Merge branch 'main' into do_docs

Carmen Forsmann 2024-07-11 08:13:50 -06:00 committed by GitHub
commit 9a70ec2e92
GPG Key ID: B5690EEEBB952194
92 changed files with 623 additions and 992 deletions


@ -137,4 +137,4 @@ additionalContent:
- text: Microsoft Intune community - text: Microsoft Intune community
url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
- text: Microsoft Support community - text: Microsoft Support community
url: https://answers.microsoft.com/windows/forum url: https://answers.microsoft.com/
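Review bot: The Microsoft Support community link now points at the site root `https://answers.microsoft.com/` instead of the Windows forum `https://answers.microsoft.com/windows/forum`; unless the old path no longer resolves, keep the Windows-specific URL so readers land in the relevant forum rather than on a generic landing page.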


@ -5,18 +5,18 @@ ms.topic: conceptual
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Microsoft Entra integration with MDM # Microsoft Entra integration with MDM
Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into MDM in an integrated flow. Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into Mobile Device Management (MDM) in an integrated flow.
Once a device is enrolled in MDM, the MDM: Once a device is enrolled in MDM, the MDM:
- Can enforce compliance with organization policies, add or remove apps, and more. - Can enforce compliance with organization policies, add or remove apps, and more.
- Can report a device's compliance in Microsoft Entra ID. - Can report a device's compliance in Microsoft Entra ID.
- Microsoft Entra ID can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies. - Can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies.
To support these rich experiences with their MDM product, MDM vendors can integrate with Microsoft Entra ID. To support these rich experiences with their MDM product, MDM vendors can integrate with Microsoft Entra ID.
@ -24,23 +24,21 @@ To support these rich experiences with their MDM product, MDM vendors can integr
There are several ways to connect your devices to Microsoft Entra ID: There are several ways to connect your devices to Microsoft Entra ID:
- [Join device to Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join) - [Join device to Microsoft Entra ID](/entra/identity/devices/concept-directory-join)
- [Join device to on-premises AD and Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Join device to on-premises AD and Microsoft Entra ID](/entra/identity/devices/concept-hybrid-join)
- [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register) - [Add a Microsoft work account to Windows](/entra/identity/devices/concept-device-registration)
In each scenario, Microsoft Entra authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. In each scenario, Microsoft Entra authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Microsoft Entra ID respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Microsoft Entra ID respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Microsoft Entra multifactor authentication as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
Once a user has a Microsoft Entra account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Microsoft Entra join for organization scenarios or BYOD scenarios is similar. Once a user has a Microsoft Entra account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Microsoft Entra join for organization scenarios or BYOD scenarios is similar.
> [!NOTE] > [!NOTE]
> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Microsoft Entra ID or work account. > Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Microsoft Entra ID or work account.
<a name='mdm-endpoints-involved-in-azure-ad-integrated-enrollment'></a>
### MDM endpoints involved in Microsoft Entra integrated enrollment ### MDM endpoints involved in Microsoft Entra integrated enrollment
Microsoft Entra MDM enrollment is a two-step process: Microsoft Entra MDM enrollment is a two-step process:
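Review bot: Dropping the `<a name='mdm-endpoints-involved-in-azure-ad-integrated-enrollment'></a>` anchor (and the similar `azure-ad` anchors removed in the later hunks of this file) breaks any inbound link that still uses the old fragment; confirm those fragments are unreferenced or redirected before removing them. Separately, the AD FS sentence mixes "AD FS" and "ADFS" and names the product "Active Directory Federated Services"; the product is Active Directory Federation Services, so "Active Directory Federation Services (AD FS) ... on the AD FS service" would be consistent with the link text on the same line.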
@ -64,17 +62,15 @@ To support Microsoft Entra enrollment, MDM vendors must host and expose a **Term
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Microsoft Entra ID using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Microsoft Entra ID using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
<a name='make-mdm-a-reliable-party-of-azure-ad'></a>
## Make MDM a reliable party of Microsoft Entra ID ## Make MDM a reliable party of Microsoft Entra ID
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Microsoft Entra ID. To report compliance with Microsoft Entra ID, the MDM must authenticate itself to Microsoft Entra ID and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Microsoft Entra ID. To report compliance with Microsoft Entra ID, the MDM must authenticate itself to Microsoft Entra ID and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
### Cloud-based MDM ### Cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer. A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multitenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub. The MDM vendor must first register the application in their home tenant and mark it as a multitenant application. For more information about how to add multitenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multitenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
> [!NOTE] > [!NOTE]
> For the MDM provider, if you don't have an existing Microsoft Entra tenant with a Microsoft Entra subscription that you manage, follow these step-by-step guides: > For the MDM provider, if you don't have an existing Microsoft Entra tenant with a Microsoft Entra subscription that you manage, follow these step-by-step guides:
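Review bot: Both `[Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api)` links in this hunk stay on the legacy `/azure/active-directory/` path even though this commit moves the other links in the file to `/entra/`; the path name points to the older Azure AD Graph page while the link text names Microsoft Graph, so retarget the link at the Microsoft Graph documentation and do the same for the compliance-reporting section later in the file.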
@ -82,7 +78,7 @@ The MDM vendor must first register the application in their home tenant and mark
> - [Quickstart: Create a new tenant in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant. > - [Quickstart: Create a new tenant in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
> - [Associate or add an Azure subscription to your Microsoft Entra tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal. > - [Associate or add an Azure subscription to your Microsoft Entra tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs. The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multitenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs.
> [!NOTE] > [!NOTE]
> All MDM apps must implement Microsoft Entra v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Microsoft Entra v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats). > All MDM apps must implement Microsoft Entra v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Microsoft Entra v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
@ -107,8 +103,6 @@ For cloud-based MDM, you can roll over the application keys without requiring a
For the on-premises MDM, the Microsoft Entra authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys. For the on-premises MDM, the Microsoft Entra authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys.
<a name='publish-your-mdm-app-to-azure-ad-app-gallery'></a>
## Publish your MDM app to Microsoft Entra app gallery ## Publish your MDM app to Microsoft Entra app gallery
IT administrators use the Microsoft Entra app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Microsoft Entra ID. IT administrators use the Microsoft Entra app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Microsoft Entra ID.
@ -124,7 +118,7 @@ The following table shows the required information to create an entry in the Mic
| Item | Description | | Item | Description |
|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app. | | **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multitenant app. |
| **Publisher** | A string that identifies the publisher of the app. | | **Publisher** | A string that identifies the publisher of the app. |
| **Application URL** | A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment. | | **Application URL** | A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment. |
| **Description** | A brief description of your MDM app, which must be under 255 characters. | | **Description** | A brief description of your MDM app, which must be under 255 characters. |
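Review bot: The **Application URL** row is circular ("A URL to the landing page of your app ... and contains a link to the landing page of your app"). Suggest "The landing page of your app, where administrators can get more information about the MDM app. This URL isn't used for the actual enrollment."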
@ -191,7 +185,7 @@ The following claims are expected in the access token passed by Windows to the T
|-----------|----------------------------------------------------------------------------------------------| |-----------|----------------------------------------------------------------------------------------------|
| Object ID | Identifier of the user object corresponding to the authenticated user. | | Object ID | Identifier of the user object corresponding to the authenticated user. |
| UPN | A claim containing the user principal name (UPN) of the authenticated user. | | UPN | A claim containing the user principal name (UPN) of the authenticated user. |
| TID | A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam. | | TID | A claim representing the tenant ID of the tenant. In the previous example, it's Fabrikam. |
| Resource | A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` | | Resource | A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
> [!NOTE] > [!NOTE]
@ -206,7 +200,7 @@ https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm
Authorization: Bearer eyJ0eXAiOi Authorization: Bearer eyJ0eXAiOi
``` ```
The MDM is expected to validate the signature of the access token to ensure it is issued by Microsoft Entra ID and that the recipient is appropriate. The MDM is expected to validate the signature of the access token to ensure it's issued by Microsoft Entra ID and that the recipient is appropriate.
### Terms of Use content ### Terms of Use content
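Review bot: "that the recipient is appropriate" leaves the decisive check implicit. Beyond verifying the signature, the MDM should confirm the audience matches its own Resource value (the sanitized MDM URL in the claims table above), that the issuer and the TID claim belong to the expected tenant, and that the token is within its validity period; a signature check alone does not distinguish a token issued for a different application or tenant from one issued for this endpoint.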
@ -260,8 +254,6 @@ The following table shows the error codes.
| Microsoft Entra token validation failed | 302 | unauthorized_client | unauthorized_client | | Microsoft Entra token validation failed | 302 | unauthorized_client | unauthorized_client |
| internal service error | 302 | server_error | internal service error | | internal service error | 302 | server_error | internal service error |
<a name='enrollment-protocol-with-azure-ad'></a>
## Enrollment protocol with Microsoft Entra ID ## Enrollment protocol with Microsoft Entra ID
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
@ -284,8 +276,6 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
|EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported| |EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
|CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION||| |CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
<a name='management-protocol-with-azure-ad'></a>
## Management protocol with Microsoft Entra ID ## Management protocol with Microsoft Entra ID
There are two different MDM enrollment types that integrate with Microsoft Entra ID, and use Microsoft Entra user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. There are two different MDM enrollment types that integrate with Microsoft Entra ID, and use Microsoft Entra user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
@ -318,8 +308,6 @@ There are two different MDM enrollment types that integrate with Microsoft Entra
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
- Refer to the Microsoft Entra authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). - Refer to the Microsoft Entra authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
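Review bot: These bullets still point at the WIF JwtSecurityTokenHandler and a generic NativeClient sample while the note earlier in this file makes Microsoft Entra v2 tokens a hard requirement; state which issuer and audience values a v2 token carries so implementers validate against v2 expectations rather than v1 ones.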
<a name='device-alert-1224-for-azure-ad-user-token'></a>
## Device Alert 1224 for Microsoft Entra user token ## Device Alert 1224 for Microsoft Entra user token
An alert is sent when the DM session starts and there's a Microsoft Entra user logged in. The alert is sent in OMA DM package #1. Here's an example: An alert is sent when the DM session starts and there's a Microsoft Entra user logged in. The alert is sent in OMA DM package #1. Here's an example:
@ -372,15 +360,13 @@ Here's an example.
</SyncBody> </SyncBody>
``` ```
<a name='report-device-compliance-to-azure-ad'></a>
## Report device compliance to Microsoft Entra ID ## Report device compliance to Microsoft Entra ID
Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Microsoft Entra ID. This section covers the Graph API call you can use to report a device compliance status to Microsoft Entra ID. Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Microsoft Entra ID. This section covers the Graph API call you can use to report a device compliance status to Microsoft Entra ID.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822). For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID. - **Cloud-based MDM** - If your product is a cloud-based multitenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Microsoft Entra ID. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Microsoft Entra ID. - **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Microsoft Entra ID. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Microsoft Entra ID.
### Use Microsoft Graph API ### Use Microsoft Graph API
@ -415,8 +401,6 @@ Response:
- Success - HTTP 204 with No Content. - Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found. - Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
<a name='data-loss-during-unenrollment-from-azure-active-directory-join'></a>
## Data loss during unenrollment from Microsoft Entra join ## Data loss during unenrollment from Microsoft Entra join
When a user is enrolled into MDM through Microsoft Entra join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. When a user is enrolled into MDM through Microsoft Entra join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.


@ -2,7 +2,7 @@
title: Automatic MDM enrollment in the Intune admin center title: Automatic MDM enrollment in the Intune admin center
description: Automatic MDM enrollment in the Intune admin center description: Automatic MDM enrollment in the Intune admin center
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Automatic MDM enrollment in the Intune admin center # Automatic MDM enrollment in the Intune admin center


@ -1,13 +1,13 @@
--- ---
title: Bulk enrollment title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. description: Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Bulk enrollment using Windows Configuration Designer # Bulk enrollment using Windows Configuration Designer
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario. Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario.
## Typical use cases ## Typical use cases
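Review bot: The rewording inverts what bulk enrollment sets up. A provisioning package built with Windows Configuration Designer configures the devices so that they enroll with an existing MDM server (the next sentence says the Provisioning CSP is used for bulk enrollment); it does not set up the MDM server. Keep the original "set up a large number of devices to be managed by an MDM server" in both the description and the first paragraph.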
@ -68,7 +68,7 @@ Using the WCD, create a provisioning package using the enrollment information re
![bulk enrollment screenshot.](images/bulk-enrollment.png) ![bulk enrollment screenshot.](images/bulk-enrollment.png)
1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
1. When you're done adding all the settings, on the **File** menu, select **Save**. 1. After adding all the settings, select **Save** on the **File** menu.
1. On the main menu, select **Export** > **Provisioning package**. 1. On the main menu, select **Export** > **Provisioning package**.
![icd menu for export.](images/bulk-enrollment2.png) ![icd menu for export.](images/bulk-enrollment2.png)
@ -120,7 +120,7 @@ Using the WCD, create a provisioning package using the enrollment information re
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
1. When you're done adding all the settings, on the **File** menu, select **Save**. 1. After adding all the settings, select **Save** on the **File** menu.
1. Export and build the package (steps 10-13 in previous section). 1. Export and build the package (steps 10-13 in previous section).
1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
1. Apply the package to your devices. 1. Apply the package to your devices.
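Review bot: "Export and build the package (steps 10-13 in previous section)" hard-codes step numbers into a list that uses auto-numbered `1.` items, so the reference silently goes stale when steps are added or removed; link to the previous section's heading instead, or name the steps ("the **Export** > **Provisioning package** steps").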
@ -142,7 +142,7 @@ Using the WCD, create a provisioning package using the enrollment information re
- If the provisioning engine receives a failure from a CSP, it retries provisioning three times in a row. - If the provisioning engine receives a failure from a CSP, it retries provisioning three times in a row.
- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts are run from the SYSTEM context. - If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts are run from the SYSTEM context.
- It also retries the provisioning each time it's launched, if started from somewhere else as well. - It also retries the provisioning each time it's launched, if started from somewhere else as well.
- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions). - In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system is idle](/windows/win32/taskschd/task-idle-conditions).
## Related articles ## Related articles


@ -2,7 +2,7 @@
title: Certificate authentication device enrollment title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Certificate authentication device enrollment # Certificate authentication device enrollment

View File

@ -2,7 +2,7 @@
title: Certificate Renewal title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates. description: Learn how to find all the resources that you need to provide continuous access to client certificates.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Certificate Renewal # Certificate Renewal
@ -19,7 +19,7 @@ Windows supports automatic certificate renewal, also known as Renew On Behalf Of
> [!NOTE] > [!NOTE]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. > Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate. Auto certificate renewal is the only supported MDM client certificate renewal method for a device enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under `CertificateStore/My/WSTEP/Renew` URL. For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under `CertificateStore/My/WSTEP/Renew` URL.
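Review bot: the rewrite to 'for a device enrolled using WAB authentication' leaves two awkward constructions in this hunk untouched. The fragment 'Meaning, the AuthPolicy is set to Federated.' reads better folded into the preceding sentence as 'that is, when AuthPolicy is set to Federated', and 'during MDM management section' in the following paragraph looks like a typo for 'session' (the sentence pairs it with 'the MDM client certificate enrollment phase'). Since this hunk is already a wording pass on this paragraph, fix both here.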
@ -89,7 +89,7 @@ In Windows, the renewal period can only be set during the MDM enrollment phase.
For more information about the parameters, see the [CertificateStore configuration service provider](mdm/certificatestore-csp.md). For more information about the parameters, see the [CertificateStore configuration service provider](mdm/certificatestore-csp.md).
Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device will try to connect at different days of the week. Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device tries to connect at different days of the week.
## Certificate renewal response ## Certificate renewal response
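Review bot: minor wording in the rewritten sentence: 'the device tries to connect at different days of the week' should be 'on different days of the week', and earlier in the same line 'a couple months (40-60 days)' wants 'a couple of months'. Both are in the line this hunk already touches.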
@ -99,7 +99,7 @@ When RequestType is set to Renew, the web service verifies the following (in add
- The client's certificate is in the renewal period - The client's certificate is in the renewal period
- The certificate is issued by the enrollment service - The certificate is issued by the enrollment service
- The requester is the same as the requester for initial enrollment - The requester is the same as the requester for initial enrollment
- For standard client's request, the client hasn't been blocked - For standard client's request, the client isn't blocked
After validation is completed, the web service retrieves the PKCS#10 content from the PKCS#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. After validation is completed, the web service retrieves the PKCS#10 content from the PKCS#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
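Review bot: 'For standard client's request, the client isn't blocked' keeps the stray possessive from the original; suggest 'For a standard client request, the client isn't blocked' so it reads like the other three conditions in the list.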

View File

@ -2,7 +2,7 @@
title: Secured-core configuration lock title: Secured-core configuration lock
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
--- ---
@ -63,7 +63,7 @@ The steps to turn on config lock using Microsoft Intune are as follows:
Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune. Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off."::: :::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of System Guard protects your device from compromised firmware. The setting is set to Off.":::
## FAQ ## FAQ

View File

@ -1,13 +1,13 @@
--- ---
title: Declared configuration extensibility title: Declared configuration extensibility
description: Learn more about declared configuration extensibility through native WMI providers. description: Learn more about declared configuration extensibility through native WMI providers.
ms.date: 09/26/2023 ms.date: 07/08/2024
ms.topic: how-to ms.topic: how-to
--- ---
# Declared configuration extensibility providers # Declared configuration extensibility providers
The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that has implemented a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and may implement any number of string properties. The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that implements a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and can implement any number of string properties.
> [!NOTE] > [!NOTE]
> Only string properties are currently supported by extensibility providers. > Only string properties are currently supported by extensibility providers.
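Review bot: changing 'may implement any number of string properties' to 'can implement' weakens the normative contrast in that sentence. The same sentence says the interface 'must implement' GetTargetResource, TestTargetResource and SetTargetResource; 'may' is the conventional word for an optional part of an interface contract, while 'can' reads as a statement of capability. Unless the style guide forces the substitution, keep 'may' or write 'optionally implements'.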
@ -51,7 +51,7 @@ uint32 SetTargetResource(
To create a native WMI provider, follow the steps outlined in [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). These steps include how to generate the source code for an MI interface using the `Convert-MofToProvider.exe` tool to generate the DLL and prepare it for placement. To create a native WMI provider, follow the steps outlined in [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). These steps include how to generate the source code for an MI interface using the `Convert-MofToProvider.exe` tool to generate the DLL and prepare it for placement.
1. Create a MOF file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource. 1. Create a Managed Object Format (MOF) file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
2. Copy the schema MOF file along with any required files into the provider tools directory, for example: ProviderGenerationTool. 2. Copy the schema MOF file along with any required files into the provider tools directory, for example: ProviderGenerationTool.
3. Edit the required files and include the correct file names and class names. 3. Edit the required files and include the correct file names and class names.
4. Invoke the provider generator tool to generate the provider's project files. 4. Invoke the provider generator tool to generate the provider's project files.

View File

@ -1,7 +1,7 @@
--- ---
title: Declared configuration protocol title: Declared configuration protocol
description: Learn more about using declared configuration protocol for desired state management of Windows devices. description: Learn more about using declared configuration protocol for desired state management of Windows devices.
ms.date: 09/26/2023 ms.date: 07/08/2024
ms.topic: overview ms.topic: overview
--- ---

View File

@ -2,7 +2,7 @@
title: Mobile device management MDM for device updates title: Mobile device management MDM for device updates
description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
@ -25,7 +25,7 @@ In particular, Windows provides APIs to enable MDMs to:
- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested. - Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs. - Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
This article provides independent software vendors (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md). This article provides independent software publishers (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md).
> [!NOTE] > [!NOTE]
> The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [[MS-WSUSSS]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). > The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [[MS-WSUSSS]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
@ -88,7 +88,7 @@ This section describes a possible algorithm for using the server-server sync pro
First some background: First some background:
- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants. - If you have a multitenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about. - A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device. - The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
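Review bot: 'multi-tenant' → 'multitenant' is fine, but the unchanged third bullet in this hunk reads oddly: the MDM component forwards 'the list of needed updates it gets from each client ... if those updates aren't already known to the device'. The client is where that list came from, so the condition presumably intends 'aren't already known to the metadata sync service'. Worth confirming and fixing while this hunk is open.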
@ -130,7 +130,7 @@ The following screenshots of the administrator console show the list of update t
### SyncML example ### SyncML example
Set auto update to notify and defer. Set Microsoft AutoUpdate to notify and defer.
```xml ```xml
<SyncML xmlns="SYNCML:SYNCML1.1"> <SyncML xmlns="SYNCML:SYNCML1.1">
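Review bot: 'Set auto update to notify and defer' → 'Set Microsoft AutoUpdate to notify and defer' introduces a wrong product name. Microsoft AutoUpdate is the Office for Mac updater; this SyncML sample configures Windows Update behaviour through the Update area of Policy CSP that this page links earlier ('Policy CSP - Update'). Suggest 'Set automatic updates to notify and defer', or name the policy node the sample actually sets.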

View File

@ -2,7 +2,7 @@
title: Disconnecting from the management infrastructure (unenrollment) title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Disconnecting from the management infrastructure (unenrollment) # Disconnecting from the management infrastructure (unenrollment)
@ -22,14 +22,14 @@ During disconnection, the client executes the following tasks:
In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built in to ensure the notification is successfully sent to the device. In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built in to ensure the notification is successfully sent to the device.
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment can succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
> [!NOTE] > [!NOTE]
> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). > The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server. After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DMClient starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) article. The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) article.
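Review bot: replacing 'the DM client starts a DM session' with 'the DMClient starts a DM session' conflates the OMA DM client component with the DMClient CSP name, and the first line of this hunk still calls the same component 'the MDM client'. Keep 'DM client' (or 'MDM client') for the component and reserve 'DMClient' for the CSP. Separately, that first line still reads 'the MDM client will notify to the MDM server', which should be 'notifies the MDM server'.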
@ -107,15 +107,13 @@ You can only use the Work Access page to unenroll under the following conditions
- Enrollment was done using bulk enrollment. - Enrollment was done using bulk enrollment.
- Enrollment was created using the Work Access page. - Enrollment was created using the Work Access page.
<a name='unenrollment-from-azure-active-directory-join'></a>
## Unenrollment from Microsoft Entra join ## Unenrollment from Microsoft Entra join
When a user is enrolled into MDM through Microsoft Entra join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. When a user is enrolled into MDM through Microsoft Entra join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
![aadj unenerollment.](images/azure-ad-unenrollment.png) ![aadj unenerollment.](images/azure-ad-unenrollment.png)
During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state. During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device can get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Microsoft Entra ID, otherwise the device won't have any admin user after the operation. Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Microsoft Entra ID, otherwise the device won't have any admin user after the operation.
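Review bot: this hunk deletes the `<a name='unenrollment-from-azure-active-directory-join'></a>` anchor above the 'Unenrollment from Microsoft Entra join' heading. That anchor exists so deep links to the pre-rename fragment (#unenrollment-from-azure-active-directory-join) keep resolving after the heading slug changed; removing it silently breaks them. Keep the anchor, or confirm a redirect covers the old fragment before merging.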

View File

@ -3,7 +3,7 @@ title: Enable ADMX policies in MDM
description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
ms.topic: conceptual ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Enable ADMX policies in MDM # Enable ADMX policies in MDM

View File

@ -2,7 +2,7 @@
title: Enroll a Windows device automatically using Group Policy title: Enroll a Windows device automatically using Group Policy
description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices. description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
@ -12,7 +12,7 @@ ms.collection:
You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account. The group policy created on your local AD triggers enrollment into Intune without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account.
**Requirements**: **Requirements**:

View File

@ -2,7 +2,7 @@
title: Enterprise app management title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices. description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Enterprise app management # Enterprise app management
@ -116,7 +116,7 @@ There are two basic types of apps you can deploy:
- Store apps. - Store apps.
- Enterprise signed apps. - Enterprise signed apps.
To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for nonstore app deployment.
### Unlock the device for non-Store apps ### Unlock the device for non-Store apps
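Review bot: 'non-store app deployment' → 'nonstore app deployment' leaves the heading immediately below reading 'Unlock the device for non-Store apps', so the same term now appears in two spellings on adjacent lines. Pick one (the heading's 'non-Store', which matches the capitalised 'Microsoft Store' used later on the page, is the clearer) and apply it to both.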
@ -154,7 +154,7 @@ Here's an example:
### Unlock the device for developer mode ### Unlock the device for developer mode
Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of non-packaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP. Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of nonpackaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device. AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
@ -238,8 +238,8 @@ If you purchased an app from the Store for Business, the app license must be dep
In the SyncML, you need to specify the following information in the `Exec` command: In the SyncML, you need to specify the following information in the `Exec` command:
- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. - License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base 64 encoded license download from the Store for Business.
- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license. - License Content - This content is specified in the data section. The License Content is the Base 64 encoded blob of the license.
Here's an example of an offline license installation. Here's an example of an offline license installation.
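Review bot: 'Base64 encoded' → 'Base 64 encoded' in both bullets is a regression: Base64 (no space) is the standard spelling (RFC 4648) and the form this commit uses elsewhere, for example 'base64-encoded string' in the federated enrollment page further down. Revert to 'Base64 encoded', or use 'base64-encoded' to match that page.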
@ -469,7 +469,7 @@ When an app installation is completed, a Windows notification is sent. You can a
- NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed. - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated. - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear. - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean-up action hasn't completed, then this state may briefly appear.
- LastError - The last error reported by the app deployment server. - LastError - The last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server. - LastErrorDescription - Describes the last error reported by the app deployment server.
- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0. - Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0.

View File

@ -3,7 +3,7 @@ title: eSIM Enterprise Management
description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows. description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# How Mobile Device Management Providers support eSIM Management on Windows # How Mobile Device Management Providers support eSIM Management on Windows
@ -28,7 +28,7 @@ If you're a Mobile Device Management (MDM) Provider and want to support eSIM Man
- Assess solution type that you would like to provide your customers - Assess solution type that you would like to provide your customers
- Batch/offline solution - Batch/offline solution
- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to - Operator doesn't have visibility over status of the eSIM profiles
- Real-time solution - Real-time solution
- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via SIM vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via SIM vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
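Review bot: trimming the batch/offline bullet to 'Operator doesn't have visibility over status of the eSIM profiles' drops the second half of the original limitation, namely which device each eSIM profile was downloaded and installed on. That lost clause is exactly what the real-time bullet two lines down contrasts against ('has visibility on which devices are being used'), so the comparison is now lopsided. Suggest 'Operator doesn't have visibility into the status of the eSIM profiles or the devices they're installed on'.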

View File

@ -2,7 +2,7 @@
title: Federated authentication device enrollment title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Federated authentication device enrollment # Federated authentication device enrollment
@ -122,7 +122,7 @@ The discovery response is in the XML format and includes the following fields:
> [!NOTE] > [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
When authentication policy is set to be Federated, Web Authentication Broker (WAB) is used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client calls the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage is used by the enrollment client as the device security secret during the client certificate enrollment request call. When authentication policy is set to be Federated, Web Authentication Broker (WAB) is used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client calls the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an end page is used by the enrollment client as the device security secret during the client certificate enrollment request call.
> [!NOTE] > [!NOTE]
> Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: > Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
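Review bot: The "endpage" → "end page" fix is fine, but the same sentence still has "server hosted web pages" (should be hyphenated as "server-hosted") and "as consistent as possible to other builds in the MDM enrollment UI", where "consistent with the other pages in the MDM enrollment UI" is presumably what is meant; worth tidying in the same pass.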
@ -183,7 +183,7 @@ Content-Length: 556
</html> </html>
``` ```
The server has to send a POST to a redirect URL of the form `ms-app://string` (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `<wsse:BinarySecurityToken>` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form its just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string. The server has to send a POST to a redirect URL of the form `ms-app://string` (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `<wsse:BinarySecurityToken>` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string.
The following example shows a response received from the discovery web service that requires authentication via WAB. The following example shows a response received from the discovery web service that requires authentication via WAB.
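Review bot: Beyond the "its" → "it's" fix, the sentence describing the token is still misleading: the URI `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary` is the value of the EncodingType attribute, not the token itself, and inside a backtick code span the `\#` renders as a literal backslash, because backslash escapes don't apply in code spans. Suggest: "The security token value is a base64-encoded string carried in the `<wsse:BinarySecurityToken>` element, whose EncodingType attribute is `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary`." The clause "Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded" is also hard to parse; state in one sentence which encoding is applied on the return path.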
@ -367,7 +367,7 @@ The following snippet shows the policy web service response.
## Enrollment web service ## Enrollment web service
This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client. This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DMClient.
The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on, match the certificate template), the client can enroll successfully. The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on, match the certificate template), the client can enroll successfully.
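Review bot: Renaming "DM client" to "DMClient" in prose ("configurations needed to provision the DMClient") turns a generic description into what reads like the DMClient CSP name without a link. If the CSP is meant, link it (the repo has `mdm/dmclient-csp.md`, referenced elsewhere in this commit); if the generic device-management client is meant, "DM client" was the clearer wording. Apply the same choice consistently in the later hunk of this file.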
@ -471,15 +471,15 @@ Similar to the TokenType in the RST, the RSTR uses a custom ValueType in the Bin
The provisioning XML contains: The provisioning XML contains:
- The requested certificates (required) - The requested certificates (required)
- The DM client configuration (required) - The DMClient configuration (required)
The client installs the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. The client installs the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DMClient calls back to the server.
Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. More root and intermediate CA certificates could be provisioned during an OMA DM session. Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. More root and intermediate CA certificates could be provisioned during an OMA DM session.
When root and intermediate CA certificates are being provisioned, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning. When root and intermediate CA certificates are being provisioned, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning.
Here's a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section. Here's a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies, and app management section.
The following example shows the enrollment web service response. The following example shows the enrollment web service response.
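Review bot: "see the Enterprise settings, policies, and app management section" is still a bare reference with no link; add a link to the target article so the reader can follow it. The "DM client" → "DMClient" rename also lands here ("The DMClient configuration (required)", "when the DMClient calls back to the server"); if this refers to the DMClient CSP, link the first occurrence, otherwise keep "DM client".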

View File

@ -2,7 +2,7 @@
title: Support for Windows Information Protection (WIP) on Windows title: Support for Windows Information Protection (WIP) on Windows
description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices. description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Support for Windows Information Protection (WIP) on Windows # Support for Windows Information Protection (WIP) on Windows
@ -11,8 +11,6 @@ Windows Information Protection (WIP) is a lightweight solution for managing comp
[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)] [!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
<a name='integration-with-azure-ad'></a>
## Integration with Microsoft Entra ID ## Integration with Microsoft Entra ID
WIP is integrated with Microsoft Entra identity service. The WIP service supports Microsoft Entra integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Microsoft Entra ID is similar to mobile device management (MDM) integration. See [Microsoft Entra integration with MDM](azure-active-directory-integration-with-mdm.md). WIP is integrated with Microsoft Entra identity service. The WIP service supports Microsoft Entra integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Microsoft Entra ID is similar to mobile device management (MDM) integration. See [Microsoft Entra integration with MDM](azure-active-directory-integration-with-mdm.md).
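Review bot: Removing `<a name='integration-with-azure-ad'></a>` breaks any inbound links and bookmarks to the `#integration-with-azure-ad` fragment, the slug of the pre-rename Azure AD heading; before dropping it, confirm no other articles or external links use that fragment, or keep the anchor. The same applies to the other `azure-active-directory` anchors removed in this commit.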
@ -78,7 +76,7 @@ Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't pr
## Supported CSPs ## Supported CSPs
WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback: WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list can change later based on customer feedback:
- [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps. - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
- [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs. - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
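Review bot: "Note the list may change" → "Note the list can change" swaps possibility for ability; the usual style-guide choice for possibility is "might" ("Note that the list might change later based on customer feedback"), and "Note" should be followed by "that".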

View File

@ -13,7 +13,7 @@ metadata:
author: vinaypamnani-msft author: vinaypamnani-msft
ms.author: vinpa ms.author: vinpa
manager: aaroncz manager: aaroncz
ms.date: 01/18/2024 ms.date: 07/08/2024
localization_priority: medium localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new

View File

@ -2,13 +2,13 @@
title: Manage Windows devices in your organization - transitioning to modern management title: Manage Windows devices in your organization - transitioning to modern management
description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 08/10/2023 ms.date: 07/08/2024
ms.topic: conceptual ms.topic: conceptual
--- ---
# Manage Windows devices in your organization - transitioning to modern management # Manage Windows devices in your organization - transitioning to modern management
Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization. Use of personal devices for work, and users working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster. Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster.
@ -45,13 +45,13 @@ You can use Windows and services like [Microsoft Entra ID](/azure/active-directo
You can envision user and device management as falling into these two categories: You can envision user and device management as falling into these two categories:
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your employees can self-provision their devices: - **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your users can self-provision their devices:
- For corporate devices, they can set up corporate access with [Microsoft Entra join](/azure/active-directory/devices/overview). When you offer them Microsoft Entra join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. - For corporate devices, they can set up corporate access with [Microsoft Entra join](/azure/active-directory/devices/overview). When you offer them Microsoft Entra join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Microsoft Entra join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. Microsoft Entra join is also a great solution for temporary staff, partners, or other part-time users. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. - Likewise, for personal devices, users can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. - **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
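Review bot: The blanket "employees" → "users" replacement produces "temporary staff, partners, or other part-time users", which doesn't read as intended; "part-time staff" (or "part-time workers") keeps the meaning. "Domain joined PCs" in the context line below should be hyphenated as "Domain-joined".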
@ -71,7 +71,7 @@ As you review the roles in your organization, you can use the following generali
## Settings and configuration ## Settings and configuration
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. You can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, users are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. You can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
- **MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. - **MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.

View File

@ -2,7 +2,7 @@
title: Collect MDM logs title: Collect MDM logs
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server. description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
@ -40,7 +40,7 @@ mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zi
### Understanding zip structure ### Understanding zip structure
The zip file has logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub The zip file has logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning, and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub
- DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls - DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls
- DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider)
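Review bot: "It applies to the zip files collected via command line or Feedback Hub" still has no terminal period on either side of the change, and the list items use the informal "etls"; spell it out once as "ETL trace files (`.etl`)" so the abbreviation is defined before it is used.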

View File

@ -2,7 +2,7 @@
title: Diagnose MDM enrollment failures title: Diagnose MDM enrollment failures
description: Learn how to diagnose enrollment failures for Windows devices description: Learn how to diagnose enrollment failures for Windows devices
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Diagnose MDM enrollment # Diagnose MDM enrollment

View File

@ -5,12 +5,12 @@ ms.topic: conceptual
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# MDM enrollment of Windows devices # MDM enrollment of Windows devices
In today's cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email. In today's cloud-first world, enterprise IT departments increasingly want to let users use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email.
> [!NOTE] > [!NOTE]
> When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device. > When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device.
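Review bot: "let users use their own devices" is awkward after the "employees" → "users" substitution; "let people use their own devices" or "allow users to bring their own devices" reads better. The next sentence also switches to second person ("makes it easy for you"), so check that the audience is consistent across the paragraph.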
@ -24,8 +24,6 @@ You can connect corporate-owned devices to work by either joining the device to
> [!NOTE] > [!NOTE]
> For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md). > For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md).
<a name='connect-your-device-to-an-azure-ad-domain-join-azure-ad'></a>
### Connect your device to a Microsoft Entra domain (join Microsoft Entra ID) ### Connect your device to a Microsoft Entra domain (join Microsoft Entra ID)
All Windows devices can be connected to a Microsoft Entra domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to a Microsoft Entra domain using the Settings app. All Windows devices can be connected to a Microsoft Entra domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to a Microsoft Entra domain using the Settings app.

View File

@ -2,7 +2,7 @@
title: Known issues in MDM title: Known issues in MDM
description: Learn about known issues for Windows devices in MDM description: Learn about known issues for Windows devices in MDM
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Known issues # Known issues
@ -11,11 +11,11 @@ ms.date: 08/10/2023
A Get command inside an atomic command isn't supported. A Get command inside an atomic command isn't supported.
## Apps installed using WMI classes are not removed ## Apps installed using WMI classes aren't removed
Applications installed using WMI classes aren't removed when the MDM account is removed from device. Applications installed using WMI classes aren't removed when the MDM account is removed from device.
## Passing CDATA in SyncML does not work ## Passing CDATA in SyncML doesn't work
Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work. Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work.
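Review bot: The heading contractions are fine, but the context line "aren't removed when the MDM account is removed from device" is missing an article: "removed from the device".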
@ -222,8 +222,6 @@ Alternatively you can use the following procedure to create an EAP Configuration
After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
<a name='user-provisioning-failure-in-azure-active-directory-joined-devices'></a>
## User provisioning failure in Microsoft Entra joined devices ## User provisioning failure in Microsoft Entra joined devices
For Microsoft Entra joined devices, provisioning `.\User` resources fails when the user isn't logged in as a Microsoft Entra user. If you attempt to join Microsoft Entra ID from **Settings** &gt; **System** &gt; **About** user interface, ensure to sign out and sign in with Microsoft Entra credentials to get your organizational configuration from your MDM server. This behavior is by design. For Microsoft Entra joined devices, provisioning `.\User` resources fails when the user isn't logged in as a Microsoft Entra user. If you attempt to join Microsoft Entra ID from **Settings** &gt; **System** &gt; **About** user interface, ensure to sign out and sign in with Microsoft Entra credentials to get your organizational configuration from your MDM server. This behavior is by design.
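Review bot: Besides the removed anchor, which breaks inbound links to `#user-provisioning-failure-in-azure-active-directory-joined-devices`, the context line "ensure to sign out and sign in with Microsoft Entra credentials" is ungrammatical; use "make sure to sign out and sign in with". "from **Settings** > **System** > **About** user interface" also needs "the" before "user interface".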
@ -232,6 +230,6 @@ For Microsoft Entra joined devices, provisioning `.\User` resources fails when t
If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.
## Device management agent for the push-button reset is not working ## Device management agent for the push-button reset isn't working
The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service. The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
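Review bot: The context line above the heading change is a comma splice that obscures the actual requirement: "the user's certificate must meet the requirements for smart card certificate, the Subject field should contain…". Split it: "…must meet the requirements for a smart card certificate: the Subject field must contain the DNS domain name in the DN, or the SAN must contain a fully qualified UPN, so that the DC can be located from DNS registrations." Since a certificate that fails this is still accepted for VPN but silently can't be used for Kerberos, the requirement deserves an unambiguous sentence.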

View File

@ -1,7 +1,7 @@
--- ---
title: Mobile Device Management overview title: Mobile Device Management overview
description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy. description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
ms.date: 08/10/2023 ms.date: 07/08/2024
ms.topic: conceptual ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
ms.collection: ms.collection:
@ -56,8 +56,6 @@ For information about the MDM policies defined in the Intune security baseline,
No. Only one MDM is allowed. No. Only one MDM is allowed.
<a name='how-do-i-set-the-maximum-number-of-azure-active-directory-joined-devices-per-user'></a>
### How do I set the maximum number of Microsoft Entra joined devices per user? ### How do I set the maximum number of Microsoft Entra joined devices per user?
1. Sign in to the portal as tenant admin: <https://portal.azure.com>. 1. Sign in to the portal as tenant admin: <https://portal.azure.com>.

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_WindowsStore Policy CSP title: ADMX_WindowsStore Policy CSP
description: Learn more about the ADMX_WindowsStore Area in Policy CSP. description: Learn more about the ADMX_WindowsStore Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 07/08/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -200,7 +200,7 @@ Enables or disables the Store offer to update to the latest version of Windows.
<!-- RemoveWindowsStore_1-Applicability-Begin --> <!-- RemoveWindowsStore_1-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ❌ Device <br> ✅ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later | | ❌ Device <br> ✅ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- RemoveWindowsStore_1-Applicability-End --> <!-- RemoveWindowsStore_1-Applicability-End -->
<!-- RemoveWindowsStore_1-OmaUri-Begin --> <!-- RemoveWindowsStore_1-OmaUri-Begin -->
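Review bot: The Editions cell in the applicability table lists "Pro" with no ✅/❌ marker while every other edition has one, on both the old and the new line; given the editable-section note below says the policy isn't supported on Pro, this should presumably be "❌ Pro". This is an auto-generated CSP document (`<!-- Auto-Generated CSP Document -->`), so the fix belongs in the generator's source data rather than a hand edit. The same applies to the RemoveWindowsStore_2 table further down.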
@ -220,8 +220,6 @@ Denies or allows access to the Store application.
<!-- RemoveWindowsStore_1-Editable-Begin --> <!-- RemoveWindowsStore_1-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
<!-- RemoveWindowsStore_1-Editable-End --> <!-- RemoveWindowsStore_1-Editable-End -->
<!-- RemoveWindowsStore_1-DFProperties-Begin --> <!-- RemoveWindowsStore_1-DFProperties-Begin -->
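Review bot: the removed NOTE was the only text telling readers that RemoveWindowsStore isn't supported on Windows Professional, and it carried the link to the troubleshooting article. If the edition support actually changed, mark the Pro cell of the applicability table ✅ so the deletion is self-explanatory; if it didn't, the note should stay. A silent removal of a support caveat is the kind of change an admin relying on the policy will not notice.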
@ -261,7 +259,7 @@ Denies or allows access to the Store application.
<!-- RemoveWindowsStore_2-Applicability-Begin --> <!-- RemoveWindowsStore_2-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later | | ✅ Device <br> ❌ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- RemoveWindowsStore_2-Applicability-End --> <!-- RemoveWindowsStore_2-Applicability-End -->
<!-- RemoveWindowsStore_2-OmaUri-Begin --> <!-- RemoveWindowsStore_2-OmaUri-Begin -->
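Review bot: same issue as the RemoveWindowsStore_1 applicability table: the Pro edition cell has no ✅/❌ marker while the other editions do, so whatever changed in this row is invisible in the rendered table. Add the marker so Device-scope applicability on Pro is explicit.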
@ -281,8 +279,6 @@ Denies or allows access to the Store application.
<!-- RemoveWindowsStore_2-Editable-Begin --> <!-- RemoveWindowsStore_2-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
<!-- RemoveWindowsStore_2-Editable-End --> <!-- RemoveWindowsStore_2-Editable-End -->
<!-- RemoveWindowsStore_2-DFProperties-Begin --> <!-- RemoveWindowsStore_2-DFProperties-Begin -->
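Review bot: as with the _1 hunk, the Pro-edition NOTE is dropped here too, so the _2 applicability table needs an explicit Pro marker to carry that information; otherwise the Device-scope entry now says nothing about Pro at all.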

View File

@ -1,7 +1,7 @@
--- ---
title: Search Policy CSP title: Search Policy CSP
description: Learn more about the Search Area in Policy CSP. description: Learn more about the Search Area in Policy CSP.
ms.date: 04/10/2024 ms.date: 07/08/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -919,7 +919,7 @@ This policy setting configures whether or not locations on removable drives can
<!-- DoNotUseWebResults-Applicability-Begin --> <!-- DoNotUseWebResults-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later | | ✅ Device <br> ❌ User | Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- DoNotUseWebResults-Applicability-End --> <!-- DoNotUseWebResults-Applicability-End -->
<!-- DoNotUseWebResults-OmaUri-Begin --> <!-- DoNotUseWebResults-OmaUri-Begin -->
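Review bot: the Pro cell lacks an applicability marker here as well (`Pro <br> ✅ Enterprise`), so the edit to this row doesn't render as a visible change; mark Pro ✅ or ❌ explicitly to match the rest of the row and the convention used by the other auto-generated tables.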

View File

@ -2,7 +2,7 @@
title: Mobile device enrollment title: Mobile device enrollment
description: Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise. description: Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
@ -43,13 +43,13 @@ The certificate enrollment is an implementation of the MS-WSTEP protocol.
### Management configuration ### Management configuration
The server sends provisioning XML that contains a server certificate (for TLS/SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. The server sends provisioning XML that contains a server certificate (for TLS/SSL server authentication), a client certificate issued by enterprise CA, DMClient bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application.
The following articles describe the end-to-end enrollment process using various authentication methods: The following articles describe the end-to-end enrollment process using various authentication methods:
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) - [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) - [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) - [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md)
> [!NOTE] > [!NOTE]
> As a best practice, don't use hardcoded server-side checks on values such as: > As a best practice, don't use hardcoded server-side checks on values such as:
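Review bot: renaming "DM client bootstrap information" to "DMClient bootstrap information" in the Management configuration paragraph conflates the OMA DM client component with the DMClient CSP (the configuration service provider, as in the push-notification description later in this commit: "The DMClient CSP supports..."). If the intent is to standardize on the CSP name, write "DMClient CSP bootstrap information"; otherwise keep "DM client" for the software component and reserve "DMClient" for the CSP. The "On-premise" to "On-premises" link-text fix is good and matches the target article's title. A small nit on the same line: "issued by enterprise CA" should be "issued by an enterprise CA".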
@ -168,4 +168,4 @@ TraceID is a freeform text node that is logged. It should identify the server si
- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) - [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) - [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) - [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) - [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md)

View File

@ -3,7 +3,7 @@ title: What's new in MDM enrollment and management
description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices. description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices.
ms.topic: conceptual ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# What's new in mobile device enrollment and management # What's new in mobile device enrollment and management

View File

@ -2,7 +2,7 @@
title: OMA DM protocol support title: OMA DM protocol support
description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# OMA DM protocol support # OMA DM protocol support

View File

@ -2,7 +2,7 @@
title: On-premises authentication device enrollment title: On-premises authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# On-premises authentication device enrollment # On-premises authentication device enrollment

View File

@ -2,7 +2,7 @@
title: Push notification support for device management title: Push notification support for device management
description: The DMClient CSP supports the ability to configure push-initiated device management sessions. description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Push notification support for device management # Push notification support for device management

View File

@ -2,7 +2,7 @@
title: Server requirements for using OMA DM to manage Windows devices title: Server requirements for using OMA DM to manage Windows devices
description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM. description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Server requirements for using OMA DM to manage Windows devices # Server requirements for using OMA DM to manage Windows devices
@ -11,11 +11,11 @@ The following list shows the general server requirements for using OMA DM to man
- The OMA DM server must support the OMA DM v1.1.2 or later protocol. - The OMA DM server must support the OMA DM v1.1.2 or later protocol.
- Secure Sockets Layer (TLS/SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is preinstalled in the device, you must provision the enterprise root certificate in the device's Root store. - Secure Sockets Layer (TLS/SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a public Certification Authority whose root certificate is preinstalled in the device, you must provision the enterprise root certificate in the device's Root store.
- To authenticate the client at the application level, you must use either Basic or MD5 client authentication. - To authenticate the client at the application level, you must use either Basic or MD5 client authentication.
- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session. - The server MD5 nonce must be renewed in each DM session. The DMClient sends the new server nonce for the next session to the server over the Status element in every DM session.
- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash. - The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash.
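Review bot: three points beyond the "commercial" to "public" CA wording. First, the bullet still expands TLS/SSL as "Secure Sockets Layer"; since the line is being edited anyway, "Transport Layer Security (TLS)" is the accurate term. Second, the next bullet permits "Basic or MD5 client authentication" at the application level; both are weak on their own (Basic transmits the credential without protection and MD5 is a deprecated digest), so the doc should say explicitly that they are acceptable only inside the TLS channel the previous bullet already requires. Third, "the octal form of the binary data" almost certainly means the raw octets (bytes) rather than a base-8 representation, and "XML B64 encoded format" should read "Base64-encoded"; confirm the intended meaning and reword.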

View File

@ -2,7 +2,7 @@
title: Structure of OMA DM provisioning files title: Structure of OMA DM provisioning files
description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body. description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Structure of OMA DM provisioning files # Structure of OMA DM provisioning files

View File

@ -2,7 +2,7 @@
title: Understanding ADMX policies title: Understanding ADMX policies
description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices. description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Understanding ADMX policies # Understanding ADMX policies

View File

@ -2,7 +2,7 @@
title: Using PowerShell scripting with the WMI Bridge Provider title: Using PowerShell scripting with the WMI Bridge Provider
description: This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. description: This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Using PowerShell scripting with the WMI Bridge Provider # Using PowerShell scripting with the WMI Bridge Provider

View File

@ -2,7 +2,7 @@
title: Win32 and Desktop Bridge app ADMX policy Ingestion title: Win32 and Desktop Bridge app ADMX policy Ingestion
description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps. description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Win32 and Desktop Bridge app ADMX policy Ingestion # Win32 and Desktop Bridge app ADMX policy Ingestion

View File

@ -1,17 +1,17 @@
--- ---
title: Enterprise settings and policy management title: Enterprise settings and policy management
description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. description: The DMClient manages the interaction between a device and a server. Learn more about the client-server management workflow.
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# Enterprise settings and policy management # Enterprise settings and policy management
The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/). The actual management interaction between the device and server is done via the DMClient. The DMClient communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/).
Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml). Enterprise MDM settings are exposed via various configuration service providers to the DMClient. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml).
Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. During the enrollment process, the task scheduler is configured to invoke the DM client to periodically poll the MDM server. Windows currently supports one MDM server. The DMClient that is configured via the enrollment process is granted access to enterprise related settings. During the enrollment process, the task scheduler is configured to invoke the DMClient to periodically poll the MDM server.
The following diagram shows the work flow between server and client. The following diagram shows the work flow between server and client.
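Review bot: while these paragraphs are being touched for the DMClient rename, "enterprise related settings" should be hyphenated ("enterprise-related") and "work flow" should be "workflow". The same terminology concern as in the enrollment article applies: "DMClient" is the CSP's name, so "the DMClient that is configured via the enrollment process is granted access to enterprise related settings" now reads as the CSP rather than the client software. Consider "DM client" (or "the OMA DM client") for the component and "DMClient CSP" where the CSP is meant.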
@ -21,9 +21,9 @@ The following diagram shows the work flow between server and client.
This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure. This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure.
To facilitate security-enhanced communication with the remote server for enterprise management, Windows supports certificate-based mutual authentication over an encrypted TLS/SSL HTTP channel between the DM client and management service. The server and client certificates are provisioned during the enrollment process. To facilitate security-enhanced communication with the remote server for enterprise management, Windows supports certificate-based mutual authentication over an encrypted TLS/SSL HTTP channel between the DMClient and management service. The server and client certificates are provisioned during the enrollment process.
The DM client configuration, company policy enforcement, business application management, and device inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows term for managed objects. The DM client communicates with the server and sends configuration request to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the device. The DMClient configuration, company policy enforcement, business application management, and device inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows term for managed objects. The DMClient communicates with the server and sends configuration request to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the device.
Here's a summary of the DM tasks supported for enterprise management: Here's a summary of the DM tasks supported for enterprise management:
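Review bot: "sends configuration request to CSPs" should be "sends configuration requests to CSPs" (plural), and "in order to use the DM protocol XML" can be shortened to "to use the DM protocol XML". Otherwise the DMClient rename in this hunk has the same CSP-versus-client ambiguity noted above.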

View File

@ -2,7 +2,7 @@
title: WMI providers supported in Windows title: WMI providers supported in Windows
description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
ms.topic: conceptual ms.topic: conceptual
ms.date: 08/10/2023 ms.date: 07/08/2024
--- ---
# WMI providers supported in Windows # WMI providers supported in Windows

View File

@ -2,7 +2,7 @@
title: Diagnose Provisioning Packages title: Diagnose Provisioning Packages
description: Diagnose general failures in provisioning. description: Diagnose general failures in provisioning.
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 01/18/2023 ms.date: 07/09/2024
--- ---
# Diagnose Provisioning Packages # Diagnose Provisioning Packages
@ -11,22 +11,20 @@ This article helps diagnose common issues with applying provisioning packages. Y
## Unable to apply power settings ## Unable to apply power settings
When applying a provisioning package (PPKG) containing power settings, elevated permissions are required. Because elevated permissions are required, power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used. When you apply a provisioning package (PPKG) containing power settings, elevated permissions are required. Because elevated permissions are required, power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used.
To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings). To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings).
<a name='unable-to-perform-bulk-enrollment-in-azure-ad'></a>
## Unable to perform bulk enrollment in Microsoft Entra ID ## Unable to perform bulk enrollment in Microsoft Entra ID
When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). When you [enroll devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
> [!NOTE] > [!NOTE]
> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request might be rejected. > When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request might be rejected.
## Unable to apply a multivariant provisioning package ## Unable to apply a multivariant provisioning package
When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may have been improperly authored conditions that didn't evaluate as expected. When you apply a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may be improperly authored conditions that didn't evaluate as expected.
Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package wasn't applied. Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package wasn't applied.
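Review bot: a few issues survive the rewording. "power settings applied using the user context ... results in the error" needs "result" (plural subject). The path `%WINDIR%/Provisioning/Packages` uses forward slashes; Windows tolerates them, but the path a reader will type and the convention elsewhere in Windows docs is `%WINDIR%\Provisioning\Packages`. In the bulk enrollment paragraph the comma in "is rejected, if the user requesting a bulk token isn't authorized" should be removed (restrictive clause). Preserving the legacy `<a name='unable-to-perform-bulk-enrollment-in-azure-ad'>` anchor for inbound links is correct.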

View File

@ -2,12 +2,12 @@
title: Configuration service providers for IT pros title: Configuration service providers for IT pros
description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices.
ms.topic: how-to ms.topic: how-to
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Configuration service providers for IT pros # Configuration service providers for IT pros
This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference). This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Configuration Service Provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
## What is a CSP? ## What is a CSP?
@ -15,19 +15,15 @@ In the client operating system, a CSP is the interface between configuration set
On the Windows client platform, the management approach for desktop uses CSPs to configure and manage all devices running Windows client. On the Windows client platform, the management approach for desktop uses CSPs to configure and manage all devices running Windows client.
Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile. Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile. CSPs are behind many of the management tasks and policies for Windows client, both in Microsoft Intune and in non-Microsoft MDM service providers.
CSPs are behind many of the management tasks and policies for Windows client, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
:::image type="content" source="images/policytocsp.png" alt-text="How intune maps to CSP":::
CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge. CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
### Synchronization Markup Language (SyncML) ## Synchronization Markup Language (SyncML)
The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based SyncML for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations. The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based SyncML for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations.
### The WMI-to-CSP Bridge ## The WMI-to-CSP Bridge
The WMI-to-CSP Bridge is a component allowing configuration of Windows client CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. The WMI-to-CSP Bridge is a component allowing configuration of Windows client CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
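Review bot: this hunk drops the Intune example paragraph (Browser/AllowSearchSuggestionsinAddressBar in the Policy CSP) together with the `images/policytocsp.png` image; confirm the image file is deleted or no longer referenced elsewhere, and note that "What is a CSP?" loses its only concrete policy-to-CSP mapping example. Promoting "Synchronization Markup Language (SyncML)" and "The WMI-to-CSP Bridge" from ### to ## makes them siblings of "What is a CSP?" rather than its subsections; if that's intended, check the TOC and in-page navigation agree. Two existing typos in the touched context are worth fixing in the same pass: "formatted as in SyncML" should be "formatted as SyncML", and "reading WMI commands and ... pass them to a CSP" should be "passing them".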
@ -37,138 +33,20 @@ The WMI-to-CSP Bridge is a component allowing configuration of Windows client CS
Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices. Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices.
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. You can also learn about all of the available configuration settings. In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](/windows/client-management/mdm/configuration-service-provider-reference) can help you understand the settings that can be configured or queried. You can also learn about all of the available configuration settings.
### CSPs in Windows Configuration Designer ## CSPs in Windows Configuration Designer
You can use Windows Configuration Designer to create [provisioning packages](provisioning-packages.md) to apply settings to devices during the out-of-box-experience (OOBE), and after the devices are set up. You can also use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs. You can use Windows Configuration Designer to create [provisioning packages](provisioning-packages.md) to apply settings to devices during the out-of-box-experience (OOBE), and after the devices are set up. You can also use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs.
Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. Many settings in Windows Configuration Designer display documentation for that setting in the center pane, and include a reference to the CSP if the setting uses one.
:::image type="content" source="images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in ICD."::: :::image type="content" source="images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in ICD.":::
[Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. [Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
### CSPs in MDM ## CSPs in MDM
Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and can't find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](/mem/intune/configuration/custom-settings-configure) to deploy settings. Intune documents [a partial list of settings](/mem/intune/configuration/custom-settings-windows-10) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](/windows/client-management/mdm/configuration-service-provider-reference) to locate that information. When a CSP is available but isn't explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](/mem/intune/configuration/custom-settings-configure) to deploy settings. Intune documents [a partial list of settings](/mem/intune/configuration/custom-settings-windows-10) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](/windows/client-management/mdm/configuration-service-provider-reference) to locate that information.
### CSPs in Lockdown XML
## <a href="" id="bkmk-csp-doc"></a>How do you use the CSP documentation?
All CSPs are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
The [CSP reference](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows, and links to the documentation for each individual CSP.
:::image type="content" source="images/csptable.png" alt-text="The CSP reference shows the supported Windows editions":::
The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format.
The full path to a specific configuration setting is represented by its Open Mobile Alliance - Uniform Resource Identifier (OMA-URI). The URI is relative to the devices' root node (MSFT, for example). Features supported by a particular CSP can be set by addressing the complete OMA-URI path.
The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied.
:::image type="content" source="images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access CSP tree.":::
The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
```XML
./Vendor/MSFT/AssignedAccess/KioskModeApp
```
When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example.
:::image type="content" source="images/csp-placeholder.png" alt-text="The placeholder in the CSP tree":::
After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed.
For example, in the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app.
The documentation for most CSPs will also include an XML example.
## CSP examples
CSPs provide access to many settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful.
- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
The Policy CSP enables the enterprise to configure policies on Windows client. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
Some of the settings available in the Policy CSP include the following:
- **Accounts**, such as whether a non-Microsoft account can be added to the device.
- **Application management**, such as whether only Microsoft Store apps are allowed.
- **Bluetooth**, such as the services allowed to use it.
- **Browser**, such as restricting InPrivate browsing.
- **Connectivity**, such as whether the device can be connected to a computer by USB.
- **Defender** (for desktop only), such as day and time to scan.
- **Device lock**, such as the type of PIN or password required to unlock the device.
- **Experience**, such as allowing Cortana.
- **Security**, such as whether provisioning packages are allowed.
- **Settings**, such as enabling the user to change VPN settings.
- **Start**, such as applying a standard Start layout.
- **System**, such as allowing the user to reset the device.
- **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft.
- **Update**, such as whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
- **WiFi**, such as whether Internet sharing is enabled.
Here is a list of CSPs supported on Windows 10 Enterprise:
- [ActiveSync CSP](/windows/client-management/mdm/activesync-csp)
- [Application CSP](/windows/client-management/mdm/application-csp)
- [AppLocker CSP](/windows/client-management/mdm/applocker-csp)
- [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp)
- [Bootstrap CSP](/windows/client-management/mdm/bootstrap-csp)
- [BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp)
- [CellularSettings CSP](/windows/client-management/mdm/cellularsettings-csp)
- [CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp)
- [ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp)
- [CM\_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp)
- [CM\_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp)
- [CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp)
- [Defender CSP](/windows/client-management/mdm/defender-csp)
- [DevDetail CSP](/windows/client-management/mdm/devdetail-csp)
- [DeviceInstanceService CSP](/windows/client-management/mdm/deviceinstanceservice-csp)
- [DeviceLock CSP](/windows/client-management/mdm/devicelock-csp)
- [DeviceStatus CSP](/windows/client-management/mdm/devicestatus-csp)
- [DevInfo CSP](/windows/client-management/mdm/devinfo-csp)
- [DiagnosticLog CSP](/windows/client-management/mdm/diagnosticlog-csp)
- [DMAcc CSP](/windows/client-management/mdm/dmacc-csp)
- [DMClient CSP](/windows/client-management/mdm/dmclient-csp)
- [Email2 CSP](/windows/client-management/mdm/email2-csp)
- [EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp)
- [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp)
- [EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp)
- [EnterpriseExt CSP](/windows/client-management/mdm/enterpriseext-csp)
- [EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp)
- [FileSystem CSP](/windows/client-management/mdm/filesystem-csp)
- [HealthAttestation CSP](/windows/client-management/mdm/healthattestation-csp)
- [HotSpot CSP](/windows/client-management/mdm/hotspot-csp)
- [Maps CSP](/windows/client-management/mdm/maps-csp)
- [NAP CSP](/windows/client-management/mdm/filesystem-csp)
- [NAPDEF CSP](/windows/client-management/mdm/napdef-csp)
- [NodeCache CSP](https://go.microsoft.com/fwlink/p/?LinkId=723265)
- [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp)
- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
- [PolicyManager CSP](https://go.microsoft.com/fwlink/p/?LinkId=723418)
- [Provisioning CSP](/windows/client-management/mdm/provisioning-csp)
- [Proxy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723372)
- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp)
- [Registry CSP](/windows/client-management/mdm/registry-csp)
- [RemoteFind CSP](/windows/client-management/mdm/remotefind-csp)
- [RemoteWipe CSP](/windows/client-management/mdm/remotewipe-csp)
- [Reporting CSP](/windows/client-management/mdm/reporting-csp)
- [RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp)
- [SecurityPolicy CSP](/windows/client-management/mdm/securitypolicy-csp)
- [Storage CSP](/windows/client-management/mdm/storage-csp)
- [SUPL CSP](/windows/client-management/mdm/supl-csp)
- [UnifiedWriteFilter CSP](/windows/client-management/mdm/unifiedwritefilter-csp)
- [Update CSP](/windows/client-management/mdm/update-csp)
- [VPN CSP](/windows/client-management/mdm/vpn-csp)
- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
- [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp)
- [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp)
- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp)
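Review bot: the deleted "How do you use the CSP documentation?" section (from the `bkmk-csp-doc` anchor through the Windows 10 Enterprise CSP list) carried this page's only explanation of how an OMA-URI path such as `./Vendor/MSFT/AssignedAccess/KioskModeApp` maps onto a CSP tree diagram and its placeholder nodes; the updated first paragraph now links to the configuration-service-provider-reference instead, so confirm that reference actually explains OMA-URI path structure, otherwise keep those few paragraphs here. Dropping the empty `### CSPs in Lockdown XML` heading and the long list (which also had a bad entry, NAP CSP pointing at filesystem-csp) is fine. The `###` to `##` promotion of "CSPs in Windows Configuration Designer" and "CSPs in MDM" should be checked against the rest of the article's heading hierarchy so the two are not now siblings of the article title.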

View File

@ -1,63 +1,47 @@
--- ---
title: Provision PCs with common settings title: Create a provisioning package (desktop wizard)
description: Create a provisioning package to apply common settings to a PC running Windows 10. description: Create a provisioning package to apply common settings to a PC running Windows.
ms.topic: how-to ms.topic: how-to
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Provision PCs with common settings for initial deployment (desktop wizard) # Create a provisioning package (desktop wizard)
This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows client except Home. This article explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows client except Home. You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices:
## Advantages - [Instructions for the desktop wizard](#start-a-new-project)
- [Instructions for the kiosk wizard](../assigned-access/overview.md)
- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard)
- [Instructions for the Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub)
- You can configure new devices without reimaging In this example, we use the **Provision desktop devices** option which helps you configure the following settings in a provisioning package:
- Works on desktop devices
- No network connectivity required
- Simple to apply
[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md)
## What does the desktop wizard do?
The desktop wizard helps you configure the following settings in a provisioning package:
- Set device name - Set device name
- Upgrade product edition - Upgrade product edition
- Configure the device for shared use - Configure the device for shared use
- Remove pre-installed software - Remove preinstalled software
- Configure Wi-Fi network - Configure Wi-Fi network
- Enroll device in Active Directory or Microsoft Entra ID - Enroll device in Active Directory or Microsoft Entra ID
- Create local administrator account - Create local administrator account
- Add applications and certificates - Add applications and certificates
>[!WARNING] > [IMPORTANT]
>You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. > You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. ## Start a new project
> [!TIP] 1. Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut.
> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
>
> :::image type="content" source="images/icd-simple-edit.png" alt-text="In the desktop wizard, open the advanced editor.":::
## Create the provisioning package 1. Select **Provision desktop devices**.
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
1. Click **Provision desktop devices**.
:::image type="content" source="images/icd-create-options-1703.png" alt-text="In Windows Configuration Designer, see the ICD start options."::: :::image type="content" source="images/icd-create-options-1703.png" alt-text="In Windows Configuration Designer, see the ICD start options.":::
1. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. 1. Name your project and select **Finish**. The pages for desktop provisioning walk you through the following steps.
:::image type="content" source="images/icd-desktop-1703.png" alt-text="In Windows Configuration Designer, select Finish, and see the ICD desktop provisioning."::: :::image type="content" source="images/icd-desktop-1703.png" alt-text="In Windows Configuration Designer, select Finish, and see the ICD desktop provisioning.":::
> [!IMPORTANT] > [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
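Review bot: the new alert syntax is broken: `> [IMPORTANT]` is missing the `!`, so it renders as literal bracketed text rather than an Important callout; it should be `> [!IMPORTANT]`, the form used further down in this same hunk. Separately, the rewritten "Open Windows Configuration Designer" step drops the old pointer to provisioning-install-icd.md; consider keeping that link for readers who don't yet have the tool installed.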
@ -74,6 +58,9 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Configure devices for shared use**: Select **Yes** or **No** to optimize the Windows client for shared use scenarios. - **Configure devices for shared use**: Select **Yes** or **No** to optimize the Windows client for shared use scenarios.
- **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software.
> [!NOTE]
> To target devices running versions earlier than Windows 10, version 2004, ComputerName customization must be defined from the setting path: `Accounts/ComputerAccount/ComputerName` from the advanced editor. The default path from the simple editor uses a new CSP that isn't available on older systems.
1. Set up the network: 1. Set up the network:
:::image type="content" source="images/set-up-network-details-desktop.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: :::image type="content" source="images/set-up-network-details-desktop.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type.":::
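Review bot: the added note about using `Accounts/ComputerAccount/ComputerName` from the advanced editor for devices earlier than Windows 10, version 2004, is anchored after the shared-use and remove-software bullets, but it concerns the device name setting; move it directly under the device-name bullet, and name the CSP that the simple editor uses so readers can check whether it exists on their target build instead of discovering the failure after applying the package.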
@ -81,7 +68,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
If you want to enable network setup, select **Set up network**, and configure the following settings: If you want to enable network setup, select **Set up network**, and configure the following settings:
- **Set up network**: To enable wireless connectivity, select **On**. - **Set up network**: To enable wireless connectivity, select **On**.
- **Network SSID**: Enter the Service Set IDentifier (SSID) of the network. - **Network SSID**: Enter the Service Set Identifier (SSID) of the network.
- **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network.
1. Enable account management: 1. Enable account management:
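Review bot: the WPA2-Personal bullet has the reader enter the wireless network password, but nothing here says that the password is then carried in the .ppkg; add a sentence pointing at the **Protect your package** option later in this article (and the Important callout above about project files not being encrypted) so a package holding Wi-Fi credentials is not left unprotected on a USB drive.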
@ -91,10 +78,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
If you want to enable account management, select **Account Management**, and configure the following settings: If you want to enable account management, select **Account Management**, and configure the following settings:
- **Manage organization/school accounts**: Choose how devices are enrolled. Your options: - **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
- **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
- **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. If you select this option, enter a friendly name for the bulk token retrieved using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
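Review bot: the sentence "You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards" now appears twice, once in the Important callout near the top and again here after the bulk token paragraph; keep one. The bulk token paragraph should also say the token is to be handled as a credential: it authorizes joining devices to the tenant for up to 180 days, and it ends up in the package, which the earlier callout already flags as possibly containing sensitive information, so the shortest expiration that covers the deployment window is the right default.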
@ -123,6 +111,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Protect your package**: Select **Yes** or **No** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. - **Protect your package**: Select **Yes** or **No** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password.
After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. After you're done, select **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) ## Next steps
> [!div class="nextstepaction"]
> Learn more about applying a provisioning package:
>
> [Apply a provisioning package](provisioning-apply-package.md)

View File

@ -2,21 +2,21 @@
title: Provision PCs with apps title: Provision PCs with apps
description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
ms.topic: how-to ms.topic: how-to
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Provision PCs with apps # Provision PCs with apps
You can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This article explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. You can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This article explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#add-a-windows-desktop-application-using-advanced-editor).
>[!IMPORTANT] > [!IMPORTANT]
>If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Microsoft 365 Apps for enterprise). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Microsoft 365 Apps for enterprise 2016 apps using Microsoft Intune.](/intune/apps-add-office365) > If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise. Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to add Microsoft 365 Apps to Windows devices with Microsoft Intune.](/intune/apps-add-office365)
## Settings for UWP apps ## Settings for UWP apps
- **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app. - **License Path**: Specify the license file if it's an app from the Microsoft Store. This is optional if you have a certificate for the app.
- **Package family name**: Specify the package family name if you don't specify a license. This field will be autopopulated after you specify a license. - **Package family name**: Specify the package family name if you don't specify a license. This field will be autopopulated after you specify a license.
- **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app
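Review bot: the updated intro anchor `#add-a-windows-desktop-application-using-advanced-editor` matches the renamed heading later in this patch, so the old `<span id="adv" />` workaround is no longer needed. One leftover style point: "This field will be autopopulated after you specify a license" keeps the future tense while the rest of the patch moves to present tense; "is autopopulated" reads consistently with the surrounding bullets.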
@ -24,32 +24,23 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
### MSI installer ### MSI installer
- **Command line arguments**: Optionally, append more command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE
- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install
- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app
- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#extract-from-a-cab-example).
> [!NOTE] > [!NOTE]
> You can find more information about command-line options for Msiexec.exe [here](/windows/win32/msi/command-line-options). > You can find more information about command-line options for Msiexec.exe [here](/windows/win32/msi/command-line-options).
- **Command line arguments**: Optionally, append more command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE
- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install
- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app
- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
### Exe or other installer ### Exe or other installer
- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append more flags - **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append more flags
- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that isn't listed is interpreted as failure. The text boxes are space delimited.
- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited.
- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install - **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install
- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app - **Restart required**: Optionally, specify if you want to reboot after a successful install of this app
- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#extract-from-a-cab-example).
- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). ## Add a Windows desktop application using advanced editor
<span id="adv" />
## Add a Windows desktop application using advanced editor in Windows Configuration Designer
1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**.
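Review bot: the **Return Codes** bullet is missing a period after "(0 and 3010 by default respectively)" in both the old and new text; fix it while the line is being touched. The cab link anchor changes from `#extract-from-a-cab-example` to `#cab-extract` in two bullets; confirm provisioning-script-to-install-app.md actually carries a heading with that id, since the old form looked like an auto-generated heading slug and the new one does not.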
@ -61,50 +52,32 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
![enter settings for first app.](images/wcd-app-commands.png) ![enter settings for first app.](images/wcd-app-commands.png)
## Add a universal app to your package ## Add a universal app to your package using advanced editor
Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or non-Microsoft apps. This procedure assumes you're distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. 1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
1. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. 1. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
1. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). 1. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
1. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 1. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
1. For **DeviceContextAppLicense**, enter the **LicenseProductID**. 1. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Microsoft Store for Business, generate the unencoded license for the app on the app's download page. - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page.
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and select **Add**. - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and select **Add**.
1. In the **Available customizations** pane, select the **LicenseProductId** that you just added. 1. In the **Available customizations** pane, select the **LicenseProductId** that you just added.
1. For **LicenseInstall**, select **Browse**, navigate to the license file that you renamed *\<file name>*.**ms-windows-store-license**, and select the license file. 1. For **LicenseInstall**, select **Browse**, navigate to the license file that you renamed *\<file name>*.**ms-windows-store-license**, and select the license file.
[Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps) [Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps)
> [!NOTE] > [!IMPORTANT]
> Removing a provisioning package will not remove any apps installed by device context in that provisioning package. > Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
## Add a certificate to your package ## Add a certificate to your package
1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. 1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
1. Enter a **CertificateName** and then select **Add**. 1. Enter a **CertificateName** and then select **Add**.
1. Enter the **CertificatePassword**. 1. Enter the **CertificatePassword**.
1. For **CertificatePath**, browse and select the certificate to be used. 1. For **CertificatePath**, browse and select the certificate to be used.
1. Set **ExportCertificate** to **False**. 1. Set **ExportCertificate** to **False**.
1. For **KeyLocation**, select **Software only**. 1. For **KeyLocation**, select **Software only**.
## Add other settings to your package ## Add other settings to your package
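Review bot: The callout promoted to `[!IMPORTANT]` ("Removing a provisioning package will not remove any apps installed by device context") tells the admin what is left behind but gives no pointer to what removal does undo; link it to the existing "Settings changed when you uninstall a provisioning package" article (`provisioning-uninstall-package.md`), especially since the Related articles list that carried that link is deleted further down in this commit. The heading rename to "## Add a universal app to your package using advanced editor" also changes this section's anchor, so inbound links to the old slug need the same treatment as the desktop-app section above.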
@ -113,15 +86,15 @@ For details about the settings you can customize in provisioning packages, see [
## Build your package ## Build your package
1. When you are done configuring the provisioning package, on the **File** menu, select **Save**. 1. After you configure the provisioning package, on the **File** menu, select **Save**.
1. Read the warning that project files may contain sensitive information, and select **OK**. 1. Read the warning that project files may contain sensitive information, and select **OK**.
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location, and delete the project files when they're no longer needed. When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files aren't encrypted. Store the project files in a secure location, and delete the project files when they're no longer needed.
1. On the **Export** menu, select **Provisioning package**. 1. On the **Export** menu, select **Provisioning package**.
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** 1. Change **Owner** to **IT Admin**, which sets the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
1. Set a value for **Package Version**. 1. Set a value for **Package Version**.
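Review bot: The sentence "When you build a provisioning package, you may include sensitive information in the project files ... project files aren't encrypted" is a body paragraph wedged between numbered steps, where a reader skimming the list will miss it; the page already uses `> [!TIP]` and `> [!IMPORTANT]` callouts, so render it as `> [!IMPORTANT]` and say what is sensitive in concrete terms, since the preceding sections have the reader type a `CertificatePassword` and any credentials used by `ProvisioningCommands` into the project. Stating that the plaintext project folder, not just the `.ppkg`, must be protected and deleted is the point of the paragraph and should not be easy to skip.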
@ -130,51 +103,33 @@ For details about the settings you can customize in provisioning packages, see [
1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. 1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - **Enable package encryption** - If you select this option, an autogenerated password is shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select...** and choosing the certificate you want to use to sign the package. - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select...** and choosing the certificate you want to use to sign the package.
> [!TIP] > [!TIP]
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store. Any package signed with that certificate can be applied silently. > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store. Any package signed with that certificate can be applied silently.
1. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p> 1. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. Optionally, you can select **Browse** to change the default output location.
Optionally, you can select **Browse** to change the default output location.
1. Select **Next**. 1. Select **Next**.
1. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p> 1. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p> 1. If your build fails, an error message shows up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory is shown.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build.
- If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**.
- If you are done, select **Finish** to close the wizard and go back to the **Customizations Page**.
1. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: 1. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder - Shared network folder
- SharePoint site - SharePoint site
- Removable media (USB/SD) - Removable media (USB/SD)
- Email - Email
**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) ## Next steps
## Related articles > [!div class="nextstepaction"]
> Learn more about applying a provisioning package:
- [Provisioning packages for Windows client](provisioning-packages.md) >
- [How provisioning works in Windows client](provisioning-how-it-works.md) > [Apply a provisioning package](provisioning-apply-package.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
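Review bot: The TIP ending "Any package signed with that certificate can be applied silently" states the convenience but not the consequence: once the provisioning certificate is in the device's system store, whoever holds its private key can push configuration, accounts and scripts to every provisioned device with no user prompt. Add a sentence that the signing key must be protected accordingly (restricted access, ideally hardware-backed) and that the certificate should be dedicated to provisioning. Likewise, "an autogenerated password is shown on the screen" for package encryption should say the password must be conveyed to the person applying the package out of band, not stored beside the `.ppkg`. Replacing "Related articles" with a single "Next steps" link also drops this page's only links to `provisioning-uninstall-package.md` and `provisioning-multivariant.md`; confirm those are reachable from the TOC before removing them here.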


@ -2,7 +2,7 @@
title: Apply a provisioning package title: Apply a provisioning package
description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime). description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime).
ms.topic: how-to ms.topic: how-to
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Apply a provisioning package # Apply a provisioning package
@ -13,22 +13,20 @@ Provisioning packages can be applied to a device during initial setup (out-of-bo
> >
> - Applying a provisioning package to a desktop device requires administrator privileges on the device. > - Applying a provisioning package to a desktop device requires administrator privileges on the device.
> - You can interrupt a long-running provisioning process by pressing ESC. > - You can interrupt a long-running provisioning process by pressing ESC.
> - In addition to the following methods, you can use the PowerShell cmdlet [Install-ProvisioningPackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation.
> [!TIP]
> In addition to the following methods, you can use the PowerShell cmdlet [Install-ProvisioningPackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation.
## During initial setup ## During initial setup
To apply a provisioning package from a USB drive during initial setup: To apply a provisioning package from a USB drive during initial setup:
1. Start with a device on the initial setup screen. If the device has gone past this screen, reset the device to start over. To reset, go to **Settings** > **System** > [**Recovery**](ms-settings:recovery) > **Reset this PC**. 1. Start with a device on the initial setup screen. If the device goes past this screen, reset the device to start over. To reset, go to **Settings** > **System** > [**Recovery**](ms-settings:recovery) > **Reset this PC**.
:::image type="content" source="images/oobe.png" alt-text="The first screen when setting up a new PC."::: :::image type="content" source="images/oobe.png" alt-text="The first screen when setting up a new PC.":::
1. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. 1. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
- If there's only one provisioning package on the USB drive, the provisioning package is applied. See step 5. - If there's only one provisioning package on the USB drive, the provisioning package is applied. See step 5.
- If there's more than one provisioning package on the USB drive, Windows setup recognizes the drive and ask how you want to provision the device. Select **Install provisioning package** and select **Next**. - If there's more than one provisioning package on the USB drive, Windows setup recognizes the drive and asks how you want to provision the device. Select **Install provisioning package** and select **Next**.
:::image type="content" source="images/provisioning-oobe-choice.png" alt-text="What would you like to do?"::: :::image type="content" source="images/provisioning-oobe-choice.png" alt-text="What would you like to do?":::
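Review bot: The bullet "you can use the PowerShell cmdlet Install-ProvisioningPackage with `-LogsDirectoryPath` to get logs for the operation" now reads as if the cmdlet only produces logs; it is itself one of the ways to apply a package, so state that it applies the package from an elevated PowerShell session (it falls under the "requires administrator privileges" bullet just above) and that `-LogsDirectoryPath` is an optional switch. Separately, "If the device goes past this screen, reset the device" loses the meaning of the original "has gone past": the condition is that setup has already moved on, so the perfect tense was correct.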
@ -36,11 +34,11 @@ To apply a provisioning package from a USB drive during initial setup:
:::image type="content" source="images/provisioning-oobe-choose-package.png" alt-text="Choose a package."::: :::image type="content" source="images/provisioning-oobe-choose-package.png" alt-text="Choose a package.":::
1. The selected provisioning package will install and apply to the device. 1. The selected provisioning package is applied to the device.
:::image type="content" source="images/provisioning-oobe-installing.png" alt-text="Setting up your PC."::: :::image type="content" source="images/provisioning-oobe-installing.png" alt-text="Setting up your PC.":::
1. Wait for the device to load and begin applying the provisioning package. Once you see "You can remove your removable media now!" you can remove your USB drive. Windows will continue provisioning the device. 1. Wait for the device to load and begin applying the provisioning package. After you see "You can remove your removable media now!" you can remove your USB drive. Windows continues to provision the device.
## After initial setup ## After initial setup
@ -60,7 +58,7 @@ Provisioning packages can be applied after initial setup through Windows setting
:::image type="content" source="images/provisioning-runtime-add-package.png" alt-text="Select and add a package."::: :::image type="content" source="images/provisioning-runtime-add-package.png" alt-text="Select and add a package.":::
1. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you're installing before accepting the UAC prompt. Select **Yes**. 1. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you're installing before accepting the User Account Control (UAC) prompt. Select **Yes**.
:::image type="content" source="images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?"::: :::image type="content" source="images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?":::
@ -83,16 +81,3 @@ To apply a provisioning package directly, such as from a USB drive, folder, netw
1. The provisioning runtime asks if the package is from a source you trust. Verify that you're applying the correct package and that it's trusted. Select **Yes, add it**. 1. The provisioning runtime asks if the package is from a source you trust. Verify that you're applying the correct package and that it's trusted. Select **Yes, add it**.
:::image type="content" source="images/provisioning-runtime-trust.png" alt-text="Do you trust this package?"::: :::image type="content" source="images/provisioning-runtime-trust.png" alt-text="Do you trust this package?":::
## Related articles
- [Provisioning packages for Windows client](provisioning-packages.md)
- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
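Review bot: "Verify that you're applying the correct package and that it's trusted" (and "Ensure you trust the package you're installing" at the UAC step in the previous hunk) gives the reader no way to do the verifying; since a `.ppkg` taken from a USB drive or network share can run scripts at system level, say concretely what to check: that the package is signed by the certificate your organization uses for provisioning and that the name and version shown in the prompt match what the package author published. Deleting the Related articles block here also removes this page's only link to `provisioning-uninstall-package.md`, which is the natural follow-up to applying a package.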


@ -1,20 +1,17 @@
--- ---
title: Windows Configuration Designer command line interface title: Windows Configuration Designer command line interface
description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command line interface for Windows10/11 client devices. description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command line interface for Windows devices.
ms.topic: how-to ms.topic: how-to
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Windows Configuration Designer command line interface (reference) # Windows Configuration Designer command line interface
You can use the Windows Configuration Designer command line interface (CLI) to automate the building of provisioning packages. You can use the Windows Configuration Designer command line interface (CLI) to automate the building of provisioning packages.
- IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. - IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges.
- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create a provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). - You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create a provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
## Syntax ## Syntax
``` cmd ``` cmd
@ -29,25 +26,9 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML:<path_to_xml> /PackagePath:
| Switch | Required? | Arguments | | Switch | Required? | Arguments |
| --- | --- | --- | | --- | --- | --- |
| /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. | | /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. |
| /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | | /PackagePath | Yes | Specifies the path and the package name where the built provisioning package is saved. |
| /StoreFile | No</br></br></br>See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions is loaded by Windows Configuration Designer.</br></br></br>**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | | /StoreFile | No</br></br></br>See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions is loaded by Windows Configuration Designer.</br></br></br>**Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. |
| /Variables | No | Specifies a semicolon separated `<name>` and `<value>` macro pair. The format for the argument must be `<name>=<value>`. | | /Variables | No | Specifies a semicolon separated `<name>` and `<value>` macro pair. The format for the argument must be `<name>=<value>`. |
| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output. <br></br>Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. | | Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer autogenerates the decryption password and includes this information in the output. <br></br>Precede with `+` for encryption, or `-` for no encryption. The default is no encryption. |
| Overwrite | No | Denotes whether to overwrite an existing provisioning package. </br></br>Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | Overwrite | No | Denotes whether to overwrite an existing provisioning package. </br></br>Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). |
| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. |
## Related articles
- [Provisioning packages for Windows client](provisioning-packages.md)
- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
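Review bot: The `Encrypted` and `Overwrite` rows are written without the `/` that every other switch in the table carries and only say "Precede with `+` ... or `-`", so the actual form the user types is left implicit; spell it out as `+Encrypted` / `-Encrypted` and `+Overwrite` / `-Overwrite` in the Switch column and make sure the Syntax block above shows the same form. The `Encrypted` row also says the autogenerated decryption password "includes this information in the output": that means any build log or CI console capture now contains the password, which is worth a one-line caveat. Minor wording: "Specifies a semicolon separated `<name>` and `<value>` macro pair" should read "Specifies a semicolon-separated list of `<name>=<value>` macro pairs."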


@ -1,16 +1,14 @@
--- ---
title: Create a provisioning package title: Create a provisioning package (advanced)
description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. description: Learn how to create a provisioning package for Windows, which lets you quickly configure a device without having to install a new image.
ms.topic: how-to ms.topic: how-to
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Create a provisioning package # Create a provisioning package (advanced)
You can use Windows Configuration Designer to create a provisioning package (`.ppkg`) that contains customization settings, and then apply the provisioning package to a device running Windows client. You can use Windows Configuration Designer to create a provisioning package (`.ppkg`) that contains customization settings, and then apply the provisioning package to a device running Windows client.
>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
> [!TIP] > [!TIP]
> We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain. > We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain.
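Review bot: Removing the line "[Learn how to install Windows Configuration Designer.]" leaves the page with no pointer to its one prerequisite; the first step below ("Open Windows Configuration Designer") assumes it is installed. Keep the link, for example as a short prerequisites sentence before the steps. The TIP about using a least-privileged domain user account to join devices is the right advice and could add the reason a reader needs to act on it: that account's credentials end up inside the project files and the package, so the account should have no rights beyond creating computer objects in the target OU.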
@ -18,26 +16,11 @@ You can use Windows Configuration Designer to create a provisioning package (`.p
1. Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. 1. Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut.
1. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: 1. Select **Advanced provisioning** on the start page, which offers multiple options for creating a provisioning package, as shown in the following image:
![Configuration Designer wizards.](images/icd-create-options-1703.png) ![Configuration Designer wizards.](images/icd-create-options-1703.png)
- The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices: > [!TIP]
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
- [Instructions for HoloLens wizard](/hololens/hololens-provisioning)
- [Instructions for Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub)
Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards).
>[!NOTE]
>To target devices running versions earlier than Windows 10, version 2004, ComputerName customization must be defined from the setting path: `Accounts/ComputerAccount/ComputerName` from the advanced editor. The default path from the simple editor uses a new CSP that isn't available on older systems.
- The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.)
>[!TIP]
> You can start a project in the simple wizard editor and then switch the project to the advanced editor. > You can start a project in the simple wizard editor and then switch the project to the advanced editor.
> >
> ![Switch to advanced editor.](images/icd-switch.png) > ![Switch to advanced editor.](images/icd-switch.png)
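Review bot: The text now says "Select **Advanced provisioning**", but the image alt text still reads "Configuration Designer wizards." and the TIP still refers to starting "in the simple wizard editor", while the bullets that explained what the wizards are and linked to the desktop, kiosk, HoloLens and Surface Hub wizard pages are deleted. Either keep a one-line pointer to `provision-pcs-for-initial-deployment.md` (and the other wizard articles) so the TIP has something to refer to, or update the alt text and TIP to match the advanced-only scope the new "(advanced)" title announces.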
@ -67,7 +50,10 @@ For an advanced provisioning project, Windows Configuration Designer opens the *
![What the ICD interface looks like.](images/icd-runtime.png) ![What the ICD interface looks like.](images/icd-runtime.png)
The settings in Windows Configuration Designer are based on Windows client configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). The settings in Windows Configuration Designer are based on Windows client configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md).
> [!NOTE]
> To target devices running versions earlier than Windows 10, version 2004, ComputerName customization must be defined from the setting path: `Accounts/ComputerAccount/ComputerName` from the advanced editor. The default path from the simple editor uses a new CSP that isn't available on older systems.
The process for configuring settings is similar for all settings. The following table shows an example. The process for configuring settings is similar for all settings. The following table shows an example.
@ -83,11 +69,11 @@ The process for configuring settings is similar for all settings. The following
:::image type="content" source="images/icd-step3.png" alt-text="In Windows Configuration Designer, enter a name for the certificate."::: :::image type="content" source="images/icd-step3.png" alt-text="In Windows Configuration Designer, enter a name for the certificate.":::
1. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and more settings are displayed: 1. Some settings, such as this example, require additional information. In **Available customizations**, select the value you created, and more settings are displayed:
:::image type="content" source="images/icd-step4.png" alt-text="In Windows Configuration Designer, additional settings for client certificate are available."::: :::image type="content" source="images/icd-step4.png" alt-text="In Windows Configuration Designer, additional settings for client certificate are available.":::
1. When the setting is configured, it is displayed in the **Selected customizations** pane: 1. When the setting is configured, it's displayed in the **Selected customizations** pane:
:::image type="content" source="images/icd-step5.png" alt-text="In Windows Configuration Designer, the selected customizations pane shows your settings."::: :::image type="content" source="images/icd-step5.png" alt-text="In Windows Configuration Designer, the selected customizations pane shows your settings.":::
@ -97,27 +83,26 @@ For details on each specific setting, see [Windows Provisioning settings referen
## Build package ## Build package
1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. 1. After you configure your customizations, select **Export**, and then select **Provisioning Package**.
![Export on top bar.](images/icd-export-menu.png) ![Export on top bar.](images/icd-export-menu.png)
1. In the **Describe the provisioning package** window, enter the following information, and then select **Next**: 1. In the **Describe the provisioning package** window, enter the following information, and then select **Next**:
- **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
- **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field.
- **Name** - This field is prepopulated with the project name. You can change this value by entering a different name in the **Name** field.
- **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field.
- **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages). - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages).
- **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0. - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0.
1. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional: 1. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional:
- **Encrypt package** - If you select this option, an autogenerated password will be shown on the screen. - **Encrypt package** - If you select this option, an autogenerated password is shown on the screen.
- **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package.
>[!NOTE] > [!NOTE]
>You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. > You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device.
> >
>If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. > If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner.
1. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location. 1. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location.
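Review bot: The bold label on the Version bullet is missing its closing parenthesis on both sides of the diff (`**Version (in Major.Minor format**`); since this hunk already rewrites the neighbouring Name bullet, fix it here as `**Version (in Major.Minor format)**`. The NOTE text is otherwise sound: it correctly pairs **TrustedProvisioners** (what may install silently) with **RequireProvisioningPackageSignature** (what blocks unsigned packages), and only the `>` spacing changes.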
@ -125,29 +110,17 @@ For details on each specific setting, see [Windows Provisioning settings referen
If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page. If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page.
1. If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. 1. If your build fails, an error message appears that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. If your build is successful, the name of the provisioning package, output directory, and project directory is shown.
If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build.
1. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page. 1. When you're done, select **Finish** to close the wizard and go back to the **Customizations** page.
**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) ## Next steps
## Learn more > [!div class="nextstepaction"]
> Learn more about applying a provisioning package:
- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) >
> [Apply a provisioning package](provisioning-apply-package.md)
## Related articles
- [Provisioning packages for Windows client](provisioning-packages.md)
- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
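Review bot: Subject-verb agreement in the success sentence: "the name of the provisioning package, output directory, and project directory is shown" has a three-item compound subject, so the present-tense rewrite should read "are shown". Separately, replacing the "Learn more" and "Related articles" sections with a single next-step button removes this page's only link to the Configuration Manager bulk-enrollment article (/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm); confirm it is reachable from the TOC or keep it in the next-step block.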

@ -1,13 +1,13 @@
--- ---
title: How provisioning works in Windows 10/11 title: How provisioning works in Windows
description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings.
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# How provisioning works in Windows # How provisioning works in Windows
Provisioning packages in Windows client provide IT administrators with a simplified way to apply configuration settings to Windows client devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from <!-- the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) or through the --> Microsoft Store. Provisioning packages in Windows client provide IT administrators with a simplified way to apply configuration settings to Windows client devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from the Microsoft Store.
## Provisioning packages ## Provisioning packages
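Review bot: The front-matter description still reads "how provisioning package work" on both sides; since this hunk already touches the title and date, change it to "how provisioning packages work". Removing the HTML comment about the Windows ADK leaves "can be installed from the Microsoft Store" as the only install source, which is consistent with the install article changed in this same commit.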
@ -30,15 +30,10 @@ You can use provisioning packages for runtime device provisioning by accessing
When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence: When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence:
1. Microsoft 1. Microsoft
1. Silicon Vendor 1. Silicon Vendor
1. OEM 1. OEM
1. System Integrator 1. System Integrator
1. Mobile Operator 1. Mobile Operator
1. IT Admin 1. IT Admin
The valid value range of package rank level is 0 to 99. The valid value range of package rank level is 0 to 99.
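Review bot: "pre-defined" in the introductory sentence stays hyphenated while the rest of this commit moves to closed compounds ("prepopulated", "nonroaming"); change it to "predefined" here. "listed below" is position-dependent in rendered output and can become "listed in the following order".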
@ -130,16 +125,3 @@ When applying provisioning packages from a removable media attached to the devic
When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device. When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device.
After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**.
## Related articles
- [Provisioning packages for Windows client](provisioning-packages.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
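Review bot: The unchanged context line above the removed section still uses future tense ("will be the final value applied to the device") while the rest of this commit converts to present tense ("appears", "is shown"); since the hunk already spans that line, change it to "is the final value applied to the device". Dropping the whole "Related articles" list also removes this page's only link to "Settings changed when you uninstall a provisioning package", which the preceding paragraph on removing packages leads straight into; consider keeping that one link.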

@ -1,15 +1,17 @@
--- ---
title: Install Windows Configuration Designer title: Install Windows Configuration Designer
description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows.
ms.topic: how-to ms.topic: how-to
ms.reviewer: kevinsheehan ms.reviewer: kevinsheehan
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Install Windows Configuration Designer, and learn about any limitations # Install Windows Configuration Designer
Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.
On devices running Windows client, you can install [the Windows Configuration Designer app](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store.
## Supported platforms ## Supported platforms
Windows Configuration Designer can create provisioning packages for Windows client desktop, including Windows IoT Core, Microsoft Surface Hub, and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: Windows Configuration Designer can create provisioning packages for Windows client desktop, including Windows IoT Core, Microsoft Surface Hub, and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems:
@ -18,32 +20,22 @@ Windows Configuration Designer can create provisioning packages for Windows clie
- Windows 11 - Windows 11
- Windows 10 - x86 and amd64 - Windows 10 - x86 and amd64
- Windows 8.1 Update - x86 and amd64
- Windows 8.1 - x86 and amd64
- Windows 8 - x86 and amd64
- Windows 7 - x86 and amd64
**Server OS**: **Server OS**:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016 - Windows Server 2016
- Windows Server 2012 R2 Update
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
>[!WARNING] > [!WARNING]
>You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. > You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
## Install Windows Configuration Designer
On devices running Windows client, you can install [the Windows Configuration Designer app](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store.
## Current Windows Configuration Designer limitations ## Current Windows Configuration Designer limitations
- When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-). - When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-).
- Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step will display oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons won't be displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled. - Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step displays oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons aren't displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled.
- You can only run one instance of Windows Configuration Designer on your computer at a time. - You can only run one instance of Windows Configuration Designer on your computer at a time.
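Review bot: The TLS 1.2 limitation bullet runs the quoted `icd.log` error straight into "For more information" with no sentence break; add a period after the closing backtick. The error text itself, including "Azure AD", must stay verbatim because it is what the log emits, so it should not be renamed to Microsoft Entra like the surrounding prose. The supported-platform list changes in this hunk without saying why the older client and server releases were dropped; one sentence noting that only in-support releases are listed would help readers who still hit the TLS 1.2 error on older systems.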
@ -68,17 +60,10 @@ On devices running Windows client, you can install [the Windows Configuration De
- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer. Don't use external sources, like network shares or removable drives. Using local files reduces the risk of interrupting the build process from a network issue, or from disconnecting the USB device. - **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer. Don't use external sources, like network shares or removable drives. Using local files reduces the risk of interrupting the build process from a network issue, or from disconnecting the USB device.
**Next step**: [How to create a provisioning package](provisioning-create-package.md) ## Next steps
## Related articles > [!div class="nextstepaction"]
> Learn more about creating a provisioning package:
- [Provisioning packages for Windows client](provisioning-packages.md) >
- [How provisioning works in Windows client](provisioning-how-it-works.md) > [Create a provisioning package (desktop wizard)](provision-pcs-for-initial-deployment.md)
- [Create a provisioning package](provisioning-create-package.md) > [Create a provisioning package (advanced)](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)

@ -2,18 +2,18 @@
title: Create a provisioning package with multivariant settings title: Create a provisioning package with multivariant settings
description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions.
ms.topic: how-to ms.topic: how-to
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Create a provisioning package with multivariant settings # Create a provisioning package with multivariant settings
In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that apply to devices set up for French and a different set of customization settings for devices set up for Japanese.
To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices. To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
Let's begin by learning how to define a **Target**. Let's begin by learning how to define a **Target**.
## Define a target ## Target
In the XML file, you provide an **Id**, or friendly name, for each **Target**. Each **Target** is defined by at least one **TargetState** which contains at least one **Condition**. A **Condition** element defines the matching type between the condition and the specified value. In the XML file, you provide an **Id**, or friendly name, for each **Target**. Each **Target** is defined by at least one **TargetState** which contains at least one **Condition**. A **Condition** element defines the matching type between the condition and the specified value.
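Review bot: Renaming the heading from "Define a target" to "Target" changes its generated anchor from #define-a-target to #target; this page already relies on in-page anchors (the priority section links to #conditions), so check for inbound links to the old anchor elsewhere in the docs set before merging. Minor: "the .XML file" can be lowercased to ".xml" to match "customizations.xml" later on the page.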
@ -43,9 +43,9 @@ The following table shows the conditions supported in Windows client provisionin
| PNN | P0 | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. | | PNN | P0 | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. |
| GID1 | P0 | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. | | GID1 | P0 | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. |
| ICCID | P0 | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | | ICCID | P0 | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. |
| Roaming | P0 | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | | Roaming | P0 | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (nonroaming). |
| UICC | P0 | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:</br></br></br>- 0 - Empty</br>- 1 - Ready</br>- 2 - Locked | | UICC | P0 | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of these values:<br>0 - Empty<br>1 - Ready<br>2 - Locked |
| UICCSLOT | P0 | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:</br></br></br>- 0 - Slot 0</br>- 1 - Slot 1 | | UICCSLOT | P0 | N/A | Digit string | Use to specify the UICC slot. Set the value one of these values:<br>0 - Slot 0<br>1 - Slot 1 |
| ProcessorType | P1 | Supported | String | Use to target settings based on the processor type. | | ProcessorType | P1 | Supported | String | Use to target settings based on the processor type. |
| ProcessorName | P1 | Supported | String | Use to target settings based on the processor name. | | ProcessorName | P1 | Supported | String | Use to target settings based on the processor name. |
| AoAc ("Always On, Always Connected") | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. | | AoAc ("Always On, Always Connected") | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. |
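Review bot: The UICCSLOT row still reads "Set the value one of these values" on both sides, missing "to"; since the hunk already rewrites that cell, make it "Set the value to one of these values". Replacing `</br>` with `<br>` is correct, as `</br>` is not a valid HTML tag.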
@ -53,17 +53,16 @@ The following table shows the conditions supported in Windows client provisionin
| SocIdentifier | P1 | Supported | String | Use to target settings based on the Soc Identifier. Available since 25301 OS build version. | | SocIdentifier | P1 | Supported | String | Use to target settings based on the Soc Identifier. Available since 25301 OS build version. |
| Architecture | P1 | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | | Architecture | P1 | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. |
| Server | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | | Server | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. |
| Region | P1 | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | | Region | P1 | Supported | Enumeration | Use to target settings based on region, using the two digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). |
| Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | | Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the two digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). |
The matching types supported in Windows client are: The matching types supported in Windows client are:
| Matching type | Syntax | Example | | Matching type | Syntax | Example |
| --- | --- | --- | |-----------------------------------|-------------------------------------------|------------------------------------------------------------------------|
| Straight match | Matching type is specified as-is | &lt;Condition Name="ProcessorName" Value="Barton" /&gt; | | Straight match | Matching type is specified as-is | `&lt;Condition Name="ProcessorName" Value="Barton" /&gt;` |
| Regular expression (Regex) match | Matching type is prefixed by "Pattern:" | &lt;Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /&gt; | | Regular expressions (Regex) match | Matching type is prefixed with `Pattern:` | `&lt;Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /&gt;` |
| Numeric range match | Matching type is prefixed by "!Range:" | &lt;Condition Name="MNC" Value="!Range:400, 550" /&gt; | | Numeric range match | Matching type is prefixed with `!Range:` | `&lt;Condition Name="MNC" Value="!Range:400, 550" /&gt;` |
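Review bot: Wrapping the examples in backticks while keeping the `&lt;`/`&gt;` entities breaks the rendering: entity references are not decoded inside a code span, so the table will show the literal text `&lt;Condition Name="ProcessorName" Value="Barton" /&gt;`. Inside backticks use plain angle brackets, for example `<Condition Name="ProcessorName" Value="Barton" />`. Also "two digit" is a compound modifier and should be hyphenated ("two-digit"), and the matching-type label should stay singular ("Regular expression (Regex) match").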
### TargetState priorities ### TargetState priorities
@ -76,27 +75,18 @@ Settings that match more than one **TargetState** with equal priority are applie
The **TargetState** priority is assigned based on the condition's priority (see the [Conditions table](#conditions) for priorities). The priority evaluation rules are as followed: The **TargetState** priority is assigned based on the condition's priority (see the [Conditions table](#conditions) for priorities). The priority evaluation rules are as followed:
1. A **TargetState** with P0 conditions is higher than a **TargetState** without P0 conditions. 1. A **TargetState** with P0 conditions is higher than a **TargetState** without P0 conditions.
1. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions. 1. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions.
1. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched. 1. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched.
1. If the number of P0 conditions matched is equivalent, then the **TargetState** with the most matched P1 conditions has higher priority.
1. If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority.
1. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority. 1. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority.
## Create a provisioning package with multivariant settings ## Create a provisioning package with multivariant settings
Follow these steps to create a provisioning package with multivariant capabilities. Follow these steps to create a provisioning package with multivariant capabilities.
1. Build a provisioning package and configure the customizations you want to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md). 1. Build a provisioning package and configure the customizations you want to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md).
1. After you [configure the settings](provisioning-create-package.md#configure-settings), save the project.
1. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project.
1. Open the project folder and copy the customizations.xml file to any local location. 1. Open the project folder and copy the customizations.xml file to any local location.
1. Use an XML or text editor to open the customizations.xml file. 1. Use an XML or text editor to open the customizations.xml file.
The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The **Customizations** node of the file contains a **Common** section, which contains the customization settings. The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The **Customizations** node of the file contains a **Common** section, which contains the customization settings.
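Review bot: the priority rules in this hunk still contradict each other: rule 2 says a TargetState with both P0 and P1 conditions outranks one with only P0 conditions, while rule 3 says more matched P0 conditions win "regardless of the number of P1 conditions matched", so a reader cannot tell whether two P0 conditions beat one P0 plus one P1. State that P1 counts are compared only when the P0 counts are equal (which is what rule 4 already says) and drop rule 2, or restrict it to the equal-P0 case. In the same hunk the context line "The priority evaluation rules are as followed" should read "as follows".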
@ -131,10 +121,9 @@ Follow these steps to create a provisioning package with multivariant capabiliti
``` ```
1. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. 1. Edit the customizations.xml file to create a **Targets** section to describe the conditions that handle your multivariant settings.
The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**.
The following example shows the customizations.xml, which is modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**.
```XML ```XML
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
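Review bot: "which is modified to include several conditions" reads as if the file changes on its own; "modified to include the ProcessorName, ProcessorType, MCC, and MNC conditions" (or "that adds …") is clearer and avoids "including" twice in one sentence. The Targets section introduced here is what the Variant step below references by Id, so naming the Target Ids in the lead-in would help the reader connect the two examples.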
@ -185,18 +174,15 @@ Follow these steps to create a provisioning package with multivariant capabiliti
1. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this: 1. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this:
a. Define a child **TargetRefs** element. a. Define a child **TargetRefs** element.
b. Within the **TargetRefs** element, define a **TargetRef** element. You can define multiple **TargetRef** elements for each **Id** that you need to apply to customized settings. b. Within the **TargetRefs** element, define a **TargetRef** element. You can define multiple **TargetRef** elements for each **Id** that you need to apply to customized settings.
c. Move compliant settings from the **Common** section to the **Variant** section. c. Move compliant settings from the **Common** section to the **Variant** section.
If any of the **TargetRef** elements matches the **Target**, all settings in the **Variant** are applied. If any of the **TargetRef** elements matches the **Target**, all settings in the **Variant** are applied.
>[!NOTE] > [!NOTE]
>You can define multiple **Variant** sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. > You can define multiple **Variant** sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event.
The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that are applied if the conditions for the variant are met.
```XML ```XML
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
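Review bot: step b in this hunk, "You can define multiple TargetRef elements for each Id that you need to apply to customized settings", is inverted: each TargetRef names one Target Id, and a Variant may carry several TargetRef elements, one per Target it should apply to. Step c, "Move compliant settings from the Common section", is unclear; say "Move the settings that should apply only when a target matches". Since the note states that settings in Common are applied unconditionally on every triggering event, this is also the place to warn that anything conditional, including certificates or connectivity profiles meant for one carrier or hardware type, must be moved out of Common or it lands on every device the package is applied to.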
@ -249,10 +235,9 @@ Follow these steps to create a provisioning package with multivariant capabiliti
</Customizations> </Customizations>
</Settings> </Settings>
</WindowsCustomizations> </WindowsCustomizations>
``` ```
1. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. 1. Save the updated customizations.xml file and note the path to this updated file. You'll need the path as one of the values for the next step.
1. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. 1. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml.
@ -262,13 +247,10 @@ Follow these steps to create a provisioning package with multivariant capabiliti
icd.exe /Build-ProvisioningPackage /CustomizationXML:"C:\CustomProject\customizations.xml" /PackagePath:"C:\CustomProject\output.ppkg" /StoreFile:C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\Microsoft-Common-Provisioning.dat" icd.exe /Build-ProvisioningPackage /CustomizationXML:"C:\CustomProject\customizations.xml" /PackagePath:"C:\CustomProject\output.ppkg" /StoreFile:C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\Microsoft-Common-Provisioning.dat"
``` ```
In this example, the **StoreFile** corresponds to the location of the settings store that is used to create the package for the required Windows edition.
In this example, the **StoreFile** corresponds to the location of the settings store that will be used to create the package for the required Windows edition. > [!NOTE]
> The provisioning package created during this step contains the multivariant settings. You can use this package either as a standalone package that you can apply to a Windows device or use it as the base when starting another project.
>[!NOTE]
>The provisioning package created during this step will contain the multivariant settings. You can use this package either as a standalone package that you can apply to a Windows device or use it as the base when starting another project.
## Events that trigger provisioning ## Events that trigger provisioning
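Review bot: the icd.exe command line in this hunk is broken and the commit only edits the sentence below it: the `/StoreFile:` value has no opening quotation mark but ends with one (`/StoreFile:C:\Program Files (x86)\...\Microsoft-Common-Provisioning.dat"`), and the path contains spaces, so the shell splits it at `Program Files`. Write it as `/StoreFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\Microsoft-Common-Provisioning.dat"` to match the quoting of `/CustomizationXML` and `/PackagePath`.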
@ -277,25 +259,10 @@ When you install the multivariant provisioning package on a Windows client devic
The following events trigger provisioning on Windows client devices: The following events trigger provisioning on Windows client devices:
| Event | Windows client for desktop editions | | Event | Windows client for desktop editions |
| --- | --- | |---------------------------------------------------------|-------------------------------------|
| System boot | Supported | | System boot | Supported |
| Operating system update | Planned | | Operating system update | Planned |
| Package installation during device first run experience | Supported | | Package installation during device first run experience | Supported |
| Detection of SIM presence or update | Supported | | Detection of SIM presence or update | Supported |
| Package installation at runtime | Supported | | Package installation at runtime | Supported |
| Roaming detected | Not supported | | Roaming detected | Not supported |
## Related articles
- [Provisioning packages for Windows client](provisioning-packages.md)
- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
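Review bot: this hunk deletes the whole "Related articles" list from the multivariant page without adding the "Next steps" block that the script-install page gets elsewhere in this commit, so the page loses its links to the command-line reference and the apply-package article that the procedure above depends on; keep the list or add an equivalent Next steps pointer. The events table is only realigned here, but "Operating system update | Planned" is a forward-looking status carried over unchanged while ms.date is bumped to 2024; confirm it is still accurate or reword it.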


@ -1,9 +1,9 @@
--- ---
title: Provisioning packages overview title: Provisioning packages overview
description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. description: With Windows, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages are and what they do.
ms.reviewer: kevinsheehan ms.reviewer: kevinsheehan
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/31/2017 ms.date: 07/08/2024
--- ---
# Provisioning packages for Windows # Provisioning packages for Windows
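Review bot: the frontmatter title stays "Provisioning packages overview" while the H1 is "Provisioning packages for Windows"; the description change is fine, but align the two titles in the same hunk so search results and the page heading match.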
@ -12,29 +12,17 @@ Windows provisioning makes it easy for IT administrators to configure end-user d
A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows client, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows client, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
Provisioning packages are simple enough that with a short set of written instructions, a student, or non-technical employee can use them to configure their device. It can result in a significant reduction in the time required to configure multiple devices in your organization. Provisioning packages are simple enough that with a short set of written instructions, a student, or nontechnical users can use them to configure their device. It can result in a significant reduction in the time required to configure multiple devices in your organization.
<!-- The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages.-->
Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
<!--## New in Windows 10, version 1703-->
<!-- - The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Configuration Designer (WCD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only. -->
<!-- - Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Microsoft Store. -->
<!-- - Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions. -->
<!-- - The Provision desktop devices wizard (previously called Simple provisioning) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning. -->
<!-- - When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning. -->
<!-- - Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors.-->
<!-- - The Provision school devices wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Microsoft Store. -->
## Benefits of provisioning packages ## Benefits of provisioning packages
Provisioning packages let you: Provisioning packages let you:
- Quickly configure a new device without going through the process of installing a new image. - Quickly configure a new device without going through the process of installing a new image.
- Save time by configuring multiple devices using one provisioning package. - Save time by configuring multiple devices using one provisioning package.
- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. - Quickly configure user-owned devices in an organization without a mobile device management (MDM) infrastructure.
- Set up a device without the device having network connectivity. - Set up a device without the device having network connectivity.
Provisioning packages can be: Provisioning packages can be:
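Review bot: the rewritten sentence "a student, or nontechnical users can use them to configure their device" mixes singular and plural and keeps a stray comma; use "students or nontechnical users can use them to configure their devices". Deleting the commented-out Windows 10 release notes in this hunk is fine, but the note about the school wizard being removed is reintroduced later in the file, so make sure the two edits agree on wording.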
@ -44,57 +32,7 @@ Provisioning packages can be:
- Downloaded from a network share. - Downloaded from a network share.
- Deployed in NFC tags or barcodes. - Deployed in NFC tags or barcodes.
## What you can configure ## Provisioning scenarios
### Configuration Designer wizards
The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages.
| Step | Description | Desktop wizard | Kiosk wizard | HoloLens wizard |
| --- | --- | --- | --- | --- |
| Set up device | Assign device name, enter product key to upgrade Windows, configure shared use, remove pre-installed software | ✅ | ✅ | ✅ |
| Set up network | Connect to a Wi-Fi network | ✅ | ✅ | ✅ |
| Account management | Enroll device in Active Directory, enroll device in Microsoft Entra ID, or create a local administrator account | ✅ | ✅ | ✅ |
| Bulk Enrollment in Microsoft Entra ID | Enroll device in Microsoft Entra ID using Bulk Token</br></br> [Set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment. | ✅ | ✅ | ✅ |
| Add applications | Install applications using the provisioning package. | ✅ | ✅ | ❌ |
| Add certificates | Include a certificate file in the provisioning package. | ✅ | ✅ | ✅ |
| Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✅ | ❌ |
| Configure kiosk common settings | Set tablet mode, configure welcome and shutdown screens, turn off timeout settings | ❌ | ✅ | ❌ |
| Developer Setup | Enable Developer Mode | ❌ | ❌ | ✅ |
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#wizard)
>[!NOTE]
>After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package.
### Configuration Designer advanced editor
The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages.
| Customization options | Examples |
|---|---|
| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
| Applications | Windows apps, line-of-business applications |
| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service <br/><br/>Using a provisioning package for auto-enrollment to Microsoft Intune isn't supported. To enroll devices, use the Configuration Manager console. |
| Certificates | Root certification authority (CA), client certificates |
| Connectivity profiles | Wi-Fi, proxy settings, Email |
| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
| Data assets | Documents, music, videos, pictures |
| Start menu customization | Start menu layout, application pinning |
| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
<!-- ## Changes to provisioning in Windows 10, version 1607 -->
<!-- > [!NOTE] -->
<!-- > This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1701. -->
WCD, simplified common provisioning scenarios.
:::image type="content" source="images/icd.png" alt-text="Configuration Designer options":::
WCD supports the following scenarios for IT administrators: WCD supports the following scenarios for IT administrators:
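Review bot: after this hunk the renamed "## Provisioning scenarios" heading runs straight into the icd.png image and "WCD supports the following scenarios for IT administrators", but the old fragment "WCD, simplified common provisioning scenarios." that introduced the abbreviation is dropped, so WCD is never expanded as Windows Configuration Designer on the new page; add one sentence expanding it. Moving the wizard tables below the scenario list is otherwise a reasonable reorder.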
@ -111,8 +49,54 @@ WCD supports the following scenarios for IT administrators:
- MobileIron (password-string based enrollment) - MobileIron (password-string based enrollment)
- Other MDMs (cert-based enrollment) - Other MDMs (cert-based enrollment)
<!-- > [!NOTE] --> > [!NOTE]
<!-- > Windows ICD in Windows 10, version 1607, also provided a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](/education/windows/). --> > The Provision school devices wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Microsoft Store.
:::image type="content" source="images/icd.png" alt-text="Configuration Designer options":::
## What you can configure
Windows Configuration Designer provides the following simple provisioning scenarios:
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
- [Instructions for the kiosk wizard](../assigned-access/overview.md)
- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard)
- [Instructions for the Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub)
The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages.
| Step | Description | Desktop wizard | Kiosk wizard | HoloLens wizard |
| --- | --- | --- | --- | --- |
| Set up device | Assign device name, enter product key to upgrade Windows, configure shared use, remove preinstalled software | ✅ | ✅ | ✅ |
| Set up network | Connect to a Wi-Fi network | ✅ | ✅ | ✅ |
| Account management | Enroll device in Active Directory, enroll device in Microsoft Entra ID, or create a local administrator account | ✅ | ✅ | ✅ |
| Bulk Enrollment in Microsoft Entra ID | Enroll device in Microsoft Entra ID using Bulk Token</br></br> [Set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup), before you use Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment. | ✅ | ✅ | ✅ |
| Add applications | Install applications using the provisioning package. | ✅ | ✅ | ❌ |
| Add certificates | Include a certificate file in the provisioning package. | ✅ | ✅ | ✅ |
| Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✅ | ❌ |
| Configure kiosk common settings | Set tablet mode, configure welcome and shutdown screens, turn off timeout settings | ❌ | ✅ | ❌ |
| Developer Setup | Enable Developer Mode | ❌ | ❌ | ✅ |
> [!TIP]
> After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package.
## Configuration Designer advanced editor
The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages.
| Customization options | Examples |
|---|---|
| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
| Applications | Windows apps, line-of-business applications |
| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service <br/><br/>Using a provisioning package for autoenrollment to Microsoft Intune isn't supported. To enroll devices, use the Configuration Manager console. |
| Certificates | Root certification authority (CA), client certificates |
| Connectivity profiles | Wi-Fi, proxy settings, Email |
| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
| Data assets | Documents, music, videos, pictures |
| Start menu customization | Start menu layout, application pinning |
| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
## Related articles ## Related articles
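Review bot: the new "Provisioning scenarios" list adds a Surface Hub wizard link, but the wizard table that follows still has only Desktop, Kiosk, and HoloLens columns, so the reader cannot see what the Surface Hub wizard configures; add a column or state that the table covers the first three wizards. Two smaller points in the same hunk: the kiosk link moves from `../kiosk-single-app.md#wizard` to `../assigned-access/overview.md` and drops the section anchor, so confirm the target has a wizard section; and the Bulk Enrollment row still links to `/azure/active-directory/active-directory-azureadjoin-setup` although its text was renamed to Microsoft Entra, so update the link target or its text together.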


@ -1,17 +1,14 @@
--- ---
title: PowerShell cmdlets for provisioning Windows 10/11 title: PowerShell cmdlets for provisioning packages in Windows
description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 07/09/2024
ms.date: 12/31/2017
--- ---
# PowerShell cmdlets for provisioning Windows client (reference) # PowerShell cmdlets for provisioning Windows client
Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions.
## cmdlets
- **Add-ProvisioningPackage**: Applies a provisioning package. - **Add-ProvisioningPackage**: Applies a provisioning package.
Syntax: Syntax:
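Review bot: the frontmatter title becomes "PowerShell cmdlets for provisioning packages in Windows" while the H1 becomes "PowerShell cmdlets for provisioning Windows client"; pick one wording. Dropping the "## cmdlets" heading leaves the cmdlet list hanging directly off "These cmdlets make it easy to script the following functions.", which reads acceptably, but other pages that linked to the heading anchor will now land at the top of the page.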
@ -59,7 +56,7 @@ Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it e
- `Uninstall-TrustedProvisioningCertificate <thumbprint>` - `Uninstall-TrustedProvisioningCertificate <thumbprint>`
>[!NOTE] > [!NOTE]
> You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage` > You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage`
Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes: Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes:
@ -69,20 +66,5 @@ Trace logs are captured when using cmdlets. The following logs are available in
- ProvTrace.&lt;timestamp&gt;.TXT - TEXT file containing trace output formatted for easy reading, filtered to only show events logged by providers in the WPRP file - ProvTrace.&lt;timestamp&gt;.TXT - TEXT file containing trace output formatted for easy reading, filtered to only show events logged by providers in the WPRP file
- ProvLogReport.&lt;timestamp&gt;.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file - ProvLogReport.&lt;timestamp&gt;.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file
> [!NOTE]
> When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts.
>[!NOTE]
>When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts.
## Related articles
- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
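Review bot: the note that the cmdlets suppress the prompt for unsigned provisioning packages by default is the security-relevant statement on this page, and this hunk only reflows it. Because these cmdlets are meant for scripts that may apply packages pulled from a share, the note should say how to keep the prompt or require a signed package, and point at the trusted-provisioning-certificate cmdlets listed just above (`Uninstall-TrustedProvisioningCertificate <thumbprint>` and its Install- counterpart) as the supported way to trust a signing certificate instead of skipping the check. Also "Powershell" should be "PowerShell", and the "Related articles" list is removed here with no "Next steps" replacement, unlike the script-install page in this commit.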


@ -1,8 +1,8 @@
--- ---
title: Use a script to install a desktop app in provisioning packages title: Use a script to install a desktop app in provisioning packages
description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. description: With Windows, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
ms.topic: how-to ms.topic: how-to
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Use a script to install a desktop app in provisioning packages # Use a script to install a desktop app in provisioning packages
@ -57,14 +57,14 @@ Create a script to perform whatever work is needed to install the application(s)
You don't need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). You don't need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package).
>[!NOTE] > [!NOTE]
>All actions performed by the script must happen silently, showing no UI and requiring no user interaction.
> >
>The scripts will be run on the device in system context. > - All actions performed by the script must happen silently, showing no UI and requiring no user interaction.
> - The scripts will be run on the device in system context.
### Debugging example ### Debugging example
Granular logging isn't built in, so the logging must be built into the script itself. Here's an example script that logs 'Hello World' to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you'll see in the following examples, it's recommended that you log each action that your script performs. Granular logging isn't built in, so the logging must be built into the script itself. Here's an example script that logs `Hello World` to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you'll see in the following examples, it's recommended that you log each action that your script performs.
```log ```log
set LOGFILE=%SystemDrive%\HelloWorld.log set LOGFILE=%SystemDrive%\HelloWorld.log
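Review bot: the "Debugging example" block is a cmd batch script (`set LOGFILE=%SystemDrive%\HelloWorld.log`, `echo … >> %LOGFILE%`) but its fence is tagged ```log, so it gets no highlighting and reads as log output; tag it ```cmd. The reworked note now states that scripts run in system context; since that means every command in the package executes as LocalSystem with no UI, the note is the right place to add that the package and its CommandFiles must come from a trusted source, and that a log written by SYSTEM to the root of %SystemDrive% is readable by standard users by default, so scripts should not log secrets there.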
@ -105,8 +105,6 @@ PsExec.exe -accepteula -i -s cmd.exe /c 'powershell.exe my_powershell_script.ps1
echo result: %ERRORLEVEL% >> %LOGFILE% echo result: %ERRORLEVEL% >> %LOGFILE%
``` ```
<span id="cab-extract" />
### Extract from a .CAB example ### Extract from a .CAB example
This example script shows expansion of a .cab from the provisioning commands script, and installation of the expanded setup.exe This example script shows expansion of a .cab from the provisioning commands script, and installation of the expanded setup.exe
@ -178,20 +176,14 @@ When you're done, [build the package](provisioning-create-package.md#build-packa
1. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script. 1. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script.
1. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and "please wait" will be displayed on the screen. 1. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and "please wait" will be displayed on the screen.
>[!NOTE] > [!NOTE]
>There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. > There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time.
1. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there's no notification that provisioning or script execution has completed 1. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there's no notification that provisioning or script execution has completed
## Related articles ## Next steps
- [Provisioning packages for Windows client](provisioning-packages.md) > [!div class="nextstepaction"]
- [How provisioning works in Windows client](provisioning-how-it-works.md) > Learn more about applying a provisioning package:
- [Install Windows Configuration Designer](provisioning-install-icd.md) >
- [Create a provisioning package](provisioning-create-package.md) > [Apply a provisioning package](provisioning-apply-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
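Review bot: the second numbered step ("...there's no notification that provisioning or script execution has completed") still ends without a terminating period in both the old and new text; since this block is being rewritten, add it. Replacing the ten "Related articles" links with a single next-step action also removes this page's direct link to "Diagnose provisioning packages", which matters for an article whose preceding note says script execution gives no completion signal; confirm that page stays reachable from the restructured TOC in this commit, or keep that one link here.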

View File

@ -1,19 +1,18 @@
--- ---
title: Uninstall a provisioning package - reverted settings title: Settings changed when you uninstall a provisioning package
description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows desktop client devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/31/2017 ms.date: 07/09/2024
--- ---
# Settings changed when you uninstall a provisioning package # Settings changed when you uninstall a provisioning package
When you uninstall a provisioning package, only certain settings are revertible. This article lists the settings that are reverted when you uninstall a provisioning package. When you uninstall a provisioning package, only certain settings are revertible. This article lists the settings that are reverted when you uninstall a provisioning package. As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**.
As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**.
When a provisioning package is uninstalled, some of its settings are reverted, which means the value for the setting is changed to the next available or default value. Not all settings, however, are revertible. When a provisioning package is uninstalled, some of its settings are reverted, which means the value for the setting is changed to the next available or default value. Not all settings, however, are revertible.
Only settings in the following lists are revertible. > [!IMPORTANT]
> Only settings in the following lists are revertible.
## Registry-based settings ## Registry-based settings
@ -21,8 +20,8 @@ The registry-based settings that are revertible when a provisioning package is u
- [Wi-Fi Sense](../wcd/wcd-connectivityprofiles.md#wifisense) - [Wi-Fi Sense](../wcd/wcd-connectivityprofiles.md#wifisense)
- [CountryAndRegion](../wcd/wcd-countryandregion.md) - [CountryAndRegion](../wcd/wcd-countryandregion.md)
- DeviceManagement / PGList/ LogicalProxyName - [DeviceManagement / PGList / LogicalProxyName](../wcd/wcd-devicemanagement.md#pglist)
- UniversalAppInstall / LaunchAppAtLogin - [UniversalAppInstall](../wcd/wcd-universalappinstall.md) / LaunchAppAtLogin
- [Power](/previous-versions//dn953704(v=vs.85)) - [Power](/previous-versions//dn953704(v=vs.85))
- [TabletMode](../wcd/wcd-tabletmode.md) - [TabletMode](../wcd/wcd-tabletmode.md)
- [Maps](../wcd/wcd-maps.md) - [Maps](../wcd/wcd-maps.md)
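Review bot: the two newly linked items are inconsistent with each other: `DeviceManagement / PGList / LogicalProxyName` links the full path with a `#pglist` anchor, while `UniversalAppInstall / LaunchAppAtLogin` links only the CSP name and leaves `LaunchAppAtLogin` as plain text. If `wcd-universalappinstall.md` has a heading for `LaunchAppAtLogin`, link the full path with that anchor so both entries follow the same pattern.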
@ -33,26 +32,26 @@ The registry-based settings that are revertible when a provisioning package is u
## CSP-based settings ## CSP-based settings
Here is the list of revertible settings based on configuration service providers (CSPs). Here's the list of revertible settings based on configuration service providers (CSPs).
[ActiveSync CSP](/windows/client-management/mdm/activesync-csp) - [ActiveSync CSP](/windows/client-management/mdm/activesync-csp)
[AppLocker CSP](/windows/client-management/mdm/applocker-csp) - [AppLocker CSP](/windows/client-management/mdm/applocker-csp)
[BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp) - [BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp)
[CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp) - [CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp)
[ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp) - [ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp)
[RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp) - [RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp)
[CM_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp) - [CM_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp)
[CM_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp) - [CM_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp)
[CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp) - [CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp)
[CMPolicyEnterprise CSP](/windows/client-management/mdm/cmpolicyenterprise-csp) - [CMPolicyEnterprise CSP](/windows/client-management/mdm/cmpolicyenterprise-csp)
[EMAIL2 CSP](/windows/client-management/mdm/email2-csp) - [EMAIL2 CSP](/windows/client-management/mdm/email2-csp)
[EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp) - [EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp)
[EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp) - [EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp)
[EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp) - [EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp)
[NAP CSP](/windows/client-management/mdm/nap-csp) - [NAP CSP](/windows/client-management/mdm/nap-csp)
[PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp) - [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp)
[Provisioning CSP](/windows/client-management/mdm/provisioning-csp) - [Provisioning CSP](/windows/client-management/mdm/provisioning-csp)
[SecureAssessment CSP](/windows/client-management/mdm/secureassessment-csp) - [SecureAssessment CSP](/windows/client-management/mdm/secureassessment-csp)
[VPN CSP](/windows/client-management/mdm/vpn-csp) - [VPN CSP](/windows/client-management/mdm/vpn-csp)
[VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) - [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
[WiFi CSP](/windows/client-management/mdm/wifi-csp) - [WiFi CSP](/windows/client-management/mdm/wifi-csp)

View File

@ -1,29 +1,35 @@
items: items:
- name: Overview - name: Overview
href: provisioning-packages.md href: provisioning-packages.md
- name: How provisioning works in Windows client - name: How provisioning works
href: provisioning-how-it-works.md href: provisioning-how-it-works.md
- name: Introduction to configuration service providers (CSPs) - name: Quickstarts
href: how-it-pros-can-use-configuration-service-providers.md items:
- name: Install Windows Configuration Designer - name: Install Windows Configuration Designer
href: provisioning-install-icd.md href: provisioning-install-icd.md
- name: Create a provisioning package - name: Create a provisioning package (desktop wizard)
href: provision-pcs-for-initial-deployment.md
- name: Create a provisioning package (advanced)
href: provisioning-create-package.md href: provisioning-create-package.md
- name: Apply a provisioning package - name: Apply a provisioning package
href: provisioning-apply-package.md href: provisioning-apply-package.md
- name: Settings changed when you uninstall a provisioning package - name: Provision apps
href: provisioning-uninstall-package.md items:
- name: Provision PCs with common settings for initial deployment (desktop wizard) - name: Provision apps
href: provision-pcs-for-initial-deployment.md
- name: Provision PCs with apps
href: provision-pcs-with-apps.md href: provision-pcs-with-apps.md
- name: Use a script to install a desktop app in provisioning packages - name: Use a script to install a desktop app
href: provisioning-script-to-install-app.md href: provisioning-script-to-install-app.md
- name: Create a provisioning package with multivariant settings - name: Create a provisioning package with multivariant settings
href: provisioning-multivariant.md href: provisioning-multivariant.md
- name: PowerShell cmdlets for provisioning Windows client (reference)
href: provisioning-powershell.md
- name: Diagnose provisioning packages - name: Diagnose provisioning packages
href: diagnose-provisioning-packages.md href: diagnose-provisioning-packages.md
- name: Windows Configuration Designer command-line interface (reference) - name: Settings changed when you uninstall a provisioning package
href: provisioning-uninstall-package.md
- name: Reference
items:
- name: Introduction to configuration service providers (CSPs)
href: how-it-pros-can-use-configuration-service-providers.md
- name: Windows Configuration Designer command-line interface
href: provisioning-command-line.md href: provisioning-command-line.md
- name: PowerShell cmdlets for provisioning Windows client
href: provisioning-powershell.md
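Review bot: the new `Provision apps` parent node has a child also named `Provision apps` (pointing to `provision-pcs-with-apps.md`), which renders as a duplicated entry in the navigation tree. Either give the parent node the `href` and keep only the script and multivariant children, or keep the child's previous name (`Provision PCs with apps`) so the two levels are distinguishable.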

View File

@ -29,7 +29,7 @@
- name: Plan - name: Plan
items: items:
- name: Plan for Windows 11 - name: Plan for Windows 11
href: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /windows/whats-new/windows-11-plan?context=/windows/deployment/context/context
- name: Create a deployment plan - name: Create a deployment plan
href: update/create-deployment-plan.md href: update/create-deployment-plan.md
- name: Define readiness criteria - name: Define readiness criteria
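Review bot: the new `?context=/windows/deployment/context/context` query targets the ContextObject file this commit adds (with `toc_rel: ../toc.yml` and `breadcrumb_path: ../breadcrumb/toc.yml`), which means that file must live at `windows/deployment/context/context.yml` for the relative paths to resolve; verify the filename and location match the query string before merge, otherwise every cross-repo link in these hunks loses its TOC and breadcrumb. Since all of the old `?toc=...&bc=...` pairs in this file are being replaced, a quick search for any remaining `?toc=` occurrences in the same TOC would confirm none were missed.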
@ -41,12 +41,12 @@
- name: Define your servicing strategy - name: Define your servicing strategy
href: update/plan-define-strategy.md href: update/plan-define-strategy.md
- name: Delivery Optimization for Windows client updates - name: Delivery Optimization for Windows client updates
href: do/waas-delivery-optimization.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: do/waas-delivery-optimization.md?context=/windows/deployment/context/context
items: items:
- name: Using a proxy with Delivery Optimization - name: Using a proxy with Delivery Optimization
href: do/delivery-optimization-proxy.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: do/delivery-optimization-proxy.md?context=/windows/deployment/context/context
- name: Delivery Optimization client-service communication - name: Delivery Optimization client-service communication
href: do/delivery-optimization-workflow.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: do/delivery-optimization-workflow.md?context=/windows/deployment/context/context
- name: Windows 10 deployment considerations - name: Windows 10 deployment considerations
href: planning/windows-10-deployment-considerations.md href: planning/windows-10-deployment-considerations.md
- name: Windows 10 infrastructure requirements - name: Windows 10 infrastructure requirements
@ -56,17 +56,17 @@
- name: Features removed or planned for replacement - name: Features removed or planned for replacement
items: items:
- name: Windows client features lifecycle - name: Windows client features lifecycle
href: /windows/whats-new/feature-lifecycle?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /windows/whats-new/feature-lifecycle?context=/windows/deployment/context/context
- name: Deprecated features - name: Deprecated features
href: /windows/whats-new/deprecated-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /windows/whats-new/deprecated-features?context=/windows/deployment/context/context
- name: Resources for deprecated features - name: Resources for deprecated features
href: /windows/whats-new/deprecated-features-resources?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /windows/whats-new/deprecated-features-resources?context=/windows/deployment/context/context
- name: Removed features - name: Removed features
href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /windows/whats-new/removed-features?context=/windows/deployment/context/context
- name: Prepare - name: Prepare
items: items:
- name: Prepare for Windows 11 - name: Prepare for Windows 11
href: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /windows/whats-new/windows-11-prepare?context=/windows/deployment/context/context
- name: Prepare to deploy Windows client updates - name: Prepare to deploy Windows client updates
href: update/prepare-deploy-windows.md href: update/prepare-deploy-windows.md
- name: Evaluate and update infrastructure - name: Evaluate and update infrastructure
@ -74,7 +74,7 @@
- name: Update Baseline - name: Update Baseline
href: update/update-baseline.md href: update/update-baseline.md
- name: Set up Delivery Optimization for Windows client updates - name: Set up Delivery Optimization for Windows client updates
href: do/waas-delivery-optimization-setup.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: do/waas-delivery-optimization-setup.md?context=/windows/deployment/context/context
- name: Configure BranchCache for Windows client updates - name: Configure BranchCache for Windows client updates
href: update/waas-branchcache.md href: update/waas-branchcache.md
- name: Prepare for deployment with Configuration Manager - name: Prepare for deployment with Configuration Manager
@ -324,25 +324,25 @@
- name: Resolve Windows upgrade errors - name: Resolve Windows upgrade errors
href: upgrade/resolve-windows-upgrade-errors.md href: upgrade/resolve-windows-upgrade-errors.md
- name: Quick fixes - name: Quick fixes
href: /troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?context=/windows/deployment/context/context
- name: SetupDiag - name: SetupDiag
href: upgrade/setupdiag.md href: upgrade/setupdiag.md
- name: Troubleshooting upgrade errors - name: Troubleshooting upgrade errors
href: /troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?context=/windows/deployment/context/context
- name: Windows error reporting - name: Windows error reporting
href: upgrade/windows-error-reporting.md href: upgrade/windows-error-reporting.md
- name: Upgrade error codes - name: Upgrade error codes
href: /troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?context=/windows/deployment/context/context
- name: Log files - name: Log files
href: upgrade/log-files.md href: upgrade/log-files.md
- name: Resolution procedures - name: Resolution procedures
href: /troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?context=/windows/deployment/context/context
- name: Submit Windows client upgrade errors - name: Submit Windows client upgrade errors
href: upgrade/submit-errors.md href: upgrade/submit-errors.md
- name: Troubleshoot Windows Update - name: Troubleshoot Windows Update
items: items:
- name: How to troubleshoot Windows Update - name: How to troubleshoot Windows Update
href: /troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?context=/windows/deployment/context/context
- name: Opt out of safeguard holds - name: Opt out of safeguard holds
href: update/safeguard-opt-out.md href: update/safeguard-opt-out.md
- name: Determine the source of Windows Updates - name: Determine the source of Windows Updates
@ -350,7 +350,7 @@
- name: Windows Update security - name: Windows Update security
href: ./update/windows-update-security.md href: ./update/windows-update-security.md
- name: Common Windows Update errors - name: Common Windows Update errors
href: /troubleshoot/windows-client/deployment/common-windows-update-errors?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /troubleshoot/windows-client/deployment/common-windows-update-errors?context=/windows/deployment/context/context
- name: Windows Update error code reference - name: Windows Update error code reference
href: update/windows-update-error-reference.md href: update/windows-update-error-reference.md
- name: Troubleshoot the Windows Update for Business deployment service - name: Troubleshoot the Windows Update for Business deployment service
@ -371,13 +371,13 @@
- name: Servicing stack updates - name: Servicing stack updates
href: update/servicing-stack-updates.md href: update/servicing-stack-updates.md
- name: Update CSP policies - name: Update CSP policies
href: /windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: /windows/client-management/mdm/policy-csp-update?context=/windows/deployment/context/context
- name: Additional Windows Update settings - name: Additional Windows Update settings
href: update/waas-wu-settings.md href: update/waas-wu-settings.md
- name: Update other Microsoft products - name: Update other Microsoft products
href: update/update-other-microsoft-products.md href: update/update-other-microsoft-products.md
- name: Delivery Optimization reference - name: Delivery Optimization reference
href: do/waas-delivery-optimization-reference.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: do/waas-delivery-optimization-reference.md?context=/windows/deployment/context/context
- name: FoD and language packs for WSUS and Configuration Manager - name: FoD and language packs for WSUS and Configuration Manager
href: update/fod-and-lang-packs.md href: update/fod-and-lang-packs.md
- name: Windows client in S mode - name: Windows client in S mode

View File

@ -0,0 +1,4 @@
### YamlMime: ContextObject
brand: windows
breadcrumb_path: ../breadcrumb/toc.yml
toc_rel: ../toc.yml
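Review bot: the first line is written as `### YamlMime: ContextObject` with a space after the colon, whereas the YamlMime markers used elsewhere in the docs build (`### YamlMime:Hub`, `### YamlMime:Landing`, `### YamlMime:FAQ`) have no space; confirm the build accepts the spaced form, or remove the space so the file is recognized as a ContextObject rather than silently ignored.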

View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/15/2023 ms.date: 07/09/2024
--- ---
# Manually configure devices for Windows Update for Business reports # Manually configure devices for Windows Update for Business reports

View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/11/2023 ms.date: 07/09/2024
--- ---
# Configuring devices through the Windows Update for Business reports configuration script # Configuring devices through the Windows Update for Business reports configuration script
@ -22,9 +22,9 @@ The Windows Update for Business reports configuration script is the recommended
## About the script ## About the script
The configuration script configures registry keys directly. Be aware that registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), device data might not appear in Windows Update for Business reports correctly. The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), device data might not appear in Windows Update for Business reports correctly.
You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086).
## How this script is organized ## How this script is organized
@ -39,11 +39,11 @@ Edit the `RunConfig.bat` file to configure the following variables, then run the
| Variable | Allowed values and description | Example | | Variable | Allowed values and description | Example |
|---|---|---| |---|---|---|
| runMode | **Pilot** (default): Verbose mode with additional diagnostics with additional logging. Pilot mode is best for a testing run of the script or for troubleshooting. <br> **Deployment**: Doesn't run any additional diagnostics or add extra logging | `runMode=Pilot` | | runMode | **Pilot** (default): Verbose mode with additional diagnostics and logging. Pilot mode is best for a testing run of the script or for troubleshooting. <br> **Deployment**: Doesn't run any additional diagnostics or add extra logging | `runMode=Pilot` |
| logPath | Path where the logs will be saved. The default location of the logs is `.\UCLogs`. | `logPath=C:\temp\logs` | | logPath | Path where the logs are saved. The default location of the logs is `.\UCLogs`.| `logPath=C:\temp\logs` |
| logMode | **0**: Log to the console only </br> **1** (default): Log to file and console. </br> **2**: Log to file only. | `logMode=2` | | logMode | **0**: Log to the console only </br> **1** (default): Log to file and console.</br> **2**: Log to file only. | `logMode=2` |
| DeviceNameOptIn | **true** (default): Device name is sent to Microsoft. </br> **false**: Device name isn't sent to Microsoft. | `DeviceNameOptIn=true` | | DeviceNameOptIn | **true** (default): Device name is sent to Microsoft.</br> **false**: Device name isn't sent to Microsoft. | `DeviceNameOptIn=true` |
| ClientProxy | **Direct** (default): No proxy is used. The connection to the endpoints is direct. </br> **System**: The system proxy, without authentication, is used. This type of proxy is typically configured with [netsh](/windows-server/networking/technologies/netsh/netsh-contexts) and can be verified using `netsh winhttp show proxy`. </br> **User**: The proxy is configured through IE and it might or might not require user authentication. </br> </br> For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update website](https://support.microsoft.com/en-us/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-website-08612ae5-3722-886c-f1e1-d012516c22a1) | `ClientProxy=Direct` | | ClientProxy | **Direct** (default): No proxy is used. The connection to the endpoints is direct.</br> **System**: The system proxy, without authentication, is used. This type of proxy is typically configured with [netsh](/windows-server/networking/technologies/netsh/netsh-contexts) and can be verified using `netsh winhttp show proxy`. </br> **User**: The proxy is configured through IE and it might or might not require user authentication. </br> </br> For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update website](https://support.microsoft.com/en-us/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-website-08612ae5-3722-886c-f1e1-d012516c22a1) | `ClientProxy=Direct` |
| source | Used by the .bat file and PowerShell script to locate dependencies. It's recommended that you don't change this value. | `source=%~dp0` | | source | Used by the .bat file and PowerShell script to locate dependencies. It's recommended that you don't change this value. | `source=%~dp0` |
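Review bot: the `logMode`, `DeviceNameOptIn` and `ClientProxy` rows use `</br>` as a line break, which is not a valid HTML tag, while the `runMode` row in the same table uses `<br>`; normalize all rows to `<br>` while this table is being touched. The `logMode` row is also the only one whose first option (`**0**: Log to the console only`) lacks the terminating period that the other options in that cell have.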

View File

@ -11,7 +11,7 @@ manager: aaroncz
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/11/2023 ms.date: 07/09/2024
--- ---
# Enable Windows Update for Business reports # Enable Windows Update for Business reports
@ -34,7 +34,7 @@ After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you
## <a name="bkmk_add"></a> Add Windows Update for Business reports to your Azure subscription ## <a name="bkmk_add"></a> Add Windows Update for Business reports to your Azure subscription
Before you configure clients to send data, you'll need to add Windows Update for Business reports to your Azure subscription so the data can be received. First, you'll select or create a new Log Analytics workspace to use. Second, you'll enroll Windows Update for Business reports to the workspace. Before you configure clients to send data, you need to add Windows Update for Business reports to your Azure subscription so the data can be received. First, you select or create a new Log Analytics workspace to use. Second, you enroll Windows Update for Business reports to the workspace.
## <a name="bkmk_workspace"></a> Select or create a new Log Analytics workspace for Windows Update for Business reports ## <a name="bkmk_workspace"></a> Select or create a new Log Analytics workspace for Windows Update for Business reports
@ -69,7 +69,7 @@ Enroll into Windows Update for Business reports by configuring its settings thro
> [!Tip] > [!Tip]
> If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports. > If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports.
1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**. 1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**.
- Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. - Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it takes before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
##### <a name="bkmk_admin-center"></a> Enroll through the Microsoft 365 admin center ##### <a name="bkmk_admin-center"></a> Enroll through the Microsoft 365 admin center
<!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center--> <!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center-->
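Review bot: the edit at the bulleted line drops the future tense ("how long it takes"), but the numbered step immediately above it still reads "the workbook will display that it's **Waiting for...**"; change it to "the workbook displays" so the two adjacent sentences follow the same style the rest of this hunk is moving toward.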

View File

@ -11,7 +11,7 @@ manager: aaroncz
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/10/2023 ms.date: 07/09/2024
--- ---
# Windows Update for Business reports feedback, support, and troubleshooting # Windows Update for Business reports feedback, support, and troubleshooting
@ -52,7 +52,7 @@ You can open support requests directly from the Azure portal. If the **Help + S
- **Service type** - Select ***Windows Update for Business reports*** under ***Monitoring and Management*** - **Service type** - Select ***Windows Update for Business reports*** under ***Monitoring and Management***
1. Based on the information you provided, you'll be shown some **Recommended solutions** you can use to try to resolve the problem. 1. Based on the information you provided, you are shown some **Recommended solutions** you can use to try to resolve the problem.
1. Complete the **Additional details** tab and then create the request on the **Review + create** tab. 1. Complete the **Additional details** tab and then create the request on the **Review + create** tab.
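Review bot: the rewrite replaces "you'll be shown" with "you are shown", but the rest of this page uses contractions (for example "you're using" in the tip on the enable page changed in this same commit); "you're shown" would match that voice and reads less stilted.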
## Documentation feedback ## Documentation feedback

View File

@ -1,7 +1,7 @@
--- ---
title: Register your devices title: Register your devices
description: This article details how to register devices in Autopatch. description: This article details how to register devices in Autopatch.
ms.date: 02/15/2024 ms.date: 07/10/2024
ms.service: windows-client ms.service: windows-client
ms.subservice: itpro-updates ms.subservice: itpro-updates
ms.topic: how-to ms.topic: how-to
@ -112,10 +112,7 @@ The following are the possible device readiness statuses in Windows Autopatch:
## Built-in roles required for device registration ## Built-in roles required for device registration
A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices: A role defines the set of permissions granted to users assigned to that role. You can use the **Intune Service Administrator** role to register devices.
- Microsoft Entra Global Administrator
- Intune Service Administrator
For more information, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). For more information, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
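Review bot: Dropping Microsoft Entra Global Administrator from the registration roles and keeping only Intune Service Administrator is the right least-privilege direction, but the new sentence "You can use the **Intune Service Administrator** role to register devices" reads as if that were the only role that works. Suggest phrasing it the way the remediation page in this same change does ("The minimum role required ... is **Intune Service Administrator**"), so readers understand this is the least-privileged role that suffices rather than an exclusive one.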

View File

@ -1,7 +1,7 @@
--- ---
title: policy health and remediation title: policy health and remediation
description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service
ms.date: 07/08/2024 ms.date: 07/10/2024
ms.service: windows-client ms.service: windows-client
ms.subservice: itpro-updates ms.subservice: itpro-updates
ms.topic: how-to ms.topic: how-to
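Review bot: Since the front matter of this file is being touched for the date bump, the unchanged `description` line should be fixed in the same change: "Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service" is missing a "when" and a "that" ("Describes what Autopatch does when it detects that policies in the tenant are either missing or modified to states that affect the service"). The `title` ("policy health and remediation") is also the only lowercase title among the files in this commit.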
@ -44,7 +44,7 @@ Alerts are raised when deployment rings don't have the required policies and the
## Built-in roles required for remediation actions ## Built-in roles required for remediation actions
The minimum role required to restore configurations is **Intune Service Administrator**. You can also perform these actions in the Global administrator role. The minimum role required to restore configurations is **Intune Service Administrator**.
## Restore device configuration policy ## Restore device configuration policy

View File

@ -1,7 +1,7 @@
--- ---
title: Windows quality and feature update reports overview title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch. description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch.
ms.date: 04/09/2024 ms.date: 07/10/2024
ms.service: windows-client ms.service: windows-client
ms.subservice: itpro-updates ms.subservice: itpro-updates
ms.topic: conceptual ms.topic: conceptual
@ -53,7 +53,6 @@ The Windows feature update report types are organized into the following focus a
Users with the following permissions can access the reports: Users with the following permissions can access the reports:
- Global Administrator
- Intune Service Administrator - Intune Service Administrator
- Global Reader - Global Reader
- Services Support Administrator - Services Support Administrator
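Review bot: With Global Administrator removed, "Users with the following permissions can access the reports:" now presents the remaining list as exhaustive, which can be read as Global Administrators no longer being able to open the reports. If the intent is least-privilege guidance, as the companion edits in this commit suggest ("The minimum role required ..."), consider "At minimum, users with one of the following roles can access the reports:" so the list is understood as the lowest-privileged roles that suffice.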

View File

@ -197,4 +197,4 @@ additionalContent:
- text: Microsoft Intune community - text: Microsoft Intune community
url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
- text: Microsoft Support community - text: Microsoft Support community
url: https://answers.microsoft.com/windows/forum url: https://answers.microsoft.com/
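Review bot: The link target changes from the Windows forum (`https://answers.microsoft.com/windows/forum`) to the generic Microsoft Answers landing page (`https://answers.microsoft.com/`); if this is a deliberate retargeting rather than a redirect cleanup, confirm that the broader page is the intended destination for a Windows-specific "Microsoft Support community" entry, since the same change is applied to both TOC files in this commit.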

View File

@ -2,7 +2,7 @@
title: Enable memory integrity title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices. description: This article explains the steps to opt in to using memory integrity on Windows devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 03/26/2024 ms.date: 07/10/2024
appliesto: appliesto:
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>" - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>" - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"

View File

@ -2,7 +2,7 @@
title: How System Guard helps protect Windows title: How System Guard helps protect Windows
description: Learn how System Guard reorganizes the existing Windows system integrity features under one roof. description: Learn how System Guard reorganizes the existing Windows system integrity features under one roof.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 01/16/2024 ms.date: 07/10/2024
ms.topic: conceptual ms.topic: conceptual
--- ---
@ -33,7 +33,7 @@ Also, a bug fix for UEFI code can take a long time to design, build, retest, val
### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM) ### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
[System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. [System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by using a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
![System Guard Secure Launch.](images/system-guard-secure-launch.png) ![System Guard Secure Launch.](images/system-guard-secure-launch.png)
@ -41,7 +41,7 @@ Secure Launch simplifies management of SRTM measurements because the launch code
### System Management Mode (SMM) protection ### System Management Mode (SMM) protection
System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. Whenever one of these system operations is requested, a nonmaskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
To defend against this, two techniques are used: To defend against this, two techniques are used:
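Review bot: The only change here is dehyphenating "nonmaskable", but the parenthetical it sits in is mislabelled: SMI abbreviates System Management Interrupt, not "nonmaskable interrupt". Suggest "Whenever one of these system operations is requested, a System Management Interrupt (SMI), which is non-maskable, is invoked at runtime, ...". In the same sentence, "x86 microcontrollers" would more accurately be "x86 processors", since SMM is a mode of the main CPU.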
@ -88,7 +88,7 @@ This feature is available for the following processors:
|AUX Policy|The required AUX policy must be as follows: <ul><li> A = TPM2_PolicyLocality (Locality 3 & Locality 4) </li><li>B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)</li><li>authPolicy = \{A} OR {{A} AND \{B}}</li><li>authPolicy digest = 0xef, 0x9a, 0x26, 0xfc, 0x22, 0xd1, 0xae, 0x8c, 0xec, 0xff, 0x59, 0xe9, 0x48, 0x1a, 0xc1, 0xec, 0x53, 0x3d, 0xbe, 0x22, 0x8b, 0xec, 0x6d, 0x17, 0x93, 0x0f, 0x4c, 0xb2, 0xcc, 0x5b, 0x97, 0x24</li></ul>| |AUX Policy|The required AUX policy must be as follows: <ul><li> A = TPM2_PolicyLocality (Locality 3 & Locality 4) </li><li>B = TPM2_PolicyCommandCode (TPM_CC_NV_UndefineSpecial)</li><li>authPolicy = \{A} OR {{A} AND \{B}}</li><li>authPolicy digest = 0xef, 0x9a, 0x26, 0xfc, 0x22, 0xd1, 0xae, 0x8c, 0xec, 0xff, 0x59, 0xe9, 0x48, 0x1a, 0xc1, 0xec, 0x53, 0x3d, 0xbe, 0x22, 0x8b, 0xec, 0x6d, 0x17, 0x93, 0x0f, 0x4c, 0xb2, 0xcc, 0x5b, 0x97, 0x24</li></ul>|
|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with: <ul><li>Handle: 0x01C101C0 </li><li>Attributes: <ul><li>TPMA_NV_POLICYWRITE</li><li>TPMA_NV_PPREAD </li><li>TPMA_NV_OWNERREAD</li><li>TPMA_NV_AUTHREAD</li><li>TPMA_NV_POLICYREAD</li><li>TPMA_NV_NO_DA</li><li>TPMA_NV_PLATFORMCREATE</li><li>TPMA_NV_POLICY_DELETE</li></ul> <li>A policy of: </li><ul><li>A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)</li><li>B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial) </li><li> authPolicy = \{A} OR {{A} AND \{B}} </li><li> Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1 </li></ul></ul> | |TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with: <ul><li>Handle: 0x01C101C0 </li><li>Attributes: <ul><li>TPMA_NV_POLICYWRITE</li><li>TPMA_NV_PPREAD </li><li>TPMA_NV_OWNERREAD</li><li>TPMA_NV_AUTHREAD</li><li>TPMA_NV_POLICYREAD</li><li>TPMA_NV_NO_DA</li><li>TPMA_NV_PLATFORMCREATE</li><li>TPMA_NV_POLICY_DELETE</li></ul> <li>A policy of: </li><ul><li>A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)</li><li>B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial) </li><li> authPolicy = \{A} OR {{A} AND \{B}} </li><li> Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1 </li></ul></ul> |
|Platform firmware|Platform firmware must carry all code required to execute an Intel&reg; Trusted Execution Technology secure launch: <ul><li>Intel&reg; SINIT ACM must be carried in the OEM BIOS</li><li>Platforms must ship with a production ACM signed by the correct production Intel&reg; ACM signer for the platform</li></ul>| |Platform firmware|Platform firmware must carry all code required to execute an Intel&reg; Trusted Execution Technology secure launch: <ul><li>Intel&reg; SINIT ACM must be carried in the OEM BIOS</li><li>Platforms must ship with a production ACM signed by the correct production Intel&reg; ACM signer for the platform</li></ul>|
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | |Platform firmware update|It's recommended to update System firmware via UpdateCapsule in Windows Update. |
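Review bot: The rewritten cell capitalizes "System firmware" mid-sentence ("It's recommended to update System firmware via UpdateCapsule in Windows Update."); suggest "It's recommended to update system firmware via UpdateCapsule in Windows Update." The identical row in the AMD and Qualcomm tables below carries the same capitalization and should get the same fix.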
### Requirements for AMD&reg; processors starting with Zen2 or later silicon ### Requirements for AMD&reg; processors starting with Zen2 or later silicon
@ -102,7 +102,7 @@ This feature is available for the following processors:
|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| |Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with: <ul><li>Handle: 0x01C101C0 </li><li>Attributes: <ul><li>TPMA_NV_POLICYWRITE</li><li>TPMA_NV_PPREAD </li><li>TPMA_NV_OWNERREAD</li><li>TPMA_NV_AUTHREAD</li><li>TPMA_NV_POLICYREAD</li><li>TPMA_NV_NO_DA</li><li>TPMA_NV_PLATFORMCREATE</li><li>TPMA_NV_POLICY_DELETE</li></ul> <li>A policy of: </li><ul><li>A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)</li><li>B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial) </li><li> authPolicy = \{A} OR {{A} AND \{B}} </li><li> Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1 </li></ul></ul> | |TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with: <ul><li>Handle: 0x01C101C0 </li><li>Attributes: <ul><li>TPMA_NV_POLICYWRITE</li><li>TPMA_NV_PPREAD </li><li>TPMA_NV_OWNERREAD</li><li>TPMA_NV_AUTHREAD</li><li>TPMA_NV_POLICYREAD</li><li>TPMA_NV_NO_DA</li><li>TPMA_NV_PLATFORMCREATE</li><li>TPMA_NV_POLICY_DELETE</li></ul> <li>A policy of: </li><ul><li>A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)</li><li>B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial) </li><li> authPolicy = \{A} OR {{A} AND \{B}} </li><li> Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1 </li></ul></ul> |
|Platform firmware|Platform firmware must carry all code required to execute Secure Launch: <ul><li>AMD&reg; Secure Launch platforms must ship with AMD&reg; DRTM driver devnode exposed and the AMD&reg; DRTM driver installed</li></ul><br/>Platform must have AMD&reg; Secure Processor Firmware Anti-Rollback protection enabled <br/> Platform must have AMD&reg; Memory Guard enabled.| |Platform firmware|Platform firmware must carry all code required to execute Secure Launch: <ul><li>AMD&reg; Secure Launch platforms must ship with AMD&reg; DRTM driver devnode exposed and the AMD&reg; DRTM driver installed</li></ul><br/>Platform must have AMD&reg; Secure Processor Firmware Anti-Rollback protection enabled <br/> Platform must have AMD&reg; Memory Guard enabled.|
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | |Platform firmware update|It's recommended to update System firmware via UpdateCapsule in Windows Update. |
### Requirements for Qualcomm&reg; processors with SD850 or later chipsets ### Requirements for Qualcomm&reg; processors with SD850 or later chipsets
@ -112,4 +112,4 @@ This feature is available for the following processors:
|Monitor Mode Page Tables|All Monitor Mode page tables must: <ul><li>NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory) </li><li>They must NOT have execute and write permissions for the same page </li><li>Platforms must only allow Monitor Mode pages marked as executable </li><li>The memory map must report Monitor Mode as EfiReservedMemoryType</li><li>Platforms must provide mechanism to protect the Monitor Mode page tables from modification</li></ul> | |Monitor Mode Page Tables|All Monitor Mode page tables must: <ul><li>NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory) </li><li>They must NOT have execute and write permissions for the same page </li><li>Platforms must only allow Monitor Mode pages marked as executable </li><li>The memory map must report Monitor Mode as EfiReservedMemoryType</li><li>Platforms must provide mechanism to protect the Monitor Mode page tables from modification</li></ul> |
|Modern/Connected Standby|Platforms must support Modern/Connected Standby.| |Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
|Platform firmware|Platform firmware must carry all code required to launch.| |Platform firmware|Platform firmware must carry all code required to launch.|
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | |Platform firmware update|It's recommended to update System firmware via UpdateCapsule in Windows Update. |

View File

@ -1,7 +1,7 @@
--- ---
title: Windows hardware security title: Windows hardware security
description: Learn more about hardware security features support in Windows. description: Learn more about hardware security features support in Windows.
ms.date: 07/28/2023 ms.date: 07/10/2024
ms.topic: overview ms.topic: overview
appliesto: appliesto:
--- ---

View File

@ -4,7 +4,7 @@ description: Learn how Kernel DMA Protection protects Windows devices against dr
ms.collection: ms.collection:
- tier1 - tier1
ms.topic: conceptual ms.topic: conceptual
ms.date: 01/09/2024 ms.date: 07/10/2024
--- ---
# Kernel DMA Protection # Kernel DMA Protection
@ -20,16 +20,16 @@ Drive-by DMA attacks are attacks that occur while the owner of the system isn't
## How Windows protects against DMA drive-by attacks ## How Windows protects against DMA drive-by attacks
Windows uses the system *Input/Output Memory Management Unit (IOMMU)* to block external peripherals from starting and performing DMA, unless the drivers for these peripherals support memory isolation (such as DMA-remapping). Peripherals with [DMA Remapping compatible drivers][LINK-1] will be automatically enumerated, started, and allowed to perform DMA to their assigned memory regions. Windows uses the system *Input/Output Memory Management Unit (IOMMU)* to block external peripherals from starting and performing DMA, unless the drivers for these peripherals support memory isolation (such as DMA-remapping). Peripherals with [DMA Remapping compatible drivers][LINK-1] are automatically enumerated, started, and allowed to perform DMA to their assigned memory regions.
By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using MDM or group policies. By default, peripherals with DMA Remapping incompatible drivers are blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using MDM or group policies.
## User experience ## User experience
When Kernel DMA Protection is enabled: When Kernel DMA Protection is enabled:
- Peripherals with DMA Remapping-compatible device drivers will be automatically enumerated and started - Peripherals with DMA Remapping-compatible device drivers are automatically enumerated and started
- Peripherals with DMA Remapping-incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or signs out of the system. - Peripherals with DMA Remapping-incompatible drivers are blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver is started by the OS, and the peripheral continues to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or signs out of the system.
[!INCLUDE [kernel-direct-memory-access-dma-protection](../../../includes/licensing/kernel-direct-memory-access-dma-protection.md)] [!INCLUDE [kernel-direct-memory-access-dma-protection](../../../includes/licensing/kernel-direct-memory-access-dma-protection.md)]
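Review bot: The future-tense cleanup in the second bullet stops one sentence short: it still ends with "The peripheral will continue to function normally if the user locks the screen or signs out of the system." while the rest of the bullet was changed to present tense ("is started", "continues to function"). Suggest "The peripheral continues to function normally if the user locks the screen or signs out of the system."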
@ -44,7 +44,7 @@ Kernel DMA Protection isn't compatible with other BitLocker DMA attacks counterm
## Check if Kernel DMA Protection is enabled ## Check if Kernel DMA Protection is enabled
Systems that support Kernel DMA Protection will enable the feature automatically, with no user or IT admin configuration required. Systems that support Kernel DMA Protection enable the feature automatically, with no user or IT admin configuration required.
You can use the Windows Security settings to check if Kernel DMA Protection is enabled: You can use the Windows Security settings to check if Kernel DMA Protection is enabled:
@ -53,7 +53,7 @@ You can use the Windows Security settings to check if Kernel DMA Protection is e
:::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true"::: :::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::
Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value will be set to **ON**. Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value is set to **ON**.
:::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true"::: :::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true":::
@ -91,7 +91,7 @@ Use the Windows-provided drivers for the peripherals, when available. If there a
### My system's Kernel DMA Protection is off. Can DMA-remapping for a specific device be turned on? ### My system's Kernel DMA Protection is off. Can DMA-remapping for a specific device be turned on?
Yes. DMA remapping for a specific device can be turned on independent from Kernel DMA Protection. For example, if the driver opts in and VT-d (Virtualization Technology for Directed I/O) is turned on, then DMA remapping will be enabled for the devices driver even if Kernel DMA Protection is turned off. Yes. DMA remapping for a specific device can be turned on independent from Kernel DMA Protection. For example, if the driver opts in and VT-d (Virtualization Technology for Directed I/O) is turned on, then DMA remapping is enabled for the devices driver even if Kernel DMA Protection is turned off.
Kernel DMA Protection is a policy that allows or blocks devices to perform DMA, based on their remapping state and capabilities. Kernel DMA Protection is a policy that allows or blocks devices to perform DMA, based on their remapping state and capabilities.
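Review bot: "the devices driver" in the rewritten answer is missing the possessive apostrophe; suggest "then DMA remapping is enabled for the device's driver even if Kernel DMA Protection is turned off."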
@ -117,5 +117,4 @@ The policy can be enabled by using:
[LINK-1]: /windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers [LINK-1]: /windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers
[LINK-2]: /windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies [LINK-2]: /windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies
[LINK-3]: /windows-hardware/design/device-experiences/oem-kernel-dma-protection [LINK-3]: /windows-hardware/design/device-experiences/oem-kernel-dma-protection
[EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf [EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf

View File

@ -2,7 +2,7 @@
title: Microsoft Pluton security processor title: Microsoft Pluton security processor
description: Learn more about Microsoft Pluton security processor description: Learn more about Microsoft Pluton security processor
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/19/2024 ms.date: 07/10/2024
--- ---
# Microsoft Pluton security processor # Microsoft Pluton security processor
@ -13,7 +13,7 @@ Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm
## What is Microsoft Pluton? ## What is Microsoft Pluton?
Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker installs malware or has complete physical possession of the PC. Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data, and encryption keys. Information is significantly harder to be removed even if an attacker installs malware or has complete physical possession of the PC.
Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) and deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for other Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md). Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) and deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for other Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md).

View File

@ -2,12 +2,12 @@
title: Microsoft Pluton as Trusted Platform Module (TPM 2.0) title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0) description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/19/2024 ms.date: 07/10/2024
--- ---
# Microsoft Pluton as Trusted Platform Module # Microsoft Pluton as Trusted Platform Module
Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and Windows Defender System Guard. Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and System Guard.
As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installs malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution can't access key material. As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installs malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution can't access key material.
@ -17,7 +17,7 @@ To learn more about the TPM related scenarios that benefit from Pluton, see [TPM
## Microsoft Pluton as a security processor alongside discrete TPM ## Microsoft Pluton as a security processor alongside discrete TPM
Microsoft Pluton can be used as a TPM, or in conjunction with a TPM. Although Pluton builds security directly into the CPU, device manufacturers may choose to use discrete TPM as the default TPM, while having Pluton available to the system as a security processor for use cases beyond the TPM. Microsoft Pluton can be used as a TPM, or with a TPM. Although Pluton builds security directly into the CPU, device manufacturers might choose to use discrete TPM as the default TPM, while having Pluton available to the system as a security processor for use cases beyond the TPM.
Pluton is integrated within the SoC subsystem, and provides a flexible, updatable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated within the SoC subsystem, and provides a flexible, updatable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft.

View File

@ -1,14 +1,13 @@
--- ---
title: System Guard Secure Launch and SMM protection title: System Guard Secure Launch and SMM protection
description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices. description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows devices.
ms.localizationpriority: medium ms.date: 07/10/2024
ms.date: 07/31/2023
ms.topic: conceptual ms.topic: conceptual
--- ---
# System Guard Secure Launch and SMM protection # System Guard Secure Launch and SMM protection
This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective. This article explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
> [!NOTE] > [!NOTE]
> System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard). > System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard).
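Review bot: The updated `description` still places "protection" inside the parenthetical ("System Management Mode (SMM protection)"), which misreads the acronym; the body sentence in this same hunk has the correct form, "System Management Mode (SMM) protection", and the description should match it. Separately, `ms.localizationpriority: medium` is removed without mention in the change; confirm that the removal is intentional and not a merge artifact, since the other files touched here keep their localization metadata.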
@ -28,35 +27,30 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
### Group Policy ### Group Policy
1. Click **Start** > type and then click **Edit group policy**. 1. Select **Start** > type and then select **Edit group policy**.
1. Select **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
![Secure Launch Configuration.](images/secure-launch-group-policy.png) ![Secure Launch Configuration.](images/secure-launch-group-policy.png)
### Windows Security ### Windows Security
Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**. Select **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
![Windows Security settings.](images/secure-launch-security-app.png) ![Windows Security settings.](images/secure-launch-security-app.png)
### Registry ### Registry
1. Open Registry editor. 1. Open Registry editor.
1. Select **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**.
2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**. 1. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**.
1. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**.
3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**. 1. Double-click **Enabled**, change the value to **1**, and click **OK**.
4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**.
5. Double-click **Enabled**, change the value to **1**, and click **OK**.
![Secure Launch Registry.](images/secure-launch-registry.png) ![Secure Launch Registry.](images/secure-launch-registry.png)
## How to verify System Guard Secure Launch is configured and running ## How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**. To verify that Secure Launch is running, use System Information (MSInfo32). Select **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
![Verifying Secure Launch is running in the Windows Security settings.](images/secure-launch-msinfo.png) ![Verifying Secure Launch is running in the Windows Security settings.](images/secure-launch-msinfo.png)
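Review bot: the Click-to-Select pass is incomplete in the Registry steps: the last step still reads "Double-click **Enabled**, change the value to **1**, and click **OK**." Change "click **OK**" to "select **OK**" so it matches the Group Policy and Windows Security steps changed in the same hunk. Also "Open Registry editor" should be "Open Registry Editor" (the tool's name). Since the registry steps end at the screenshot, a one-line pointer to the "How to verify" section below would let the reader confirm the setting is actually in effect after the change.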


@ -2,7 +2,7 @@
title: Back up TPM recovery information to Active Directory title: Back up TPM recovery information to Active Directory
description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory. description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
--- ---
# Back up the TPM recovery information to AD DS # Back up the TPM recovery information to AD DS


@ -1,8 +1,8 @@
--- ---
title: Change the TPM owner password title: Change the TPM owner password
description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. description: This article for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
--- ---
# Change the TPM owner password # Change the TPM owner password
@ -32,7 +32,6 @@ Without the owner password, you can still perform all the preceding actions with
Instead of changing your owner password, you can also use the following options to manage your TPM: Instead of changing your owner password, you can also use the following options to manage your TPM:
- **Clear the TPM** - If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). - **Clear the TPM** - If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
- **Turn off the TPM** - With TPM 1.2 and Windows 10, versions 1507 and 1511, you can turn off the TPM. Turn off the TPM if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm). - **Turn off the TPM** - With TPM 1.2 and Windows 10, versions 1507 and 1511, you can turn off the TPM. Turn off the TPM if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm).
## Changing the TPM owner password ## Changing the TPM owner password
@ -44,7 +43,3 @@ To change to a new TPM owner password, in `TPM.msc`, select **Change Owner Passw
## Use the TPM cmdlets ## Use the TPM cmdlets
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule). You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule).
## Related articles
- [Trusted Platform Module](trusted-platform-module-overview.md)
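Review bot: this hunk removes the "## Related articles" section and its only link, to trusted-platform-module-overview.md, without a replacement; the remaining "Use the TPM cmdlets" section links only to the PowerShell module reference. Confirm the TPM overview is still reachable from this page (for example through the TOC) before merging, or keep the link.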


@ -2,12 +2,12 @@
title: How Windows uses the TPM title: How Windows uses the TPM
description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security. description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
--- ---
# How Windows uses the Trusted Platform Module # How Windows uses the Trusted Platform Module
The Windows operating system places hardware-based security deeper inside many features, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers an overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a device with a TPM. The Windows operating system places hardware-based security deeper inside many features, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers an overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security effect of running Windows on a device with a TPM.
## TPM Overview ## TPM Overview
@ -21,7 +21,7 @@ The Trusted Computing Group (TCG) is the nonprofit organization that publishes a
OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*. OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*.
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others don't. The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments clearly define security requirements for TPMs, whereas others don't.
Certification programs for TPMs-and technology in general-continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. Certification programs for TPMs-and technology in general-continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
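Review bot: the unchanged context in this hunk shows a plain hyphen where a dash is meant: "hardware root of trust-that is, it behaves in a trusted way" and "Certification programs for TPMs-and technology in general-continue to evolve". If the source file really uses "-" here, replace it with a proper dash or reword ("hardware root of trust, that is, it behaves in a trusted way"); as written, "trust-that" and "TPMs-and" read as hyphenated words.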
@ -51,11 +51,11 @@ Smart cards are physical devices that typically store a single certificate and t
In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses. In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios aren't applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
## Windows Hello for Business ## Windows Hello for Business
Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, username/password solutions for authentication often reuse the same credential combinations on multiple devices and services. If those credentials are compromised, they are compromised in multiple places. Windows Hello for Business combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, username/password solutions for authentication often reuse the same credential combinations on multiple devices and services. If those credentials are compromised, they're compromised in multiple places. Windows Hello for Business combines the information provisioned on each device (that is, the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system doesn't have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it isn't shared across devices.
The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Entra account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889). The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Entra account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889).
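Review bot: subject-verb agreement in the changed virtual smart card paragraph: "the benefits of smart card-based multifactor authentication is preserved" should read "are preserved". The same paragraph has a stray comma: "Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership" should drop the comma before "can". Both predate this change, but the line is being edited anyway.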
@ -63,7 +63,7 @@ Identity providers have flexibility in how they provision credentials on client
- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an endorsement key. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM). - **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an endorsement key. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM).
- **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. - **Attestation identity key**. To protect privacy, most TPM scenarios don't directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
:::image type="content" alt-text="TPM Capabilities." source="images/tpm-capabilities.png" lightbox="images/tpm-capabilities.png"::: :::image type="content" alt-text="TPM Capabilities." source="images/tpm-capabilities.png" lightbox="images/tpm-capabilities.png":::
*Figure 1: TPM Cryptographic Key Management* *Figure 1: TPM Cryptographic Key Management*
@ -72,15 +72,15 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA.
## BitLocker Drive Encryption ## BitLocker Drive Encryption
BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data. BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they don't need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data isn't encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data.
In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however-for example, a different operating system is booted from a USB device-the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows sign-in prompt, the only path forward is for the user to sign in with their credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however-for example, a different operating system is booted from a USB device-the operating system volume and user data can't be read and aren't accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. 
The system firmware and TPM are carefully designed to work together to provide the following capabilities:
- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. - **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. 
The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process can't proceed normally because the data on the operating system can't be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). - **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. 
If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM won't let Windows Boot Manager use the key, and the startup process can't proceed normally because the data on the operating system can't be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM won't allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume's decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the sign-in screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume's decryption key from memory while at the Windows sign-in screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the "TPM-only" configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot. Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the "TPM-only" configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
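Review bot: the paragraph splits inside the two bullets ("The system firmware has a component called the Core Root of Trust for Measurement (CRTM)..." and "If a different operating system is booted...") appear at column 0 rather than indented under their list items. In Markdown an unindented paragraph ends the list, so the continuation text renders as body paragraphs and "- **Key used only when boot measurements are accurate**" starts a second list. Indent the continuation paragraphs (with a blank line before them) to keep them inside their bullets. Also fix the stray hyphen in "store the recovery key-in Active Directory Domain Services (AD DS)" to "recovery key in", and trim the trailing whitespace left after "occurs in an expected way." and after the first new paragraph break in each bullet.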
@ -92,17 +92,17 @@ For software measurements, Device Encryption relies on measurements of the autho
## Measured Boot ## Measured Boot
Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows. Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM weren't helpful for understanding the starting state of Windows.
The Windows boot process happens in stages and often involves non-Microsoft drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off). The Windows boot process happens in stages and often involves non-Microsoft drivers to communicate with vendor-specific hardware or implement anti-malware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch anti-malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that anti-malware drivers use and configuration data about Windows security features (for example, whether BitLocker is on or off).
Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted. Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted.
TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware. TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements doesn't include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and didn't start with malware.
The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot: The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot:
- **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. - **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or *quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process.
When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
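Review bot: the rename from "antimalware" to "anti-malware" in the second paragraph of the Measured Boot section works against the one-word form used across Microsoft Learn, and it also changes a feature name: "Early-Launch anti-malware drivers" should read "Early Launch Antimalware (ELAM) drivers", which is the name of the feature whose driver measurements are recorded in the TPM. Suggest reverting to "antimalware" throughout this hunk and writing the feature name as it appears elsewhere in the docs. The spacing fix in "(or *quote*)" and the contractions are fine.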
@ -111,24 +111,22 @@ When new security features are added to Windows, Measured Boot adds security-rel
## Health Attestation ## Health Attestation
Some Windows improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health. Some Windows improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers and parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health.
Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365. Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365.
## Credential Guard ## Credential Guard
Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user's credentials (such as a logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer's memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a "pass the hash" attack, a malware technique that infects one machine to infect many machines across an organization. Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user's credentials (such as a sign-in password) were hashed to generate an authorization token. The user employed the token to access resources that they were permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer's memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to sign in to other machines and collect more credentials. This kind of attack is called a "pass the hash" attack, a malware technique that infects one machine to infect many machines across an organization.
Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel can't access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment can't tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel can't access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment can't tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they're accessible only during the boot process step when the separate region is initialized; they aren't available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it can't access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows. The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it can't access the secrets inside the isolated memory area that actually generates authorization tokens. The solution doesn't solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows.
## Conclusion ## Conclusion
The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM's major features. The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM's major features.
<br/>
| Feature | Benefits when used on a system with a TPM | | Feature | Benefits when used on a system with a TPM |
|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate can't be copied off the device.<br>- The TPM's dictionary attack mechanism protects PIN values to use a certificate. | | Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate can't be copied off the device.<br>- The TPM's dictionary attack mechanism protects PIN values to use a certificate. |
@ -138,8 +136,6 @@ The TPM adds hardware-based security benefits to Windows. When installed on hard
| Device Encryption | With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection. | | Device Encryption | With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection. |
| Measured Boot | A hardware root of trust contains boot measurements that help detect malware during remote attestation. | | Measured Boot | A hardware root of trust contains boot measurements that help detect malware during remote attestation. |
| Health Attestation | MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. | | Health Attestation | MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. |
| Credential Guard | Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. | | Credential Guard | Defense in depth increases so that even if malware has administrative rights on one machine, it's significantly more difficult to compromise additional machines in an organization. |
<br /> Although some of the aforementioned features have more hardware requirements (for example, virtualization support), the TPM is a cornerstone of Windows security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows IoT Core](/windows/iot-core/windows-iot-core). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements.
Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows IoT Core](/windows/iot-core/windows-iot-core). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements.
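Review bot: the Conclusion paragraph still reads "When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits" on both sides of this hunk; "Window" should be "Windows", and this pass over the section is the right place to fix it. While touching the Credential Guard paragraph, "a user's credentials (such as a sign-in password) were hashed to generate an authorization token" does not line up with the "pass the hash" name used two sentences later: what is harvested and replayed is the password hash itself, so the text should say the hash is used to authenticate to resources rather than introduce a "token" it never defines. "Credential Guard is a new feature in Windows" has also aged; "new" can go. Dropping the `<br/>` lines around the table is fine.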

View File

@ -2,7 +2,7 @@
title: Troubleshoot the TPM title: Troubleshoot the TPM
description: Learn how to view and troubleshoot the Trusted Platform Module (TPM). description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
ms.collection: ms.collection:
- tier1 - tier1
--- ---
@ -13,9 +13,6 @@ This article provides information how to troubleshoot the Trusted Platform Modul
- [Troubleshoot TPM initialization](#tpm-initialization) - [Troubleshoot TPM initialization](#tpm-initialization)
- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) - [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
With TPM 1.2 and Windows 11, you can also take the following actions:
- [Turn on or turn off the TPM](#turn-on-or-turn-off-the-tpm) - [Turn on or turn off the TPM](#turn-on-or-turn-off-the-tpm)
For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
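Review bot: deleting "With TPM 1.2 and Windows 11, you can also take the following actions:" folds "Turn on or turn off the TPM" into the general task list, but the qualifier it carried is still relied on later in this file ("If you have TPM 1.2 with Windows 11, the TPM might be turned off..." and the "Turn on or turn off the TPM" section with its owner-password flow). Either keep a short TPM 1.2 qualifier on that bullet, or update the later references so the page is consistent about which TPM version the on/off procedure applies to.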
@ -28,17 +25,17 @@ Windows automatically initializes and takes ownership of the TPM. There's no nee
If you find that Windows isn't able to initialize the TPM automatically, review the following information: If you find that Windows isn't able to initialize the TPM automatically, review the following information:
- You can try clearing the TPM to the factory default values, allowing Windows to reinitialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) - You can try clearing the TPM to the factory default values, allowing Windows to reinitialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm).
- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system - If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system.
- If you have TPM 1.2 with Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will reinitialize it - If you have TPM 1.2 with Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows reinitializes it.
- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it, and then allow the operating system to initialize the TPM - If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it, and then allow the operating system to initialize the TPM.
### Network connection issues for domain-joined Windows 11 devices ### Network connection issues for domain-joined Windows 11 devices
If you have Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist: If you have Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist:
- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through group policy - An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through group policy.
- A domain controller can't be reached. This scenario may occur on a device that is currently disconnected from the internal network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter) - A domain controller can't be reached. This scenario may occur on a device that is currently disconnected from the internal network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter).
If these issues occur, an error message appears, and you can't complete the initialization process. To avoid the issue, allow Windows to initialize the TPM while you're connected to the corporate network, and you can contact a domain controller. If these issues occur, an error message appears, and you can't complete the initialization process. To avoid the issue, allow Windows to initialize the TPM while you're connected to the corporate network, and you can contact a domain controller.
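Review bot: "We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker" is unclear on both sides of the hunk; a driver is not "protected with BitLocker". If the intent is that the Microsoft-provided TPM driver is the one BitLocker supports, say "...that is provided by Microsoft and supported by BitLocker" (confirm the intended meaning with the content owner). Separately, "If you have TPM 1.2 with Windows 11" sits oddly next to Windows 11's TPM 2.0 minimum requirement; if this bullet is meant for upgraded or exception devices, a clause saying so would help. The added periods and "Windows reinitializes it" are fine.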
@ -46,7 +43,7 @@ If these issues occur, an error message appears, and you can't complete the init
Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows doesn't support this configuration. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs, you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm). Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows doesn't support this configuration. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs, you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm).
For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection isn't changed. For example, toggling TPMs cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected for use and the selection isn't changed.
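Review bot: the edit introduces a subject-verb disagreement: "toggling TPMs cause BitLocker to enter recovery mode" should be "toggling TPMs causes BitLocker to enter recovery mode", since the gerund "toggling" is the subject. The rest of the sentence ("one TPM is selected for use and the selection isn't changed") reads well.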
## Clear all the keys from the TPM ## Clear all the keys from the TPM
@ -61,11 +58,11 @@ Clearing the TPM resets it to an unowned state. After you clear the TPM, the Win
Clearing the TPM can result in data loss. To protect against such loss, review the following precautions: Clearing the TPM can result in data loss. To protect against such loss, review the following precautions:
- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM - Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM.
- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator - Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator.
- If you want to temporarily suspend TPM operations on Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm) - If you want to temporarily suspend TPM operations on Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm).
- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI - Always use functionality in the operating system (such as TPM.msc) to clear the TPM. Don't clear the TPM directly from UEFI.
- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website - Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
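Review bot: "Always use functionality in the operating system (such as TPM.msc) to clear the TPM" mixes the casing and formatting used elsewhere in this file, where the console is written `tpm.msc` in code font; since this line is being edited anyway, align it. The fix of "to the clear the TPM" and the added periods are good.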
@ -76,7 +73,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
1. Select **Security processor details**. 1. Select **Security processor details**.
1. Select **Security processor troubleshooting**. 1. Select **Security processor troubleshooting**.
1. Select **Clear TPM**. 1. Select **Clear TPM**.
- You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. - You'll be prompted to restart the computer. During the restart, you might be prompted to press a button to confirm that you wish to clear the TPM.
- After the device restarts, your TPM will be automatically prepared for use by Windows. - After the device restarts, your TPM will be automatically prepared for use by Windows.
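Review bot: removing "by the UEFI" from "you might be prompted to press a button to confirm that you wish to clear the TPM" loses the one detail that tells the reader where the prompt appears: it is the firmware's confirmation prompt shown before Windows starts, not a Windows dialog, and a user who does not know that may miss it and find the TPM was not cleared. Suggest "you might be prompted by the UEFI firmware, before Windows starts, to press a key to confirm...". The next bullet also keeps "your TPM will be automatically prepared" while the rest of this PR removes future tense.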
## Turn on or turn off the TPM ## Turn on or turn off the TPM
@ -100,7 +97,7 @@ If you want to stop using the services that are provided by the TPM, you can use
1. Open the TPM MMC (`tpm.msc`). 1. Open the TPM MMC (`tpm.msc`).
1. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page. 1. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page.
1. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: 1. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM:
- If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the *.tpm* file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**. - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the `.tpm` file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**.
- If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**. - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
- If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
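Review bot: the step "select a method to enter your owner password and turning off the TPM" is ungrammatical on both sides of the hunk; the verbs should be parallel: "select a method to enter your owner password and turn off the TPM". The change from *.tpm* to `.tpm` is consistent with the rest of the file. It would also help to say at the start of this procedure that the owner-password flow applies to TPM 1.2, which restores the scoping language removed in the earlier hunk.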

View File

@ -2,14 +2,14 @@
title: Manage TPM commands title: Manage TPM commands
description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
--- ---
# Manage TPM commands # Manage TPM commands
This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide more commands or the Trusted Computing Group might decide to add commands in the future, the TPM MMC also supports the ability to block new commands.
The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group. The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group.
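Review bot: "After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run" is stale: the troubleshooting page in this same PR states that Windows automatically initializes and takes ownership of the TPM, so no user action is implied. Suggest "Once Windows has taken ownership of the TPM, an administrator can limit which TPM commands can be run...". The "additional" to "more" and "may" to "might" substitutions are fine.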
@ -33,34 +33,24 @@ The following procedures describe how to manage the TPM command lists. You must
> [!NOTE] > [!NOTE]
> For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/). > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/).
1. After you have added numbers for each command that you want to block, select **OK** twice. 1. After adding numbers for each command that you want to block, select **OK** twice.
1. Close the Local Group Policy Editor. 1. Close the Local Group Policy Editor.
## Block or allow TPM commands by using the TPM MMC ## Block or allow TPM commands by using the TPM MMC
1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. 1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
1. In the console tree, select **Command Management**. A list of TPM commands is displayed. 1. In the console tree, select **Command Management**. A list of TPM commands is displayed.
1. In the list, select a command that you want to block or allow. 1. In the list, select a command that you want to block or allow.
1. Under **Actions**, select **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy. 1. Under **Actions**, select **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy.
## Block new commands ## Block new commands
1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. 1. Open the TPM MMC (`tpm.msc`). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
1. In the console tree, select **Command Management**. A list of TPM commands is displayed. 1. In the console tree, select **Command Management**. A list of TPM commands is displayed.
1. In the **Action** pane, select **Block New Command**. The **Block New Command** dialog box is displayed. 1. In the **Action** pane, select **Block New Command**. The **Block New Command** dialog box is displayed.
1. In the **Command Number** text box, type the number of the new command that you want to block, and then select **OK**. The command number you entered is added to the blocked list. 1. In the **Command Number** text box, type the number of the new command that you want to block, and then select **OK**. The command number you entered is added to the blocked list.
## Use the TPM cmdlets ## Use the TPM cmdlets
You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
## Related articles
- [Trusted Platform Module](trusted-platform-module-overview.md)
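Review bot: the cmdlet link in the "Use the TPM cmdlets" line keeps the version-pinned `?view=win10-ps&preserve-view=true` query, while the identical sentence in the TPM lockout article touched by this same commit links to the unpinned `/powershell/module/trustedplatformmodule/`; use the unpinned form in both so readers land on the current module reference. Also, the hunk deletes the "Related articles" section without anything in the article replacing the link to the TPM overview; either keep it or confirm the navigation now covers it.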


@ -2,7 +2,7 @@
title: Manage TPM lockout title: Manage TPM lockout
description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
--- ---
# Manage TPM lockout # Manage TPM lockout
@ -21,11 +21,11 @@ In some cases, encryption keys are protected by a TPM by requiring a valid autho
TPM 2.0 devices have standardized lockout behavior which Windows configures. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This configuration means that every continuous 10 minutes of powered on operation without an event causes the counter to decrease by 1. TPM 2.0 devices have standardized lockout behavior which Windows configures. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This configuration means that every continuous 10 minutes of powered on operation without an event causes the counter to decrease by 1.
If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner's authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher. If your TPM is in lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner's authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher.
### TPM 1.2 ### TPM 1.2
The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for a period of time. The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips might not store failed attempts over time. Other TPM chips might store every failed attempt indefinitely. Therefore, some users might experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for some time.
## Reset the TPM lockout by using the TPM MMC ## Reset the TPM lockout by using the TPM MMC
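Review bot: "starting with Windows 10 version 1607 and higher" in the lockout-reset paragraph is redundant; write "starting with Windows 10, version 1607". More substantively, the paragraph above states the 32-count threshold and 10-minute healing time as Windows' configuration with no version caveat, while the TPM fundamentals article in this same commit says the Dictionary Attack Prevention parameters were changed in version 1703 and the legacy values are only used when the corresponding Group Policy setting is enabled. State which versions the 32/10-minute values apply to, or link to that section, so readers don't assume the values on their device without checking.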
@ -73,7 +73,3 @@ For information about mitigating dictionary attacks that use the lockout setting
## Use the TPM cmdlets ## Use the TPM cmdlets
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/). You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/).
## Related articles
- [Trusted Platform Module](trusted-platform-module-overview.md)


@ -1,8 +1,8 @@
--- ---
title: UnderstandPCR banks on TPM 2.0 devices title: Understand PCR banks on TPM 2.0 devices
description: Learn about what happens when you switch PCR banks on TPM 2.0 devices. description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
--- ---
# PCR banks on TPM 2.0 devices # PCR banks on TPM 2.0 devices
@ -27,9 +27,9 @@ It's important to note that this binding to PCR values also includes the hashing
## What happens when PCR banks are switched? ## What happens when PCR banks are switched?
When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs. When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm returns a different cryptographic signature for the same inputs.
As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR[12] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled. As a result, if the currently used PCR bank is switched, all keys that are bound to the previous PCR values no longer work. For example, if you had a key bound to the SHA-1 value of PCR[12] and later changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows can't unseal it if the PCR banks are switched while BitLocker is enabled.
## What can I do to switch PCRs when BitLocker is already active? ## What can I do to switch PCRs when BitLocker is already active?
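Review bot: "Each hash algorithm returns a different cryptographic signature for the same inputs" uses the wrong term; PCR extend operations produce digests, not signatures, and nothing is signed here. Suggest "Each hash algorithm produces a different digest for the same inputs, so PCR values in one bank can't be compared with those in another." In the next sentence, "the banks wouldn't match" is imprecise: it is the PCR values, and therefore the policy the key is bound to, that no longer match, which is why the key can't be used.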
@ -43,7 +43,7 @@ You can configure a TPM to have multiple PCR banks active. When BIOS performs me
- DWORD: `TPMActivePCRBanks` - DWORD: `TPMActivePCRBanks`
- Defines which PCR banks are currently active. This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27. - Defines which PCR banks are currently active. This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.
Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions isn't met. Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows prefers the use of the SHA-256 bank for measurements and falls back to SHA1 PCR bank if one of the preconditions isn't met.
You can identify which PCR bank is currently used by Windows by looking at the registry: You can identify which PCR bank is currently used by Windows by looking at the registry:
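Review bot: "SHA1 PCR bank" should be "SHA-1 PCR bank" for consistency with the rest of this article. More important, the fallback to SHA-1 is a silent downgrade of the measurement chain; since the article already documents `TPMDigestAlgID` as the way to see which bank Windows is using, this paragraph should tell readers to check that value (and the measured boot log) after a firmware or TPM update rather than assume the SHA-256 bank is in use.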
@ -51,4 +51,4 @@ You can identify which PCR bank is currently used by Windows by looking at the r
- DWORD: `TPMDigestAlgID` - DWORD: `TPMDigestAlgID`
- Algorithm ID of the PCR bank that Windows is currently using. This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27. - Algorithm ID of the PCR bank that Windows is currently using. This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.
Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted. Windows only uses one PCR bank to continue boot measurements. All other active PCR banks are extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted.


@ -2,7 +2,7 @@
title: Trusted Platform Module (TPM) fundamentals title: Trusted Platform Module (TPM) fundamentals
description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks. description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
--- ---
# TPM fundamentals # TPM fundamentals
@ -98,7 +98,7 @@ TPM 2.0 allows some keys to be created without an authorization value associated
Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4,415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
Starting in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). Starting in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
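Review bot: "all 9999 possible PIN combinations" is off by one; a four-digit numeric PIN has 10,000 values (0000 through 9999), and the hunk adds a thousands separator to 4,415 but not to this number, so write "all 10,000 possible PINs". Also, "Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters" reads as though later versions don't use them; the following paragraph says they do, with a shorter lockout, and refers to the older values as "legacy parameters", so "used the legacy Dictionary Attack Prevention parameters" would be clearer.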


@ -1,15 +1,15 @@
--- ---
title: TPM recommendations title: TPM recommendations
description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. description: This article provides recommendations for Trusted Platform Module (TPM) technology for Windows.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
ms.collection: ms.collection:
- tier1 - tier1
--- ---
# TPM recommendations # TPM recommendations
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. This article provides recommendations for Trusted Platform Module (TPM) technology for Windows.
For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md). For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md).
@ -17,24 +17,24 @@ For a basic feature description of TPM, see the [Trusted Platform Module Technol
Traditionally, TPMs are discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. Traditionally, TPMs are discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM. TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, they may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly can't leave the TPM.
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not. The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments clearly define security requirements for TPMs whereas others don't.
## TPM 1.2 vs. 2.0 comparison ## TPM 1.2 vs. 2.0 comparison
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization, and NV RAM.
## Why TPM 2.0? ## Why TPM 2.0?
TPM 2.0 products and systems have important security advantages over TPM 1.2, including: TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. - The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. - For security reasons, some entities are moving away from SHA-1. Notably, NIST requires many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have removed support for SHA-1 based signing or certificates in 2017.
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. - TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
- TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs don't support all algorithms. - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs don't support all algorithms.
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers). - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers).
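Review bot: tense in the SHA-1 bullet: "have removed support for SHA-1 based signing or certificates in 2017" mixes present perfect with a dated past event; use "removed support ... in 2017" (or "ended support for SHA-1 signing in 2017"). Two smaller points in the same hunk: the TCG Algorithm Registry link uses `http://` while the PCR banks article in this commit links the same registry over `https://`, and "hardware root of trust-that is, it behaves in a trusted way" has a hyphen where a dash or colon was intended.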
@ -58,7 +58,7 @@ There are three implementation options for TPMs:
- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components. - Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components.
- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit. - Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit.
Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions, which should suit all needs. Windows uses any compatible TPM in the same way. Microsoft doesn't take a position on which way a TPM should be implemented and there's a wide ecosystem of available TPM solutions, which should suit all needs.
## Is there any importance for TPM for consumers? ## Is there any importance for TPM for consumers?
@ -84,25 +84,21 @@ The following table defines which Windows features require TPM support.
| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | | Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
|--|--|--|--|--| |--|--|--|--|--|
| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. | | Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm, which is being deprecated. |
| BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/index.md#device-encryption) including TPM 2.0 support | | BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/index.md#device-encryption) including TPM 2.0 support |
| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. | | Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
| Windows Defender Application Control (Device Guard) | No | Yes | Yes | | Windows Defender Application Control (Device Guard) | No | Yes | Yes |
| Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | | System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. | | Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers. |
| Device Health Attestation | Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. | | Device Health Attestation | Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm, which is being deprecated. |
| Windows Hello/Windows Hello for Business | No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage. | | Windows Hello/Windows Hello for Business | No | Yes | Yes | Microsoft Entra join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator takes advantage of TPM 2.0 for key storage. |
| UEFI Secure Boot | No | Yes | Yes | | UEFI Secure Boot | No | Yes | Yes |
| TPM Platform Crypto Provider Key Storage Provider | Yes | Yes | Yes | | TPM Platform Crypto Provider Key Storage Provider | Yes | Yes | Yes |
| Virtual Smart Card | Yes | Yes | Yes | | Virtual Smart Card | Yes | Yes | Yes |
| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. | | Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
| Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. | | Autopilot | No | N/A | Yes | If you intend to deploy a scenario, which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required. |
| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | | SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
## OEM Status on TPM 2.0 system availability and certified parts ## OEM Status on TPM 2.0 system availability and certified parts
Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. For more information, contact your OEM or hardware vendor. Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. For more information, contact your OEM or hardware vendor.
## Related topics
- [Trusted Platform Module](trusted-platform-module-overview.md)
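Review bot: the comma added in the Autopilot row ("a scenario, which requires TPM") turns a restrictive clause into a non-restrictive one and changes the meaning; use "a scenario that requires TPM". Also, the hunk renames "Windows Defender System Guard" to "System Guard" in two rows but leaves "Windows Defender Application Control (Device Guard)" untouched; confirm the product naming is meant to differ between rows.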


@ -2,7 +2,7 @@
title: Trusted Platform Module Technology Overview title: Trusted Platform Module Technology Overview
description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
ms.collection: ms.collection:
- tier1 - tier1
--- ---


@ -1,13 +1,52 @@
--- ---
title: TPM Group Policy settings title: TPM Group Policy settings
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. description: This article describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/17/2023 ms.date: 07/10/2024
--- ---
# TPM Group Policy settings # TPM Group Policy settings
This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. The Group Policy settings for TPM services are located under **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services**. This article describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. The Group Policy settings for TPM services are located under **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services**.
## Configure the list of blocked TPM commands
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows.
If you enable this policy setting, Windows blocks the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number `129` is `TPM_OwnerReadInternalPub`, and command number `170` is `TPM_FieldUpgrade`.
If you disable or don't configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is preconfigured by Windows. You can view the default list by running `tpm.msc`, navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running `tpm.msc` or through scripting against the Win32_Tpm interface.
## Configure the system to clear the TPM if it is not in a ready state
This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy takes effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user sign-in only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and sign-in until the policy is disabled or until the TPM is in a Ready state.
## Ignore the default list of blocked TPM commands
This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.
If you enable this policy setting, Windows ignores the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list.
The local list of blocked TPM commands is configured outside of Group Policy by running `tpm.msc` or through scripting against the `Win32_Tpm` interface. The default list of blocked TPM commands is preconfigured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands.
If you disable or don't configure this policy setting, Windows blocks the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands.
## Ignore the local list of blocked TPM commands
This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions, which require TPM owner authorization without requiring the user to enter the TPM owner password.
You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none.
If you enable this policy setting, Windows stores the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose.
Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios, which don't depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features, which depend on the TPM anti-hammering logic can be used.
Choose the operating system managed TPM authentication setting of "Delegated" to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic.
Choose the operating system managed TPM authentication setting of "None" for compatibility with previous operating systems and applications or for use with scenarios that require TPM owner authorization not be stored locally. Using this setting might cause issues with some TPM-based applications.
> [!NOTE]
> If the operating system managed TPM authentication setting is changed from "Full" to "Delegated", the full TPM owner authorization value is regenerated and any copies of the original TPM owner authorization value are invalidated.
## Configure the level of TPM owner authorization information available to the operating system ## Configure the level of TPM owner authorization information available to the operating system
@ -24,11 +63,11 @@ This policy setting configured which TPM authorization values are stored in the
There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
- **Full**: This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. - **Full**: This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that don't require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
- **Delegated**: This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703. - **Delegated**: This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
- **None**: This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. - **None**: This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization can't be stored locally. Using this setting might cause issues with some TPM-based applications.
> [!NOTE] > [!NOTE]
> If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid. > If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid.
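Review bot: the headings and bodies of the newly added blocked-command policies do not line up. Under `## Ignore the default list of blocked TPM commands` the body says enabling the setting makes Windows ignore the computer's *local* list and block only commands in the Group Policy and default lists, which is the behaviour of the *local*-list policy; and `## Ignore the local list of blocked TPM commands` is followed by eight paragraphs about how much TPM owner authorization is stored in the registry (Full, Delegated, None, plus the same `[!NOTE]`), which duplicate the existing `## Configure the level of TPM owner authorization information available to the operating system` section immediately below. Suggest giving each heading the body of the policy it names and dropping the duplicated owner-authorization text. Two smaller points in the same block: UI names such as "Command Management" and "On Default Block List" are in straight quotes while the rest of the article uses bold for UI elements, and `Win32_Tpm` is code-formatted in one paragraph but plain text in the other.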
@ -46,31 +85,31 @@ The following table shows the TPM owner authorization values in the registry.
| 2 | Delegated | | 2 | Delegated |
| 4 | Full | | 4 | Full |
If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. If you enable this policy setting, the Windows operating system stores the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose.
On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. On Windows 10 prior to version 1607, if you disable or don't configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
## Standard User Lockout Duration ## Standard User Lockout Duration
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require
authorization to the TPM. authorization to the TPM.
The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption. The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it's global for all users (including administrators) and for Windows features such as BitLocker Drive Encryption.
This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM.
For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration: For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration:
- [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold): This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. - [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold): This value is the maximum number of authorization failures that each standard user can have before the user isn't allowed to send commands that require authorization to the TPM.
- [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold): This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. - [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold): This value is the maximum total number of authorization failures that all standard users can have before all standard users aren't allowed to send commands that require authorization to the TPM.
An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. If you don't configure this policy setting, a default value of 480 minutes (8 hours) is used.
## Standard User Individual Lockout Threshold ## Standard User Individual Lockout Threshold
This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM). This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user isn't allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM).
This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode by slowing the speed at which standard users can send commands that require authorization to the TPM.
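Review bot: the reset instructions in this hunk still say "by using the Windows Defender Security Center", while the later section in this same file calls the app **Windows Security**; suggest aligning the product name here, since the hunk already touches the surrounding sentences. Also, the first paragraph of "Standard User Lockout Duration" is hard-wrapped mid-sentence ("...prevented from sending commands that require" / "authorization to the TPM."); joining it onto one line avoids an odd break in the rendered page.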
@ -78,7 +117,7 @@ An authorization failure occurs each time a standard user sends a command to the
An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. If you don't configure this policy setting, a default value of 4 is used. A value of zero means that the operating system won't allow standard users to send commands to the TPM, which might cause an authorization failure.
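Review bot: "the operating system won't allow standard users to send commands to the TPM, which might cause an authorization failure" reads as if blocking the commands causes the failure; the intended meaning is that zero blocks the commands that might fail authorization, so suggest "to send commands to the TPM that might cause an authorization failure". The same sentence appears under "Standard User Total Lockout Threshold" in the next hunk.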
## Standard User Total Lockout Threshold ## Standard User Total Lockout Threshold
@ -90,7 +129,7 @@ An authorization failure occurs each time a standard user sends a command to the
An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. If you don't configure this policy setting, a default value of 9 is used. A value of zero means that the operating system won't allow standard users to send commands to the TPM, which might cause an authorization failure.
## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 ## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
@ -114,14 +153,13 @@ You can change what users see about TPM in **Windows Security**. The Group Polic
### Disable the Clear TPM button ### Disable the Clear TPM button
If you don't want users to be able to click the **Clear TPM** button in **Windows Security**, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use. If you don't want users to be able to select the **Clear TPM** button in **Windows Security**, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use.
### Hide the TPM Firmware Update recommendation ### Hide the TPM Firmware Update recommendation
If you don't want users to see the recommendation to update TPM firmware, you can disable it with this setting. Select **Enabled** to prevent users from seeing a recommendation to update their TPM firmware when a vulnerable firmware is detected. If you don't want users to see the recommendation to update TPM firmware, you can disable it with this setting. Select **Enabled** to prevent users from seeing a recommendation to update their TPM firmware when a vulnerable firmware is detected.
## Related topics ## Related articles
- [Trusted Platform Module](trusted-platform-module-overview.md)
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true) - [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
- [BitLocker planning guide](../../operating-system-security/data-protection/bitlocker/planning-guide.md) - [BitLocker planning guide](../../operating-system-security/data-protection/bitlocker/planning-guide.md)
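Review bot: besides the rename to "Related articles", this hunk silently removes the `[Trusted Platform Module](trusted-platform-module-overview.md)` entry, leaving only the PowerShell cmdlets and BitLocker planning guide links; if the overview is still the parent page for these settings, keep that entry, and either way call the removal out in the commit message rather than folding it into a wording change.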

View File

@ -1,7 +1,7 @@
--- ---
title: Deprecated features in the Windows client title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11. description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
ms.date: 06/11/2024 ms.date: 07/09/2024
ms.service: windows-client ms.service: windows-client
ms.subservice: itpro-fundamentals ms.subservice: itpro-fundamentals
ms.localizationpriority: medium ms.localizationpriority: medium
@ -54,7 +54,7 @@ The features in this article are no longer being actively developed, and might b
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits <!--8644149-->| Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. </br></br> TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024| | TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits <!--8644149-->| Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). 
This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. </br></br> TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base <!--8790681--> | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 | | Test Base <!--8790681--> | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
| Windows Mixed Reality <!--8412877--> | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta.Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates.</br> </br>This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 | | Windows Mixed Reality <!--8412877--> | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta.Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates.</br> </br>This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
| Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. </br></br> **[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated [Windows Store app](https://apps.microsoft.com/detail/9N8GNLC8Z9C8) will not be available after May 2024. This affects the following browsers: [*Application Guard Extension - Chrome*](https://chromewebstore.google.com/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj) and [*Application Guard Extension - Firefox*](https://addons.mozilla.org/firefox/addon/application-guard-extension/). If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). 
<!--8932292-->| December 2023 | | Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. </br></br> **[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). <!--8932292-->| December 2023 |
| Legacy console mode <!-- 8577271 -->| The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 | | Legacy console mode <!-- 8577271 -->| The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
| Windows speech recognition <!--8396142-->| [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 | | Windows speech recognition <!--8396142-->| [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
| Microsoft Defender Application Guard for Office <!--8396036-->| [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 | | Microsoft Defender Application Guard for Office <!--8396036-->| [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
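Review bot: in the Microsoft Defender Application Guard for Edge row, the changed sentence "This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*" names extensions, not browsers; now that the store links are gone, suggest "This affects the following browser extensions: ...". The same row keeps "Please download" and "until you are ready", which the rest of this commit rewrites elsewhere. In the unchanged context lines, the Windows speech recognition row says voice access supports "five English locales" and then lists six (US, UK, India, New Zealand, Canada, Australia), and the Windows Mixed Reality row is missing a space in "Steam VR Beta.Existing".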

View File

@ -6,9 +6,9 @@ ms.localizationpriority: medium
author: mestew author: mestew
manager: aaroncz manager: aaroncz
ms.author: mstewart ms.author: mstewart
ms.topic: conceptual ms.topic: reference
ms.subservice: itpro-fundamentals ms.subservice: itpro-fundamentals
ms.date: 12/15/2023 ms.date: 07/09/2024
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2

View File

@ -8,7 +8,7 @@ manager: aaroncz
ms.localizationpriority: low ms.localizationpriority: low
ms.topic: overview ms.topic: overview
ms.subservice: itpro-fundamentals ms.subservice: itpro-fundamentals
ms.date: 12/18/2023 ms.date: 07/09/2024
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 Enterprise LTSC</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 Enterprise LTSC</a>
--- ---
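Review bot: This hunk only bumps ms.date (12/18/2023 to 07/09/2024) and leaves `ms.topic: overview` in place, while the neighbouring what's-new LTSC pages in this same commit switch `ms.topic` from `conceptual` to `reference`. If the topic-type change is meant to cover the whole what's-new set, this page should get the same treatment; if `overview` is intentional here, a one-line note in the PR description would save the next reviewer the same question.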

View File

@ -6,9 +6,9 @@ description: New and updated IT pro content about new features in Windows 10 Ent
ms.service: windows-client ms.service: windows-client
author: mestew author: mestew
ms.localizationpriority: low ms.localizationpriority: low
ms.topic: conceptual ms.topic: reference
ms.subservice: itpro-fundamentals ms.subservice: itpro-fundamentals
ms.date: 12/18/2023 ms.date: 07/09/2024
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2015</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2015</a>
--- ---

View File

@ -6,9 +6,9 @@ description: New and updated IT pro content about new features in Windows 10 Ent
ms.service: windows-client ms.service: windows-client
author: mestew author: mestew
ms.localizationpriority: low ms.localizationpriority: low
ms.topic: conceptual ms.topic: reference
ms.subservice: itpro-fundamentals ms.subservice: itpro-fundamentals
ms.date: 12/18/2023 ms.date: 07/09/2024
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2016</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2016</a>
--- ---

View File

@ -6,9 +6,9 @@ description: New and updated IT Pro content about new features in Windows 10 Ent
ms.service: windows-client ms.service: windows-client
author: mestew author: mestew
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: reference
ms.subservice: itpro-fundamentals ms.subservice: itpro-fundamentals
ms.date: 12/18/2023 ms.date: 07/09/2024
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2019</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2019</a>
--- ---

View File

@ -6,9 +6,9 @@ description: New and updated IT Pro content about new features in Windows 10 Ent
ms.service: windows-client ms.service: windows-client
author: mestew author: mestew
ms.localizationpriority: high ms.localizationpriority: high
ms.topic: conceptual ms.topic: reference
ms.subservice: itpro-fundamentals ms.subservice: itpro-fundamentals
ms.date: 12/18/2023 ms.date: 07/09/2024
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2021</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/" target="_blank">Windows 10 Enterprise LTSC 2021</a>
--- ---

View File

@ -7,8 +7,8 @@ ms.author: mstewart
author: mestew author: mestew
manager: aaroncz manager: aaroncz
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: reference
ms.date: 10/18/2022 ms.date: 07/09/2024
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2

View File

@ -6,12 +6,12 @@ ms.service: windows-client
ms.author: mstewart ms.author: mstewart
author: mestew author: mestew
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: reference
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.subservice: itpro-fundamentals ms.subservice: itpro-fundamentals
ms.date: 08/11/2023 ms.date: 07/09/2024
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2</a>
--- ---

View File

@ -6,12 +6,12 @@ ms.service: windows-client
ms.author: mstewart ms.author: mstewart
author: mestew author: mestew
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: reference
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
ms.subservice: itpro-fundamentals ms.subservice: itpro-fundamentals
ms.date: 10/31/2023 ms.date: 07/09/2024
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 23H2</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 23H2</a>
--- ---