Merge pull request #2750 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Gary Moore
2020-05-12 17:17:17 -07:00
committed by GitHub
11 changed files with 225 additions and 285 deletions


@ -13,37 +13,27 @@ ms.prod: w10
ms.date: 06/16/2016 ms.date: 06/16/2016
--- ---
# Deploying the App-V 5.1 Server # Deploying the App-V 5.1 Server
You can install the Microsoft Application Virtualization (App-V) 5.1 server features by using different deployment configurations, which described in this topic. Before you install the server features, review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md). You can install the Microsoft Application Virtualization (App-V) 5.1 server features by using different deployment configurations, which described in this topic. Before you install the server features, review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md).
For information about deploying the App-V Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51). For information about deploying the App-V Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51).
**Important**   > [!IMPORTANT]
Before you install and configure the App-V 5.1 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings. > Before you install and configure the App-V 5.1 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings.
## <a href="" id="---------app-v-5-1-server-overview"></a> App-V 5.1 Server overview ## <a href="" id="---------app-v-5-1-server-overview"></a> App-V 5.1 Server overview
The App-V 5.1 Server is made up of five components. Each component serves a different purpose within the App-V 5.1 environment. Each of the five components is briefly described here: The App-V 5.1 Server is made up of five components. Each component serves a different purpose within the App-V 5.1 environment. Each of the five components is briefly described here:
- Management Server provides overall management functionality for the App-V 5.1 infrastructure. - Management Server provides overall management functionality for the App-V 5.1 infrastructure.
- Management Database facilitates database predeployments for App-V 5.1 management. - Management Database facilitates database predeployments for App-V 5.1 management.
- Publishing Server provides hosting and streaming functionality for virtual applications. - Publishing Server provides hosting and streaming functionality for virtual applications.
- Reporting Server provides App-V 5.1 reporting services. - Reporting Server provides App-V 5.1 reporting services.
- Reporting Database facilitates database predeployments for App-V 5.1 reporting. - Reporting Database facilitates database predeployments for App-V 5.1 reporting.
## <a href="" id="---------app-v-5-1-stand-alone-deployment"></a> App-V 5.1 stand-alone deployment ## <a href="" id="---------app-v-5-1-stand-alone-deployment"></a> App-V 5.1 stand-alone deployment
The App-V 5.1 standalone deployment provides a good topology for a small deployment or a test environment. When you use this type of implementation, all server components are deployed to a single computer. The services and associated databases will compete for the resources on the computer that runs the App-V 5.1 components. Therefore, you should not use this topology for larger deployments. The App-V 5.1 standalone deployment provides a good topology for a small deployment or a test environment. When you use this type of implementation, all server components are deployed to a single computer. The services and associated databases will compete for the resources on the computer that runs the App-V 5.1 components. Therefore, you should not use this topology for larger deployments.
[How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md) [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)
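Review bot: the opening paragraph of this hunk still reads "different deployment configurations, which described in this topic" on both sides; since the file is being touched for the alert conversion anyway, change it to "which are described in this topic". The `**Important**` to `> [!IMPORTANT]` conversion itself looks right.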
@ -52,7 +42,6 @@ The App-V 5.1 standalone deployment provides a good topology for a small deploym
## <a href="" id="---------app-v-5-1-server-distributed-deployment"></a> App-V 5.1 Server distributed deployment ## <a href="" id="---------app-v-5-1-server-distributed-deployment"></a> App-V 5.1 Server distributed deployment
The distributed deployment topology can support a large App-V 5.1 client base and it allows you to more easily manage and scale your environment. When you use this type of deployment, the App-V 5.1 Server components are deployed across multiple computers, based on the structure and requirements of the organization. The distributed deployment topology can support a large App-V 5.1 client base and it allows you to more easily manage and scale your environment. When you use this type of deployment, the App-V 5.1 Server components are deployed across multiple computers, based on the structure and requirements of the organization.
[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md) [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md)
@ -67,19 +56,15 @@ The distributed deployment topology can support a large App-V 5.1 client base an
## Using an Enterprise Software Distribution (ESD) solution and App-V 5.1 ## Using an Enterprise Software Distribution (ESD) solution and App-V 5.1
You can also deploy the App-V 5.1 clients and packages by using an ESD without having to deploy App-V 5.1. The full capabilities for integration will vary depending on the ESD that you use. You can also deploy the App-V 5.1 clients and packages by using an ESD without having to deploy App-V 5.1. The full capabilities for integration will vary depending on the ESD that you use.
**Note**   > [!NOTE]
The App-V 5.1 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.1 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality. > The App-V 5.1 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.1 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality.
[Deploying App-V 5.1 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md) [Deploying App-V 5.1 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md)
## <a href="" id="---------app-v-5-1-server-logs"></a> App-V 5.1 Server logs ## <a href="" id="---------app-v-5-1-server-logs"></a> App-V 5.1 Server logs
You can use App-V 5.1 server log information to help troubleshoot the server installation and operational events while using App-V 5.1. The server-related log information can be reviewed with the **Event Viewer**. The following line displays the specific path for Server-related events: You can use App-V 5.1 server log information to help troubleshoot the server installation and operational events while using App-V 5.1. The server-related log information can be reviewed with the **Event Viewer**. The following line displays the specific path for Server-related events:
**Event Viewer \\ Applications and Services Logs \\ Microsoft \\ App V** **Event Viewer \\ Applications and Services Logs \\ Microsoft \\ App V**
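Review bot: "deploy the App-V 5.1 clients and packages by using an ESD without having to deploy App-V 5.1" is confusing now that it sits directly above a NOTE stating that only the reporting server and reporting database should be deployed alongside the ESD; suggest "without having to deploy the App-V 5.1 Server" so the sentence and the note agree. The `> [!NOTE]` conversion is fine.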
@ -92,13 +77,10 @@ In App-V 5.0 SP3, some logs were consolidated and moved. See [About App-V 5.0 SP
## <a href="" id="---------app-v-5-1-reporting"></a> App-V 5.1 reporting ## <a href="" id="---------app-v-5-1-reporting"></a> App-V 5.1 reporting
App-V 5.1 reporting allows App-V 5.1 clients to collect data and then send it back to be stored in a central repository. You can use this information to get a better view of the virtual application usage within your organization. The following list displays some of the types of information the App-V 5.1 client collects: App-V 5.1 reporting allows App-V 5.1 clients to collect data and then send it back to be stored in a central repository. You can use this information to get a better view of the virtual application usage within your organization. The following list displays some of the types of information the App-V 5.1 client collects:
- Information about the computer that runs the App-V 5.1 client. - Information about the computer that runs the App-V 5.1 client.
- Information about virtualized packages on a specific computer that runs the App-V 5.1 client. - Information about virtualized packages on a specific computer that runs the App-V 5.1 client.
- Information about package open and shutdown for a specific user. - Information about package open and shutdown for a specific user.
The reporting information will be maintained until it is successfully sent to the reporting server database. After the data is in the database, you can use Microsoft SQL Server Reporting Services to generate any necessary reports. The reporting information will be maintained until it is successfully sent to the reporting server database. After the data is in the database, you can use Microsoft SQL Server Reporting Services to generate any necessary reports.
@ -111,19 +93,4 @@ Use the following link for more information [About App-V 5.1 Reporting](about-ap
## Other resources for the App-V server ## Other resources for the App-V server
[Deploying App-V 5.1](deploying-app-v-51.md) [Deploying App-V 5.1](deploying-app-v-51.md)


@ -13,75 +13,42 @@ ms.prod: w10
ms.date: 06/16/2016 ms.date: 06/16/2016
--- ---
# How to Deploy the App-V Databases by Using SQL Scripts # How to Deploy the App-V Databases by Using SQL Scripts
Use the following instructions to use SQL scripts, rather than the Windows Installer, to: Use the following instructions to use SQL scripts, rather than the Windows Installer, to:
- Install the App-V 5.1 databases - Install the App-V 5.1 databases
- Upgrade the App-V databases to a later version - Upgrade the App-V databases to a later version
**Note** > [!NOTE]
If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1. > If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1.
## How to install the App-V databases by using SQL scripts
**How to install the App-V databases by using SQL scripts**
1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software. 1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
1. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
1. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
2. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location. Example: appv\_server\_setup.exe /layout c:\\&lt;_temporary location path_&gt;
3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts. 1. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions:
Example: appv\_server\_setup.exe /layout c:\\&lt;temporary location path&gt; | Database | Location of Readme.txt file to use |
|--|--|
| Management database | ManagementDatabase subfolder |
| Reporting database | ReportingDatabase subfolder |
4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions: > [!CAUTION]
> The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
<table> > [!IMPORTANT]
<colgroup> > The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Database</th>
<th align="left">Location of Readme.txt file to use</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Management database</p></td>
<td align="left"><p>ManagementDatabase subfolder</p></td>
</tr>
<tr class="even">
<td align="left"><p>Reporting database</p></td>
<td align="left"><p>ReportingDatabase subfolder</p></td>
</tr>
</tbody>
</table>
~~~
**Caution**
The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
**Important**
The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3. The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3.
~~~
## Updated management database README file content
```plaintext
**Updated management database README file content**
``` syntax
****************************************************************** ******************************************************************
Before you install and use the Application Virtualization Database Scripts you must: Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms. 1.Review the Microsoft Application Virtualization Server 5.0 license terms.
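Review bot: the unchanged line "The Permissions.sql script should be updated according to **Step 2** in KB article 3031340 ..." has no leading `>`, so once the `~~~` wrapper is removed it falls outside the new `> [!IMPORTANT]` alert, which now holds only the InsertVersionInfo.sql sentence; prefix it with `> ` so both sentences stay inside the alert. Also, the extraction example here is `appv_server_setup.exe /layout c:\<temporary location path>`, while the separate-computers topic in this same pull request uses `appv_server_setup.exe /LAYOUT /LAYOUTDIR="InstallationExtractionLocation"`; pick one form and use it in both topics.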
@ -144,9 +111,9 @@ Steps to install "AppVManagement" schema in SQL SERVER.
``` ```
**Updated reporting database README file content** ## Updated reporting database README file content
``` syntax ```plaintext
****************************************************************** ******************************************************************
Before you install and use the Application Virtualization Database Scripts you must: Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms. 1.Review the Microsoft Application Virtualization Server 5.0 license terms.
@ -222,20 +189,10 @@ Steps to install "AppVReporting" schema in SQL SERVER.
``` ```
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics ## Related topics
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md) [Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
[How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md) [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)


@ -13,10 +13,8 @@ ms.prod: w10
ms.date: 06/16/2016 ms.date: 06/16/2016
--- ---
# How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell # How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell
Use the following PowerShell procedure to convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by Microsoft SQL Server when running SQL scripts. Use the following PowerShell procedure to convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by Microsoft SQL Server when running SQL scripts.
Before attempting this procedure, you should read and understand the information and examples displayed in the following list: Before attempting this procedure, you should read and understand the information and examples displayed in the following list:
@ -33,13 +31,10 @@ Before attempting this procedure, you should read and understand the information
**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200** **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**
\#&gt; ## To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)
**To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)**
1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**. 1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**.
1. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.
2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.
```powershell ```powershell
<# <#
@ -61,7 +56,7 @@ Before attempting this procedure, you should read and understand the information
function ConvertSIDToHexFormat function ConvertSIDToHexFormat
{ {
param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert) param([System.Security.Principal.SecurityIdentifier]$sidToConvert)
$sb = New-Object System.Text.StringBuilder $sb = New-Object System.Text.StringBuilder
[int] $binLength = $sidToConvert.BinaryLength [int] $binLength = $sidToConvert.BinaryLength
@ -79,7 +74,7 @@ Before attempting this procedure, you should read and understand the information
[string]::Format("{0}====== Description ======{0}{0}" + [string]::Format("{0}====== Description ======{0}{0}" +
" Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + " Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" +
" Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" + " Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.ps1 DOMAIN\Account1 DOMAIN\Account2 ...'){0}" +
" The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" + " The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" +
" And can be written out to a file using standard PowerShell redirection{0}" + " And can be written out to a file using standard PowerShell redirection{0}" +
" Please specify user accounts in the format 'DOMAIN\username'{0}" + " Please specify user accounts in the format 'DOMAIN\username'{0}" +
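Review bot: changing `ConvertToSID.exe` to `ConvertToSID.ps1` fixes the help text, but step 1 of the procedure tells the reader to save the script as **ConvertToSIDs.ps1** (plural) while this line and the examples in the final step invoke `ConvertToSID.ps1`; use one file name in all three places.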
@ -131,17 +126,21 @@ Before attempting this procedure, you should read and understand the information
Write-Output $SIDs Write-Output $SIDs
} }
} }
3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments. ```
1. Run the script you saved in step one of this procedure passing the accounts to convert as arguments.
For example, For example,
**.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")** **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**
**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”** or
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). **$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")**
**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics ## Related topics
[Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md) [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md)
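Review bot: `.\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200` is not a valid command: `Write-Output` has no `-FilePath` or `-Width` parameter; those belong to `Out-File`, so the example should read `.\ConvertToSID.ps1 $accountsArray | Out-File -FilePath .\SIDs.txt -Width 200` (the same command appears in the help comment block earlier in this topic and needs the same fix). Separately, the third entry of the array example, `"DOMAIN\_user\_account2"`, uses an underscore where the other two entries use `DOMAIN\\user\_account1`, so it renders as `DOMAIN_user_account2`; it should be `"DOMAIN\\user\_account2"`. Splitting the one-line "or" example into separate bold lines and dropping the smart quotes is a good change.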


@ -13,114 +13,74 @@ ms.prod: w10
ms.date: 06/16/2016 ms.date: 06/16/2016
--- ---
# How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services # How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services
Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail. Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail.
**Note** > [!NOTE]
After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases. > After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases.
## To install the management database and the management server on separate computers
**To install the management database and the management server on separate computers**
1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. 1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
1. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.
1. On the **Installation Location** page, accept the default location and click **Next**.
1. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.
2. On the **Getting Started** page, review and accept the license terms, and click **Next**. If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.\
3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I dont want to use Microsoft Update**. Click **Next**.
4. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.
5. On the **Installation Location** page, accept the default location and click **Next**.
6. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.
If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.
If you are using a custom database name, then select **Custom configuration** and type the database name. If you are using a custom database name, then select **Custom configuration** and type the database name.
7. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**. 1. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
**Note** > [!NOTE]
If you plan to deploy the management server on the same computer you must select **Use this local computer**. > If you plan to deploy the management server on the same computer you must select **Use this local computer**.
1. Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
1. To start the installation, click **Install**.
## To install the reporting database and the reporting server on separate computers
~~~
Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
~~~
8. To start the installation, click **Install**.
**To install the reporting database and the reporting server on separate computers**
1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. 1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
2. On the **Getting Started** page, review and accept the license terms, and click **Next**. 1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
1. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.
3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I dont want to use Microsoft Update**. Click **Next**. 1. On the **Installation Location** page, accept the default location and click **Next**.
1. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.
4. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.
5. On the **Installation Location** page, accept the default location and click **Next**.
6. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.
If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance. If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.
If you are using a custom database name, then select **Custom configuration** and type the database name. If you are using a custom database name, then select **Custom configuration** and type the database name.
7. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**. 1. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
**Note** > [!NOTE]
If you plan to deploy the reporting server on the same computer you must select **Use this local computer**. > If you plan to deploy the reporting server on the same computer you must select **Use this local computer**.
1. Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
1. To start the installation, click **Install**.
## To install the management and reporting databases using App-V 5.1 database scripts
~~~
Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
~~~
8. To start the installation, click **Install**.
**To install the management and reporting databases using App-V 5.1 database scripts**
1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. 1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on.
1. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command:
2. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command: **appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR="InstallationExtractionLocation"**.
**appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR=”InstallationExtractionLocation”**. 1. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:
3. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:
- The App-V 5.1 Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**. - The App-V 5.1 Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**.
- The App-V 5.1 Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**. - The App-V 5.1 Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.
4. For each database, copy the scripts to a share and modify them following the instructions in the readme file. 1. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
**Note** > [!NOTE]
For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md). > For more information about modifying the required SIDs contained in the scripts, see [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md).
1. Run the scripts on the computer running Microsoft SQL Server.
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
5. Run the scripts on the computer running Microsoft SQL Server.
**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics ## Related topics
[Deploying App-V 5.1](deploying-app-v-51.md) [Deploying App-V 5.1](deploying-app-v-51.md)
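Review bot: the new version of the first step still reads "the computer on which you want to install it on"; drop the trailing "on". The step that asks for the reporting server **Install Administrator** as **Domain\\AdministratorLoginName** should also say what that account is used for during the install, so readers do not hand it a more privileged account than the database setup needs; the note about converting SIDs in the scripts is the natural place to point to. The stray `~~~` fence, the duplicated "Specify the user name" step and the "8." numbering from the old text are correctly gone, and the UserVoice line is dropped while the TechNet forum line is kept, which is consistent with the rest of the App-V pages.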

View File

@ -15,13 +15,10 @@ ms.topic: article
# Create mandatory user profiles # Create mandatory user profiles
**Applies to** **Applies to**
- Windows 10 - Windows 10
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
@ -30,8 +27,6 @@ When the server that stores the mandatory profile is unavailable, such as when t
User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile. User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
<span id="extension"/>
## Profile extension for each Windows version ## Profile extension for each Windows version
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version. The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
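Review bot: removing `<span id="extension"/>` deletes the `#extension` anchor. The in-page link later in this commit is updated to `#profile-extension-for-each-windows-version`, but any other page or bookmark that points at `#extension` now breaks; either keep the span next to the heading or confirm nothing else references it.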
@ -45,121 +40,112 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 10, versions 1507 and 1511 | N/A | v5 | | Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 | | Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
## How to create a mandatory user profile ## Mandatory user profile
First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory. First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory.
**To create a default user profile** ### How to create a default user profile
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. 1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
> [!NOTE] > [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
> [!NOTE] > [!NOTE]
> Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on users profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. 1. [Create an answer file (Unattend.xml)](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on users profile folder to the default user profile. You can use [Windows System Image Manager](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
> [!NOTE] > [!NOTE]
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
3. At a command prompt, type the following command and press **ENTER**. 1. At a command prompt, type the following command and press **ENTER**.
`sysprep /oobe /reboot /generalize /unattend:unattend.xml` ```dos
sysprep /oobe /reboot /generalize /unattend:unattend.xml
```
(Sysprep.exe is located at: C:\Windows\System32\sysprep. By default, Sysprep looks for unattend.xml in this same folder.) (Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
> [!TIP] > [!TIP]
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following: > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
> >
> ![Microsoft Bing Translator package](images/sysprep-error.png) > ![Microsoft Bing Translator package](images/sysprep-error.png)
> >
> Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
4. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges. 1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
5. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section. 1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
6. In **User Profiles**, click **Default Profile**, and then click **Copy To**. 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
![Example of UI](images/copy-to.png) ![Example of UI](images/copy-to.png)
7. In **Copy To**, under **Permitted to use**, click **Change**. 1. In **Copy To**, under **Permitted to use**, click **Change**.
![Example of UI](images/copy-to-change.png) ![Example of UI](images/copy-to-change.png)
8. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
9. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#extension) for the operating system version. For example, the folder name must end with .v6 to identify it as a user profile folder for Windows 10, version 1607. 1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
![Example of UI](images/copy-to-path.png) ![Example of UI](images/copy-to-path.png)
10. Click **OK** to copy the default user profile. 1. Click **OK** to copy the default user profile.
### How to make the user profile mandatory
**To make the user profile mandatory** 1. In File Explorer, open the folder where you stored the copy of the profile.
3. In File Explorer, open the folder where you stored the copy of the profile.
> [!NOTE] > [!NOTE]
> If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes. > If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
4. Rename `Ntuser.dat` to `Ntuser.man`. 1. Rename `Ntuser.dat` to `Ntuser.man`.
## How to apply a mandatory user profile to users ## Apply a mandatory user profile to users
In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server. In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.
**To apply a mandatory user profile to users** ### How to apply a mandatory user profile to users
1. Open **Active Directory Users and Computers** (dsa.msc). 1. Open **Active Directory Users and Computers** (dsa.msc).
2. Navigate to the user account that you will assign the mandatory profile to. 1. Navigate to the user account that you will assign the mandatory profile to.
3. Right-click the user name and open **Properties**. 1. Right-click the user name and open **Properties**.
4. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\profile.v6, you would enter \\\\*server*\profile. 1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile.
5. Click **OK**. 1. Click **OK**.
It may take some time for this change to replicate to all domain controllers. It may take some time for this change to replicate to all domain controllers.
## Apply policies to improve sign-in time ## Apply policies to improve sign-in time
When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.) When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 | | Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
| --- | --- | --- | --- | --- | | --- | --- | --- | --- | --- |
| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | | Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | | Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | | Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
> [!Note] > [!NOTE]
> The Group Policy settings above can be applied in Windows 10 Professional edition. > The Group Policy settings above can be applied in Windows 10 Professional edition.
## Related topics ## Related topics
- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies) - [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps) - [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight) - [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm) - [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
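Review bot: the steps grant **Everyone** under **Permitted to use** and then copy the profile to a network share, but nothing says the share and NTFS permissions must leave users with read-only access. Since every user assigned the profile loads the same `Ntuser.man`, a user who can write to that folder can change what everyone else loads, which undercuts the "only system administrators can make changes" statement earlier on the page; a one-line reminder after the **Copy profile to** step would cover it. Two smaller points: renaming "## How to create a mandatory user profile" to "## Mandatory user profile" changes the generated heading anchor, so check inbound links the same way as for the removed `extension` span; and the bullet "Uninstall any application you do not need" now precedes the Sysprep step, which is the right order, because CopyProfile copies whatever is in the signed-in profile.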

View File

@ -111,6 +111,9 @@ manager: dansimp
<dd> <dd>
<a href="#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a> <a href="#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
</dd> </dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
</dd>
<dd> <dd>
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a> <a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
</dd> </dd>
@ -2385,6 +2388,74 @@ GP Info:
<hr/> <hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients.
This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
Default:
Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers** <a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
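Review bot: the **Default** list for the new NTLM SSP clients policy stops at Windows 7 and Windows Server 2008 R2, so the page never states the default for Windows 10, the only OS this CSP applies to; add it. The block also has no supported-values section, so an admin cannot tell from the CSP page what to write to select "Require NTLMv2 session security", "Require 128-bit encryption", or both (the description's "and/or" implies they combine). The anchor id matches the index entry added at the top of the file, and the `<sup>4</sup>` footnote markers follow the sibling policy, so the structure itself is fine.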

View File

@ -36,10 +36,11 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. 2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. 3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. 4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details.
![Windows Defender Credential Guard Group Policy setting](images/credguard-gp.png) ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp-2.png)
5. Close the Group Policy Management Console. 6. Close the Group Policy Management Console.
To enforce processing of the group policy, you can run ```gpupdate /force```. To enforce processing of the group policy, you can run ```gpupdate /force```.
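Review bot: new step 5 links with the text "this article"; use the target's title (Windows Defender System Guard Secure Launch and SMM protection) as the link text and say that Secure Launch depends on hardware support, so readers do not pick **Enabled** on devices that cannot honour it. The screenshot swap to `credguard-gp-2.png` presumably shows the added **Secure Launch Configuration** box, so the renumbering to step 6 for closing the console is consistent.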
@ -234,5 +235,3 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true

Binary file not shown (image; after: 432 KiB).

View File

@ -66,7 +66,7 @@ Key trust deployments do not need client issued certificates for on-premises aut
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). * The certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment. * The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
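Review bot: dropping "Optionally" from the Subject bullet turns the distinguished name into a requirement, yet the bullet still says "should" while the other mandatory bullets (Key Usage, Enhanced Key Usage) say "must". If the DN is required for the key trust deployment, write "must contain"; if it is only recommended, the old "Optionally ... should" wording was the accurate one. As it stands the list mixes two strengths of requirement without explanation.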

View File

@ -81,7 +81,7 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE] > [!NOTE]
>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail. > The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
### Publish Certificate Templates to a Certificate Authority ### Publish Certificate Templates to a Certificate Authority
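Review bot: "chain to a root in the NTAuth store" is not quite the check that matters. NTAuth (NTAuthCertificates) holds the certificates of CAs trusted to issue authentication certificates, so in a multi-tier PKI it is the issuing (subordinate) CA's certificate that must be present, not only the root; an Enterprise CA publishes its own CA certificate there, which is why the default case works. Suggest: "The domain controller certificate must be issued by a CA whose certificate is in the NTAuth store. By default, an Enterprise CA's certificate is added to the NTAuth store." That keeps the corrected intent (the DC certificate itself is not what goes into NTAuth) without introducing "root".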

View File

@ -143,11 +143,12 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png) ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
3. Under **Use the following restricted mode**: 3. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used. - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
> **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. > [!NOTE]
> Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
- If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
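Review bot: the option labels in step 3 changed to **Restrict Credential Delegation** and **Require Remote Credential Guard**, but the screenshot referenced just above (`images/remote-credential-guard-gp.png`) is unchanged context in this hunk; if it still shows the old labels it will contradict the text, so check it. The note conversion to `> [!NOTE]` is fine, and the sentence that follows it still correctly explains that **Restrict Credential Delegation** falls back to Restricted Admin mode when Remote Credential Guard cannot be used.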