 MB to 100000 MB.
 <!-- DOMinFileSizeToCache-Description-End -->
 
 <!-- DOMinFileSizeToCache-Editable-Begin -->
@@ -1264,12 +1226,8 @@ Recommended values: 1 MB to 100000 MB.
 <!-- DOMinRAMAllowedToPeer-OmaUri-End -->
 
 <!-- DOMinRAMAllowedToPeer-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Specifies the minimum RAM size in GB required to use Peer Caching.
+Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB.
-
-For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching.
-
-Recommended values: 1 GB to 4 GB.
 <!-- DOMinRAMAllowedToPeer-Description-End -->
 
 <!-- DOMinRAMAllowedToPeer-Editable-Begin -->
@@ -1378,10 +1336,8 @@ By default, %SystemDrive% is used to store the cache. The drive location can be
 <!-- DOMonthlyUploadDataCap-OmaUri-End -->
 
 <!-- DOMonthlyUploadDataCap-Description-Begin -->
-<!-- Description-Source-ADMX -->
+<!-- Description-Source-DDF-Forced -->
-Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
+Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit is applied if 0 is set. The default value is 5120 (5 TB).
-
-The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
 <!-- DOMonthlyUploadDataCap-Description-End -->
 
 <!-- DOMonthlyUploadDataCap-Editable-Begin -->
@@ -1566,6 +1522,9 @@ These options apply to both Download Mode LAN (1) and Group (2).
 
 <!-- DORestrictPeerSelectionBy-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
+
+In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. The default value in Windows 11 is set to 'Local Peer Discovery'. The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds.
 <!-- DORestrictPeerSelectionBy-Editable-End -->
 
 <!-- DORestrictPeerSelectionBy-DFProperties-Begin -->
@@ -1643,7 +1602,7 @@ Specifies the maximum background download bandwidth that Delivery Optimization u
 
 <!-- DOSetHoursToLimitBackgroundDownloadBandwidth-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -1703,7 +1662,7 @@ This policy allows an IT Admin to define the following details:
 
 <!-- DOSetHoursToLimitForegroundDownloadBandwidth-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 

windows/client-management/mdm/policy-csp-desktopappinstaller.md

@@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/29/2022
+ms.date: 01/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - DesktopAppInstaller
 
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
@@ -46,11 +44,11 @@ ms.topic: reference
 <!-- Description-Source-ADMX -->
 This policy controls additional sources provided by the enterprise IT administrator.
 
-If you do not configure this policy, no additional sources will be configured for the Windows Package Manager.
+If you do not configure this policy, no additional sources will be configured for the [Windows Package Manager](/windows/package-manager/).
 
-If you enable this policy, the additional sources will be added to the Windows Package Manager and cannot be removed. The representation for each additional source can be obtained from installed sources using 'winget source export'.
+If you enable this policy, the additional sources will be added to the [Windows Package Manager](/windows/package-manager/) and cannot be removed. The representation for each additional source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'.
 
-If you disable this policy, no additional sources can be configured for the Windows Package Manager.
+If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/).
 <!-- EnableAdditionalSources-Description-End -->
 
 <!-- EnableAdditionalSources-Editable-Begin -->
@@ -68,7 +66,7 @@ If you disable this policy, no additional sources can be configured for the Wind
 
 <!-- EnableAdditionalSources-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -110,9 +108,9 @@ This policy controls additional sources allowed by the enterprise IT administrat
 
 If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy.
 
-If you enable this policy, only the sources specified can be added or removed from the Windows Package Manager. The representation for each allowed source can be obtained from installed sources using 'winget source export'.
+If you enable this policy, only the sources specified can be added or removed from the [Windows Package Manager](/windows/package-manager/). The representation for each allowed source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'.
 
-If you disable this policy, no additional sources can be configured for the Windows Package Manager.
+If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/).
 <!-- EnableAllowedSources-Description-End -->
 
 <!-- EnableAllowedSources-Editable-Begin -->
@@ -130,7 +128,7 @@ If you disable this policy, no additional sources can be configured for the Wind
 
 <!-- EnableAllowedSources-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -168,11 +166,11 @@ If you disable this policy, no additional sources can be configured for the Wind
 
 <!-- EnableAppInstaller-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy controls whether the Windows Package Manager can be used by users.
+This policy controls whether the [Windows Package Manager](/windows/package-manager/) can be used by users.
 
-If you enable or do not configure this setting, users will be able to use the Windows Package Manager.
+If you enable or do not configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/).
 
-If you disable this setting, users will not be able to use the Windows Package Manager.
+If you disable this setting, users will not be able to use the [Windows Package Manager](/windows/package-manager/).
 <!-- EnableAppInstaller-Description-End -->
 
 <!-- EnableAppInstaller-Editable-Begin -->
@@ -191,7 +189,7 @@ Users will still be able to execute the *winget* command. The default help will
 
 <!-- EnableAppInstaller-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -229,13 +227,13 @@ Users will still be able to execute the *winget* command. The default help will
 
 <!-- EnableDefaultSource-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy controls the default source included with the Windows Package Manager.
+This policy controls the default source included with the [Windows Package Manager](/windows/package-manager/).
 
-If you do not configure this setting, the default source for the Windows Package Manager will be available and can be removed.
+If you do not configure this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and can be removed.
 
-If you enable this setting, the default source for the Windows Package Manager will be available and cannot be removed.
+If you enable this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed.
 
-If you disable this setting the default source for the Windows Package Manager will not be available.
+If you disable this setting the default source for the [Windows Package Manager](/windows/package-manager/) will not be available.
 <!-- EnableDefaultSource-Description-End -->
 
 <!-- EnableDefaultSource-Editable-Begin -->
@@ -253,7 +251,7 @@ If you disable this setting the default source for the Windows Package Manager w
 
 <!-- EnableDefaultSource-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -291,11 +289,11 @@ If you disable this setting the default source for the Windows Package Manager w
 
 <!-- EnableExperimentalFeatures-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy controls whether users can enable experimental features in the Windows Package Manager.
+This policy controls whether users can enable experimental features in the [Windows Package Manager](/windows/package-manager/).
 
-If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager.
+If you enable or do not configure this setting, users will be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/).
 
-If you disable this setting, users will not be able to enable experimental features for the Windows Package Manager.
+If you disable this setting, users will not be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/).
 <!-- EnableExperimentalFeatures-Description-End -->
 
 <!-- EnableExperimentalFeatures-Editable-Begin -->
@@ -314,7 +312,7 @@ Experimental features are used during Windows Package Manager development cycle
 
 <!-- EnableExperimentalFeatures-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -352,11 +350,11 @@ Experimental features are used during Windows Package Manager development cycle
 
 <!-- EnableHashOverride-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings.
+This policy controls whether or not the [Windows Package Manager](/windows/package-manager/) can be configured to enable the ability override the SHA256 security validation in settings.
 
-If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings.
+If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings.
 
-If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings.
+If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings.
 <!-- EnableHashOverride-Description-End -->
 
 <!-- EnableHashOverride-Editable-Begin -->
@@ -374,7 +372,7 @@ If you disable this policy, users will not be able to enable the ability overrid
 
 <!-- EnableHashOverride-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -414,9 +412,9 @@ If you disable this policy, users will not be able to enable the ability overrid
 <!-- Description-Source-ADMX -->
 This policy controls whether users can install packages with local manifest files.
 
-If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
+If you enable or do not configure this setting, users will be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/).
 
-If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager.
+If you disable this setting, users will not be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/).
 <!-- EnableLocalManifestFiles-Description-End -->
 
 <!-- EnableLocalManifestFiles-Editable-Begin -->
@@ -434,7 +432,7 @@ If you disable this setting, users will not be able to install packages with loc
 
 <!-- EnableLocalManifestFiles-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -472,13 +470,13 @@ If you disable this setting, users will not be able to install packages with loc
 
 <!-- EnableMicrosoftStoreSource-Description-Begin -->
 <!-- Description-Source-ADMX -->
-This policy controls the Microsoft Store source included with the Windows Package Manager.
+This policy controls the Microsoft Store source included with the [Windows Package Manager](/windows/package-manager/).
 
 If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
 
-If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available and cannot be removed.
+If you enable this setting, the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed.
 
-If you disable this setting the Microsoft Store source for the Windows Package Manager will not be available.
+If you disable this setting the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will not be available.
 <!-- EnableMicrosoftStoreSource-Description-End -->
 
 <!-- EnableMicrosoftStoreSource-Editable-Begin -->
@@ -496,7 +494,7 @@ If you disable this setting the Microsoft Store source for the Windows Package M
 
 <!-- EnableMicrosoftStoreSource-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -556,7 +554,7 @@ If you disable this setting, users will not be able to install packages from web
 
 <!-- EnableMSAppInstallerProtocol-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -596,9 +594,9 @@ If you disable this setting, users will not be able to install packages from web
 <!-- Description-Source-ADMX -->
 This policy controls whether users can change their settings.
 
-If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager.
+If you enable or do not configure this setting, users will be able to change settings for the [Windows Package Manager](/windows/package-manager/).
 
-If you disable this setting, users will not be able to change settings for the Windows Package Manager.
+If you disable this setting, users will not be able to change settings for the [Windows Package Manager](/windows/package-manager/).
 <!-- EnableSettings-Description-End -->
 
 <!-- EnableSettings-Editable-Begin -->
@@ -617,7 +615,7 @@ The settings are stored inside of a .json file on the user’s system. It may be
 
 <!-- EnableSettings-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -657,13 +655,14 @@ The settings are stored inside of a .json file on the user’s system. It may be
 <!-- Description-Source-ADMX -->
 This policy controls the auto update interval for package-based sources.
 
-If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the Windows Package Manager.
+If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/).
 
-If you enable this setting, the number of minutes specified will be used by the Windows Package Manager.
+If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/).
 <!-- SourceAutoUpdateInterval-Description-End -->
 
 <!-- SourceAutoUpdateInterval-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
 <!-- SourceAutoUpdateInterval-Editable-End -->
 
 <!-- SourceAutoUpdateInterval-DFProperties-Begin -->
@@ -677,7 +676,7 @@ If you enable this setting, the number of minutes specified will be used by the
 
 <!-- SourceAutoUpdateInterval-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 

windows/client-management/mdm/policy-csp-deviceinstallation.md

@@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/29/2022
+ms.date: 01/05/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - DeviceInstallation
 
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
@@ -76,7 +74,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv
 
 <!-- AllowInstallationOfMatchingDeviceIDs-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -176,7 +174,7 @@ Peripherals can be specified by their [device instance ID](/windows-hardware/dri
 
 <!-- AllowInstallationOfMatchingDeviceInstanceIDs-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -215,7 +213,11 @@ To enable this policy, use the following SyncML.
     </SyncBody>
 </SyncML>
 ```
+
+**Verify**:
+
 To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
+
 ``` txt
 >>>  [Device Installation Restrictions Policy Check]
 >>>  Section start 2018/11/15 12:26:41.659
@@ -276,7 +278,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv
 
 <!-- AllowInstallationOfMatchingDeviceSetupClasses-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -303,7 +305,6 @@ To enable this policy, use the following SyncML. This example allows Windows to
 
 Enclose the class GUID within curly brackets {}. To configure multiple classes, use `&#xF000;` as a delimiter.
 
-
 ```xml
 <SyncML>
     <SyncBody>
@@ -322,11 +323,11 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
     </SyncBody>
 </SyncML>
 ```
+
 **Verify**:
 
 To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
 
-
 ```txt
 >>>  [Device Installation Restrictions Policy Check]
 >>>  Section start 2018/11/15 12:26:41.659
@@ -359,18 +360,22 @@ This policy setting will change the evaluation order in which Allow and Prevent
 Device instance IDs > Device IDs > Device setup class > Removable devices
 
 Device instance IDs
+
 1. Prevent installation of devices using drivers that match these device instance IDs
 2. Allow installation of devices using drivers that match these device instance IDs
 
 Device IDs
+
 3. Prevent installation of devices using drivers that match these device IDs
 4. Allow installation of devices using drivers that match these device IDs
 
 Device setup class
+
 5. Prevent installation of devices using drivers that match these device setup classes
 6. Allow installation of devices using drivers that match these device setup classes
 
 Removable devices
+
 7. Prevent installation of removable devices
 
 NOTE: This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
@@ -393,7 +398,7 @@ If you disable or do not configure this policy setting, the default evaluation i
 
 <!-- EnableInstallationPolicyLayering-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -430,6 +435,7 @@ If you disable or do not configure this policy setting, the default evaluation i
     </SyncBody>
 </SyncML>
 ```
+
 **Verify**:
 
 To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
@@ -444,8 +450,6 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
 You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
 
 :::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image.":::
-
-
 <!-- EnableInstallationPolicyLayering-Examples-End -->
 
 <!-- EnableInstallationPolicyLayering-End -->
@@ -489,7 +493,7 @@ If you disable or do not configure this policy setting, the setting in the Devic
 
 <!-- PreventDeviceMetadataFromNetwork-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -551,7 +555,7 @@ If you disable or do not configure this policy setting, Windows is allowed to in
 
 <!-- PreventInstallationOfDevicesNotDescribedByOtherPolicySettings-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -651,7 +655,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv
 
 <!-- PreventInstallationOfMatchingDeviceIDs-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -670,8 +674,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
 **Example**:
 
-To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use <code>&amp;#xF000;</code> as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true.
+To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `&amp;#xF000;` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true.
-
 
 ```xml
 <SyncML>
@@ -752,7 +755,7 @@ Peripherals can be specified by their [device instance ID](/windows-hardware/dri
 
 <!-- PreventInstallationOfMatchingDeviceInstanceIDs-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -792,7 +795,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
 </SyncML>
 ```
 
-**Verify**
+**Verify**:
 
 To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log:
 
@@ -812,15 +815,12 @@ For example, this custom profile prevents installation of devices with matching
 To prevent installation of devices with matching device instance IDs by using custom profile in Intune:
 
 1. Locate the device instance ID.
-2. Replace `&` in the device instance IDs with `&amp;`.
+1. Replace `&` in the device instance IDs with `&amp;`. For example: Replace `USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0` with `USBSTOR\DISK&amp;VEN_SAMSUNG&amp;PROD_FLASH_DRIVE&amp;REV_1100\0376319020002347&amp;0`.
-For example:
+
-Replace
+    > [!NOTE]
-```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0```
+    > Don't use spaces in the value.
-with
+
-```USBSTOR\DISK&amp;VEN_SAMSUNG&amp;PROD_FLASH_DRIVE&amp;REV_1100\0376319020002347&amp;0```
+1. Replace the device instance IDs with `&amp;` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile.
-    > [!Note]
-    > don't use spaces in the value.
-3. Replace the device instance IDs with `&amp;` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile.
 
 <!-- PreventInstallationOfMatchingDeviceInstanceIDs-Examples-End -->
 
@@ -868,7 +868,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv
 
 <!-- PreventInstallationOfMatchingDeviceSetupClasses-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 

windows/client-management/mdm/policy-csp-devicelock.md

@@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/29/2022
+ms.date: 01/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,15 +17,13 @@ ms.topic: reference
 # Policy CSP - DeviceLock
 
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
 <!-- DeviceLock-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-[!Important]
+> [!IMPORTANT]
 > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types).
 
 <!-- DeviceLock-Editable-End -->
@@ -156,10 +154,10 @@ Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the de
 
 <!-- AllowSimpleDevicePassword-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+
 > [!NOTE]
 > This policy must be wrapped in an Atomic command.
-
-For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
 <!-- AllowSimpleDevicePassword-Editable-End -->
 
 <!-- AllowSimpleDevicePassword-DFProperties-Begin -->
@@ -211,16 +209,11 @@ Determines the type of PIN or password required. This policy only applies if the
 <!-- AlphanumericDevicePasswordRequired-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> This policy must be wrapped in an Atomic command.
+> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
->
+> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
-> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education).
-
-
 
 > [!NOTE]
-> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
+> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education).
->
-> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
 <!-- AlphanumericDevicePasswordRequired-Editable-End -->
 
 <!-- AlphanumericDevicePasswordRequired-DFProperties-Begin -->
@@ -246,48 +239,6 @@ Determines the type of PIN or password required. This policy only applies if the
 
 <!-- AlphanumericDevicePasswordRequired-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
->
-> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
-
-
-
-Max policy value is the most restricted.
-
-For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
-
-<!--/Description-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   An integer X where 4 &lt;= X &lt;= 16 for client devices. However, local accounts will always enforce a minimum password length of 6.
--   Not enforced.
--   The default value is 4 for client devices.
-
-<!--/SupportedValues-->
-<!--Example-->
-The following example shows how to set the minimum password length to 4 characters.
-
-```xml
-<SyncML xmlns="SYNCML:SYNCML1.2">
-    <SyncBody>
-        <Replace>
-            <CmdID>$CmdID$</CmdID>
-            <Item>
-                <Target>
-                    <LocURI>./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength</LocURI>
-                </Target>
-                <Meta>
-                    <Format xmlns="syncml:metinf">int</Format>
-                </Meta>
-                <Data>4</Data>
-            </Item>
-        </Replace>
-        <Final/>
-    </SyncBody>
-</SyncML>
-```
 <!-- AlphanumericDevicePasswordRequired-Examples-End -->
 
 <!-- AlphanumericDevicePasswordRequired-End -->
@@ -309,7 +260,8 @@ The following example shows how to set the minimum password length to 4 characte
 
 <!-- ClearTextPassword-Description-Begin -->
 <!-- Description-Source-DDF -->
-Store passwords using reversible encryption This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).
+Store passwords using reversible encryption
+This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).
 <!-- ClearTextPassword-Description-End -->
 
 <!-- ClearTextPassword-Editable-Begin -->
@@ -365,43 +317,38 @@ Specifies whether device lock is enabled.
 <!-- DevicePasswordEnabled-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 > [!NOTE]
-> This policy must be wrapped in an Atomic command.
+> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions.
->
-> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
 
 > [!IMPORTANT]
 > The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
 >
-> -   AllowSimpleDevicePassword
+> - AllowSimpleDevicePassword
-> -   MinDevicePasswordLength
+> - MinDevicePasswordLength
-> -   AlphanumericDevicePasswordRequired
+> - AlphanumericDevicePasswordRequired
-> -   MaxDevicePasswordFailedAttempts
+> - MaxDevicePasswordFailedAttempts
-> -   MaxInactivityTimeDeviceLock
+> - MaxInactivityTimeDeviceLock
-> -   MinDevicePasswordComplexCharacters
+> - MinDevicePasswordComplexCharacters
-&nbsp;
+>
-
-> [!IMPORTANT]
 > If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set:
 >
-> -   MinDevicePasswordLength is set to 4
+> - MinDevicePasswordLength is set to 4
-> -   MinDevicePasswordComplexCharacters is set to 1
+> - MinDevicePasswordComplexCharacters is set to 1
 >
 > If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0:
 >
-> -   MinDevicePasswordLength
+> - MinDevicePasswordLength
-> -   MinDevicePasswordComplexCharacters
+> - MinDevicePasswordComplexCharacters
-
+>
-> [!Important]
+> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for backward compatibility with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1), it should be the only policy set from the DeviceLock group of policies listed below:
-> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
+>
-> - **DevicePasswordEnabled** is the parent policy of the following:
+> - AllowSimpleDevicePassword
->   - AllowSimpleDevicePassword
+> - MinDevicePasswordLength
->   - MinDevicePasswordLength
+> - AlphanumericDevicePasswordRequired
->   - AlphanumericDevicePasswordRequired
+> - MinDevicePasswordComplexCharacters
->   - MinDevicePasswordComplexCharacters
+> - DevicePasswordExpiration
->   - DevicePasswordExpiration
+> - DevicePasswordHistory
->   - DevicePasswordHistory
+> - MaxDevicePasswordFailedAttempts
->   - MaxDevicePasswordFailedAttempts
+> - MaxInactivityTimeDeviceLock
->   - MaxInactivityTimeDeviceLock
 
 <!-- DevicePasswordEnabled-Editable-End -->
 
@@ -452,6 +399,10 @@ Specifies when the password expires (in days).
 
 <!-- DevicePasswordExpiration-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+If all policy values = 0, then 0; otherwise, Min policy value is the most secure value.
+
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
+
 > [!NOTE]
 > This policy must be wrapped in an Atomic command.
 <!-- DevicePasswordExpiration-Editable-End -->
@@ -470,20 +421,6 @@ Specifies when the password expires (in days).
 
 <!-- DevicePasswordExpiration-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-If all policy values = 0, then 0; otherwise, Min policy value is the most secure value.
-
-For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
-
-<!--/Description-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   An integer X where 0 &lt;= X &lt;= 730.
--   0 (default) - Passwords don't expire.
 <!-- DevicePasswordExpiration-Examples-End -->
 
 <!-- DevicePasswordExpiration-End -->
@@ -510,21 +447,14 @@ Specifies how many passwords can be stored in the history that can’t be used.
 
 <!-- DevicePasswordHistory-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
 The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords.
 
 Max policy value is the most restricted.
 
 For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
 
-<!--/Description-->
+> [!NOTE]
-<!--SupportedValues-->
+> This policy must be wrapped in an Atomic command.
-The following list shows the supported values:
-
--   An integer X where 0 &lt;= X &lt;= 50.
--   0 (default)
 <!-- DevicePasswordHistory-Editable-End -->
 
 <!-- DevicePasswordHistory-DFProperties-Begin -->
@@ -641,15 +571,11 @@ Specifies the default lock screen and logon image shown when no user is signed i
 <!-- Description-Source-DDF -->
 The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
 
-**Note**: This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see Exchange ActiveSync Policy Engine Overview.
+**Note**: This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
 <!-- MaxDevicePasswordFailedAttempts-Description-End -->
 
 <!-- MaxDevicePasswordFailedAttempts-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-The following list shows the supported values:
-
--   An integer X where 4 &lt;= X &lt;= 16 for client devices.
--   0 (default) - The device is never wiped after an incorrect PIN or password is entered.
 <!-- MaxDevicePasswordFailedAttempts-Editable-End -->
 
 <!-- MaxDevicePasswordFailedAttempts-DFProperties-Begin -->
@@ -687,9 +613,7 @@ The following list shows the supported values:
 
 <!-- MaximumPasswordAge-Description-Begin -->
 <!-- Description-Source-DDF -->
-This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.
+This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42.
-
-**Note**:  It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42.
 <!-- MaximumPasswordAge-Description-End -->
 
 <!-- MaximumPasswordAge-Editable-Begin -->
@@ -744,6 +668,12 @@ The number of authentication failures allowed before the device will be wiped. A
 
 <!-- MaxInactivityTimeDeviceLock-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
+
+On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
 <!-- MaxInactivityTimeDeviceLock-Editable-End -->
 
 <!-- MaxInactivityTimeDeviceLock-DFProperties-Begin -->
@@ -827,45 +757,32 @@ The number of complex element types (uppercase and lowercase letters, numbers, a
 
 <!-- MinDevicePasswordComplexCharacters-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-> [!NOTE]
+The following list shows the supported values and actual enforced values:
-> This policy must be wrapped in an Atomic command.
->
-> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
-
-PIN enforces the following behavior for client devices:
-
--   1 - Digits only
--   2 - Digits and lowercase letters are required
--   3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts.
--   4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens.
-
-The default value is 1. The following list shows the supported values and actual enforced values:
-
-|Account Type|Supported Values|Actual Enforced Values|
-|--- |--- |--- |
-|Local Accounts|1,2,3|3|
-|Microsoft Accounts|1,2|&lt;p2|
-|Domain Accounts|Not supported|Not supported|
 
+| Account Type       | Supported Values | Actual Enforced Values |
+|--------------------|------------------|------------------------|
+| Local Accounts     | 1,2,3            | 3                      |
+| Microsoft Accounts | 1,2              | &lt;p2                 |
+| Domain Accounts    | Not supported    | Not supported          |
 
 Enforced values for Local and Microsoft Accounts:
 
--   Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
+- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
--   Passwords for local accounts must meet the following minimum requirements:
+- Passwords for local accounts must meet the following minimum requirements:
-
+  - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
-    -   Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
+  - Be at least six characters in length
-    -   Be at least six characters in length
+  - Contain characters from three of the following four categories:
-    -   Contain characters from three of the following four categories:
+    - English uppercase characters (A through Z)
-
+    - English lowercase characters (a through z)
-        -   English uppercase characters (A through Z)
+    - Base 10 digits (0 through 9)
-        -   English lowercase characters (a through z)
+    - Special characters (!, $, \#, %, etc.)
-        -   Base 10 digits (0 through 9)
-        -   Special characters (!, $, \#, %, etc.)
 
 The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
 
 For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
 
+> [!NOTE]
+> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions.
 <!-- MinDevicePasswordComplexCharacters-Editable-End -->
 
 <!-- MinDevicePasswordComplexCharacters-DFProperties-Begin -->
@@ -918,7 +835,12 @@ Specifies the minimum number or characters required in the PIN or password.
 
 <!-- MinDevicePasswordLength-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Max policy value is the most restricted.
 
+For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions.
 <!-- MinDevicePasswordLength-Editable-End -->
 
 <!-- MinDevicePasswordLength-DFProperties-Begin -->
@@ -935,27 +857,6 @@ Specifies the minimum number or characters required in the PIN or password.
 
 <!-- MinDevicePasswordLength-Examples-Begin -->
 <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
->
-> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
-
-
-
-Max policy value is the most restricted.
-
-For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
-
-<!--/Description-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   An integer X where 4 &lt;= X &lt;= 16 for client devices. However, local accounts will always enforce a minimum password length of 6.
--   Not enforced.
--   The default value is 4 for client devices.
-
-<!--/SupportedValues-->
-<!--Example-->
 **Example**:
 
 The following example shows how to set the minimum password length to 4 characters.
@@ -1050,11 +951,23 @@ This security setting determines the period of time (in days) that a password mu
 
 <!-- PasswordComplexity-Description-Begin -->
 <!-- Description-Source-DDF -->
-Password must meet complexity requirements This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created.
+Password must meet complexity requirements
+This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created.
 <!-- PasswordComplexity-Description-End -->
 
 <!-- PasswordComplexity-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Password must meet complexity requirements. This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements:
+
+- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
+- Be at least six characters in length
+- Contain characters from three of the following four categories:
+  - English uppercase characters (A through Z)
+  - English lowercase characters (a through z)
+  - Base 10 digits (0 through 9)
+  - Non-alphabetic characters (for example, !, $, #, %)
+
+Complexity requirements are enforced when passwords are changed or created.
 <!-- PasswordComplexity-Editable-End -->
 
 <!-- PasswordComplexity-DFProperties-Begin -->
@@ -1100,9 +1013,8 @@ Password must meet complexity requirements This security setting determines whet
 
 <!-- PasswordHistorySize-Description-Begin -->
 <!-- Description-Source-DDF -->
-Minimum password length This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required.
+Minimum password length
-
+This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. Note: By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting.
-**Note**:  By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting.
 <!-- PasswordHistorySize-Description-End -->
 
 <!-- PasswordHistorySize-Editable-Begin -->
@@ -1174,7 +1086,7 @@ If you enable this setting, users will no longer be able to enable or disable lo
 
 <!-- PreventEnablingLockScreenCamera-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -1234,7 +1146,7 @@ If you enable this setting, users will no longer be able to modify slide show se
 
 <!-- PreventLockScreenSlideShow-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 

windows/client-management/mdm/policy-csp-eventlogservice.md

@@ -4,7 +4,7 @@ description: Learn more about the EventLogService Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 12/29/2022
+ms.date: 01/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - EventLogService
 
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
@@ -50,7 +48,7 @@ If you enable this policy setting and a log file reaches its maximum size, new e
 
 If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
 
-Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
+**Note**: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
 <!-- ControlEventLogBehavior-Description-End -->
 
 <!-- ControlEventLogBehavior-Editable-Begin -->
@@ -68,13 +66,13 @@ Note: Old events may or may not be retained according to the "Backup log automat
 
 <!-- ControlEventLogBehavior-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | Channel_Log_Retention |
+| Name | Channel_Log_Retention_1 |
 | Friendly Name | Control Event Log behavior when the log file reaches its maximum size |
 | Location | Computer Configuration |
 | Path | Windows Components > Event Log Service > Application |
@@ -128,13 +126,13 @@ If you disable or do not configure this policy setting, the maximum size of the
 
 <!-- SpecifyMaximumFileSizeApplicationLog-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | Channel_LogMaxSize |
+| Name | Channel_LogMaxSize_1 |
 | Friendly Name | Specify the maximum log file size (KB) |
 | Location | Computer Configuration |
 | Path | Windows Components > Event Log Service > Application |
@@ -187,13 +185,13 @@ If you disable or do not configure this policy setting, the maximum size of the
 
 <!-- SpecifyMaximumFileSizeSecurityLog-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | Channel_LogMaxSize |
+| Name | Channel_LogMaxSize_2 |
 | Friendly Name | Specify the maximum log file size (KB) |
 | Location | Computer Configuration |
 | Path | Windows Components > Event Log Service > Security |
@@ -246,13 +244,13 @@ If you disable or do not configure this policy setting, the maximum size of the
 
 <!-- SpecifyMaximumFileSizeSystemLog-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | Channel_LogMaxSize |
+| Name | Channel_LogMaxSize_4 |
 | Friendly Name | Specify the maximum log file size (KB) |
 | Location | Computer Configuration |
 | Path | Windows Components > Event Log Service > System |

windows/client-management/mdm/policy-csp-handwriting.md

@@ -42,6 +42,9 @@ The handwriting panel has 2 modes - floats near the text box, or, attached to th
 
 <!-- PanelDefaultModeDocked-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel, to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction.
+
+The docked mode is especially useful in Kiosk mode, where you don't expect the end-user to drag the flying-in panel out of the way.
 <!-- PanelDefaultModeDocked-Editable-End -->
 
 <!-- PanelDefaultModeDocked-DFProperties-Begin -->

windows/client-management/mdm/policy-csp-kerberos.md

@@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/02/2023
+ms.date: 01/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,9 +17,7 @@ ms.topic: reference
 # Policy CSP - Kerberos
 
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
@@ -66,13 +64,13 @@ If you disable or do not configure this policy setting, the Kerberos client does
 
 <!-- AllowForestSearchOrder-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
 | Name | Value |
 |:--|:--|
-| Name | forestsearch |
+| Name | ForestSearch |
 | Friendly Name | Use forest search order |
 | Location | Computer Configuration |
 | Path | System > Kerberos |
@@ -192,7 +190,7 @@ If you disable or do not configure this policy setting, the client devices will
 
 <!-- KerberosClientSupportsClaimsCompoundArmor-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -307,12 +305,19 @@ Events generated by this configuration: 205, 206, 207, 208.
 <!-- PKInitHashAlgorithmSHA1-OmaUri-End -->
 
 <!-- PKInitHashAlgorithmSHA1-Description-Begin -->
-<!-- Description-Source-DDF -->
+<!-- Description-Source-Manual-Forced -->
-Configure SHA-1 hash algorithm for certificate logon
 <!-- PKInitHashAlgorithmSHA1-Description-End -->
 
 <!-- PKInitHashAlgorithmSHA1-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+- 1 - **Default**: This state sets the algorithm to the recommended state.
+- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, the SHA1 algorithm will assume the **Default** state.
 <!-- PKInitHashAlgorithmSHA1-Editable-End -->
 
 <!-- PKInitHashAlgorithmSHA1-DFProperties-Begin -->
@@ -368,12 +373,19 @@ Configure SHA-1 hash algorithm for certificate logon
 <!-- PKInitHashAlgorithmSHA256-OmaUri-End -->
 
 <!-- PKInitHashAlgorithmSHA256-Description-Begin -->
-<!-- Description-Source-DDF -->
+<!-- Description-Source-Manual-Forced -->
-Configure SHA-256 hash algorithm for certificate logon
 <!-- PKInitHashAlgorithmSHA256-Description-End -->
 
 <!-- PKInitHashAlgorithmSHA256-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+- 1 - **Default**: This state sets the algorithm to the recommended state.
+- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, the SHA256 algorithm will assume the **Default** state.
 <!-- PKInitHashAlgorithmSHA256-Editable-End -->
 
 <!-- PKInitHashAlgorithmSHA256-DFProperties-Begin -->
@@ -429,12 +441,19 @@ Configure SHA-256 hash algorithm for certificate logon
 <!-- PKInitHashAlgorithmSHA384-OmaUri-End -->
 
 <!-- PKInitHashAlgorithmSHA384-Description-Begin -->
-<!-- Description-Source-DDF -->
+<!-- Description-Source-Manual-Forced -->
-Configure SHA-384 hash algorithm for certificate logon
 <!-- PKInitHashAlgorithmSHA384-Description-End -->
 
 <!-- PKInitHashAlgorithmSHA384-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+- 1 - **Default**: This state sets the algorithm to the recommended state.
+- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, the SHA384 algorithm will assume the **Default** state.
 <!-- PKInitHashAlgorithmSHA384-Editable-End -->
 
 <!-- PKInitHashAlgorithmSHA384-DFProperties-Begin -->
@@ -490,12 +509,19 @@ Configure SHA-384 hash algorithm for certificate logon
 <!-- PKInitHashAlgorithmSHA512-OmaUri-End -->
 
 <!-- PKInitHashAlgorithmSHA512-Description-Begin -->
-<!-- Description-Source-DDF -->
+<!-- Description-Source-Manual-Forced -->
-Configure SHA-512 hash algorithm for certificate logon
 <!-- PKInitHashAlgorithmSHA512-Description-End -->
 
 <!-- PKInitHashAlgorithmSHA512-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm:
+
+- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+- 1 - **Default**: This state sets the algorithm to the recommended state.
+- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
+- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
+
+If you don't configure this policy, the SHA512 algorithm will assume the **Default** state.
 <!-- PKInitHashAlgorithmSHA512-Editable-End -->
 
 <!-- PKInitHashAlgorithmSHA512-DFProperties-Begin -->
@@ -554,11 +580,13 @@ Configure SHA-512 hash algorithm for certificate logon
 <!-- Description-Source-ADMX -->
 This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
 
-Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
+> [!WARNING]
+> When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
 
 If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
 
-Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
+> [!NOTE]
+> The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
 
 If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
 <!-- RequireKerberosArmoring-Description-End -->
@@ -578,7 +606,7 @@ If you disable or do not configure this policy setting, the client computers in
 
 <!-- RequireKerberosArmoring-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -638,7 +666,7 @@ If you disable or do not configure this policy setting, the Kerberos client requ
 
 <!-- RequireStrictKDCValidation-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -684,7 +712,8 @@ If you enable this policy setting, the Kerberos client or server uses the config
 
 If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
 
-Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
+> [!NOTE]
+> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
 <!-- SetMaximumContextTokenSize-Description-End -->
 
 <!-- SetMaximumContextTokenSize-Editable-Begin -->
@@ -702,7 +731,7 @@ Note: This policy setting configures the existing MaxTokenSize registry value in
 
 <!-- SetMaximumContextTokenSize-AdmxBacked-Begin -->
 > [!TIP]
-> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 
 **ADMX mapping**:
 
@@ -740,7 +769,8 @@ Note: This policy setting configures the existing MaxTokenSize registry value in
 
 <!-- UPNNameHints-Description-Begin -->
 <!-- Description-Source-DDF -->
-Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.
+Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
+This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.
 <!-- UPNNameHints-Description-End -->
 
 <!-- UPNNameHints-Editable-Begin -->

windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md

@@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/03/2023
+ms.date: 01/06/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -98,9 +98,10 @@ This policy setting prevents users from adding new Microsoft accounts on this co
 
 <!-- Accounts_EnableAdministratorAccountStatus-Description-Begin -->
 <!-- Description-Source-DDF -->
-This security setting determines whether the local Administrator account is enabled or disabled.
+This security setting determines whether the local Administrator account is enabled or disabled
 
-**Note** s If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default: Disabled.
+> [!NOTE]
+> If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default Disabled.
 <!-- Accounts_EnableAdministratorAccountStatus-Description-End -->
 
 <!-- Accounts_EnableAdministratorAccountStatus-Editable-Begin -->
@@ -158,9 +159,10 @@ This security setting determines whether the local Administrator account is enab
 
 <!-- Accounts_EnableGuestAccountStatus-Description-Begin -->
 <!-- Description-Source-DDF -->
-This security setting determines if the Guest account is enabled or disabled. Default: Disabled.
+This security setting determines if the Guest account is enabled or disabled. Default Disabled
 
-**Note**:  If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
+> [!NOTE]
+> If the Guest account is disabled and the security option Network Access Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
 <!-- Accounts_EnableGuestAccountStatus-Description-End -->
 
 <!-- Accounts_EnableGuestAccountStatus-Editable-Begin -->
@@ -218,11 +220,13 @@ This security setting determines if the Guest account is enabled or disabled. De
 
 <!-- Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly-Description-Begin -->
 <!-- Description-Source-DDF -->
-Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled.
+Accounts Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default Enabled
 
-**Warning**:  Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
+> [!WARNING]
+> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services
 
-**Note** s This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting.
+> [!NOTE]
+> This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting.
 <!-- Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly-Description-End -->
 
 <!-- Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly-Editable-Begin -->
@@ -427,7 +431,10 @@ Devices: Allowed to format and eject removable media This security setting deter
 
 <!-- Devices_AllowUndockWithoutHavingToLogon-Description-Begin -->
 <!-- Description-Source-DDF -->
-Devices: Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. Caution Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
+Devices Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default Enabled
+
+> [!CAUTION]
+> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
 <!-- Devices_AllowUndockWithoutHavingToLogon-Description-End -->
 
 <!-- Devices_AllowUndockWithoutHavingToLogon-Editable-Begin -->
@@ -976,9 +983,10 @@ Interactive logon: Message title for users attempting to log on This security se
 
 <!-- InteractiveLogon_SmartCardRemovalBehavior-Description-Begin -->
 <!-- Description-Source-DDF -->
-Interactive logon: Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
+Interactive logon Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation
 
-**Note**:  Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
+> [!NOTE]
+> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default This policy is not defined, which means that the system treats it as No action. On Windows Vista and above For this setting to work, the Smart Card Removal Policy service must be started.
 <!-- InteractiveLogon_SmartCardRemovalBehavior-Description-End -->
 
 <!-- InteractiveLogon_SmartCardRemovalBehavior-Editable-Begin -->
@@ -1038,11 +1046,13 @@ Interactive logon: Smart card removal behavior This security setting determines
 
 <!-- MicrosoftNetworkClient_DigitallySignCommunicationsAlways-Description-Begin -->
 <!-- Description-Source-DDF -->
-Microsoft network client: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled.
+Microsoft network client Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default Disabled
 
-**Important**: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
+> [!IMPORTANT]
+> For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client Digitally sign communications (if server agrees)
 
-**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: <https://go.microsoft.com/fwlink/?LinkID=787136>.
+> [!NOTE]
+> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference <https//go.microsoft.com/fwlink/?LinkID=787136>.
 <!-- MicrosoftNetworkClient_DigitallySignCommunicationsAlways-Description-End -->
 
 <!-- MicrosoftNetworkClient_DigitallySignCommunicationsAlways-Editable-Begin -->
@@ -1100,9 +1110,10 @@ Microsoft network client: Digitally sign communications (always) This security s
 
 <!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Description-Begin -->
 <!-- Description-Source-DDF -->
-Microsoft network client: Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled.
+Microsoft network client Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled
 
-**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: <https://go.microsoft.com/fwlink/?LinkID=787136>.
+> [!NOTE]
+> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference <https//go.microsoft.com/fwlink/?LinkID=787136>.
 <!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Description-End -->
 
 <!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Editable-Begin -->
@@ -1218,11 +1229,13 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
 
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsAlways-Description-Begin -->
 <!-- Description-Source-DDF -->
-Microsoft network server: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers.
+Microsoft network server Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default Disabled for member servers. Enabled for domain controllers
 
-**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+> [!NOTE]
+> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors
 
-**Important**: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference: <https://go.microsoft.com/fwlink/?LinkID=787136>.
+> [!IMPORTANT]
+> For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy Microsoft network server Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference <https//go.microsoft.com/fwlink/?LinkID=787136>.
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsAlways-Description-End -->
 
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsAlways-Editable-Begin -->
@@ -1280,9 +1293,10 @@ Microsoft network server: Digitally sign communications (always) This security s
 
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Description-Begin -->
 <!-- Description-Source-DDF -->
-Microsoft network server: Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled on domain controllers only.
+Microsoft network server Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled on domain controllers only
 
-**Important**: For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: <https://go.microsoft.com/fwlink/?LinkID=787136>.
+> [!IMPORTANT]
+> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000 HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference <https//go.microsoft.com/fwlink/?LinkID=787136>.
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Description-End -->
 
 <!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Editable-Begin -->
@@ -1398,9 +1412,10 @@ Network access: Allow anonymous SID/name translation This policy setting determi
 
 <!-- NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts-Description-Begin -->
 <!-- Description-Source-DDF -->
-Network access: Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled.
+Network access Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows Enabled Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled No additional restrictions. Rely on default permissions. Default on workstations Enabled. Default on serverEnabled
 
-**Important**: This policy has no impact on domain controllers.
+> [!IMPORTANT]
+> This policy has no impact on domain controllers.
 <!-- NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts-Description-End -->
 
 <!-- NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts-Editable-Begin -->
@@ -1622,13 +1637,16 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
 
 <!-- NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM-Description-Begin -->
 <!-- Description-Source-DDF -->
-Network security: Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008.
+Network security Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008
 
-**Note**:  Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
+> [!NOTE]
+> Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
 <!-- NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM-Description-End -->
 
 <!-- NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+- When a service connects with the device identity, signing and encryption are supported to provide data protection.
+- When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.
 <!-- NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM-Editable-End -->
 
 <!-- NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM-DFProperties-Begin -->
@@ -1743,9 +1761,10 @@ Network security: Allow PKU2U authentication requests to this computer to use on
 
 <!-- NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange-Description-Begin -->
 <!-- Description-Source-DDF -->
-Network security: Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above: Enabled Default on Windows XP: Disabled.
+Network security Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above Enabled Default on Windows XP Disabled
 
-**Important**: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
+> [!IMPORTANT]
+> Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
 <!-- NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange-Description-End -->
 
 <!-- NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange-Editable-Begin -->
@@ -1803,9 +1822,10 @@ Network security: Do not store LAN Manager hash value on next password change Th
 
 <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Description-Begin -->
 <!-- Description-Source-DDF -->
-Network security: Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default: Enabled.
+Network security Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default Enabled
 
-**Note**:  This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers.
+> [!NOTE]
+> This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers.
 <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Description-End -->
 
 <!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-Editable-Begin -->
@@ -1863,9 +1883,10 @@ Network security: Force logoff when logon hours expire This security setting det
 
 <!-- NetworkSecurity_LANManagerAuthenticationLevel-Description-Begin -->
 <!-- Description-Source-DDF -->
-Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
+Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows Send LM and NTLM responses Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM and NTLM Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication)
 
-**Important**: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default: Windows 2000 and windows XP: send LM and NTLM responses Windows Server 2003: Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+> [!IMPORTANT]
+> This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default Windows 2000 and windows XP send LM and NTLM responses Windows Server 2003 Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 Send NTLMv2 response only
 <!-- NetworkSecurity_LANManagerAuthenticationLevel-Description-End -->
 
 <!-- NetworkSecurity_LANManagerAuthenticationLevel-Editable-Begin -->
@@ -2096,9 +2117,10 @@ Network security: Restrict NTLM: Add remote server exceptions for NTLM authentic
 
 <!-- NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic-Description-Begin -->
 <!-- Description-Source-DDF -->
-Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+Network security Restrict NTLM Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security Restrict NTLM Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security Restrict NTLM Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2
 
-**Note**:  Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+> [!NOTE]
+> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
 <!-- NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic-Description-End -->
 
 <!-- NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic-Editable-Begin -->
@@ -2157,9 +2179,10 @@ Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting
 
 <!-- NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic-Description-Begin -->
 <!-- Description-Source-DDF -->
-Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+Network security Restrict NTLM Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2
 
-**Note**:  Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+> [!NOTE]
+> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
 <!-- NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic-Description-End -->
 
 <!-- NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic-Editable-Begin -->
@@ -2218,9 +2241,10 @@ Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allow
 
 <!-- NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers-Description-Begin -->
 <!-- Description-Source-DDF -->
-Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+Network security Restrict NTLM Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security Restrict NTLM Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2
 
-**Note**:  Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+> [!NOTE]
+> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
 <!-- NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers-Description-End -->
 
 <!-- NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers-Editable-Begin -->
@@ -2453,9 +2477,10 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou
 
 <!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-Description-Begin -->
 <!-- Description-Source-DDF -->
-User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
+User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are • Elevate without prompting Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials
 
-**Note**:  Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
+> [!NOTE]
+> Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
 <!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-Description-End -->
 
 <!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-Editable-Begin -->
@@ -2750,9 +2775,10 @@ User Account Control: Only elevate UIAccess applications that are installed in s
 
 <!-- UserAccountControl_RunAllAdministratorsInAdminApprovalMode-Description-Begin -->
 <!-- Description-Source-DDF -->
-User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled.
+User Account Control Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are • Enabled (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled Admin Approval Mode and all related UAC policy settings are disabled
 
-**Note**:  If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
+> [!NOTE]
+> If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
 <!-- UserAccountControl_RunAllAdministratorsInAdminApprovalMode-Description-End -->
 
 <!-- UserAccountControl_RunAllAdministratorsInAdminApprovalMode-Editable-Begin -->