Merge branch 'main' into privacy-update-vb

2025-05-12 21:37:22 +00:00 · 2022-09-16 11:12:15 -07:00 · 2022-09-16 11:12:15 -07:00 · a4264fb028
commit a4264fb028
parent 667fe2a535 9d3f9a4b0a
153 changed files with 2593 additions and 792 deletions
--- a/.acrolinx-config.edn
+++ b/.acrolinx-config.edn
@ -4,15 +4,14 @@
  :targets 
   {
     :counts {
-              ;;:spelling 10
+              ;;:correctness 13 
              ;;:grammar 3
              ;;:total 15 ;; absolute flag count but i don't know the difference between this and issues
              ;;:issues 15 ;; coming from the platform, will need to be tested.
             }
     :scores {
              ;;:terminology 100
              :qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place
-              ;;:spelling 40
+              ;;:correctness 40
             }
   }
@ -22,7 +21,7 @@
 {
  "languageId" "en"
  "ruleSetName" "Standard"
-  "requestedFlagTypes" ["SPELLING" "GRAMMAR" "STYLE"
+  "requestedFlagTypes" ["CORRECTNESS" "SPELLING" "GRAMMAR" "STYLE"
                        "TERMINOLOGY_DEPRECATED"
                        "TERMINOLOGY_VALID"
                        "VOICE_GUIDANCE"
@ -35,7 +34,7 @@
 "
 ## Acrolinx Scorecards
-**The minimum Acrolinx topic score of 80 is required for all MARVEL content merged to the default branch.**
+**The minimum Acrolinx topic score of 80 is required for all MAGIC content merged to the default branch.**
 If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions:
@ -47,12 +46,12 @@ For more information about the exception criteria and exception process, see [Mi
 Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
-| Article | Score | Issues | Correctness<br>issues | Scorecard | Processed |
+| Article | Score | Issues | Correctness<br>score | Scorecard | Processed |
 | ------- | ----- | ------ | ------ | --------- | --------- |
 "
 :template-change
- "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/flags/correctness} | [link](${acrolinx/scorecard}) | ${s/status} |
+ "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/scores/correctness} | [link](${acrolinx/scorecard}) | ${s/status} |
 "
 :template-footer
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -0,0 +1,39 @@
 <!-- 
 Fill out the following information to help us review this pull request. 
 You can delete these comments once you are done.
 -->
 <!-- 
 ## Description
 If your changes are extensive:
 - Uncomment this heading and provide a brief description here.
 - List more detailed changes below under the changes heading.
 -->
 ## Why
 <!--
 - Briefly describe _why_ you made this pull request.
 - If this pull request relates to an issue, provide the issue number or link.
 - If this pull request closes an issue, use a keyword (`Closes #123`).
  - Using a keyword will ensure the issue is automatically closed once this pull request is merged.
  - For more information, see [Linking a pull request to an issue using a keyword](https://docs.github.com/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword).
 -->
 - Closes #[Issue Number]
 ## Changes
 <!--
 - Briefly describe or list _what_ this PR changes.
 - Share any important highlights regarding your changes, such as screenshots, code snippets, or formatting.
 -->
 <!--
 Thanks for contributing to Microsoft docs content!
 Here are some resources that might be helpful while contributing:
 - [Microsoft Docs contributor guide](https://docs.microsoft.com/contribute/)
 - [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference)
 - [Microsoft Writing Style Guide](https://docs.microsoft.com/style-guide/welcome/)
 -->
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -1,5 +1,10 @@
 {
  "redirections": [
    {
      "source_path": "windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md",
      "redirect_url": "/windows/security/windows/security/identity-protection/hello-for-business/webauthn-apis",
      "redirect_document_id": false  
    },
    {
      "source_path": "windows/application-management/manage-windows-mixed-reality.md",
      "redirect_url": "/windows/mixed-reality/enthusiast-guide/manage-windows-mixed-reality",
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@ -26,12 +26,6 @@
      "recommendations": true,
      "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
      "ROBOTS": "INDEX, FOLLOW",
      "audience": "ITPro",
      "ms.technology": "internet-explorer",
      "ms.prod": "ie11",
      "ms.topic": "article",
      "manager": "dansimp",
      "ms.date": "04/05/2017",
      "feedback_system": "None",
      "hideEdit": true,
      "_op_documentIdPathDepotMapping": {
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@ -7,6 +7,7 @@ ms.reviewer:
 audience: itpro
 manager: dansimp
 ms.author: dansimp
 ms.prod: ie11
 ---
 # Full-sized flowchart detailing how document modes are chosen in IE11
--- a/browsers/internet-explorer/internet-explorer.yml
+++ b/browsers/internet-explorer/internet-explorer.yml
@ -9,6 +9,7 @@ metadata:
  author: aczechowski
  ms.author: aaroncz
  ms.date: 07/29/2022
  ms.prod: ie11
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
--- a/education/breadcrumb/toc.yml
+++ b/education/breadcrumb/toc.yml
@ -1,3 +1,4 @@
 items:
 - name: Docs
  tocHref: /
  topicHref: /
@ -12,4 +13,7 @@
      - name: Windows
        tocHref: /education/windows
        topicHref: /education/windows/index
      - name: Windows
        tocHref: /windows/security/
        topicHref: /education/windows/index
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@ -2,6 +2,38 @@
 ## Week of September 05, 2022
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 9/8/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified |
 | 9/8/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
 | 9/8/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
 | 9/9/2022 | [Take tests in Windows](/education/windows/take-tests-in-windows-10) | modified |
 ## Week of August 29, 2022
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 8/31/2022 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added |
 | 8/31/2022 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added |
 | 8/31/2022 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added |
 | 8/31/2022 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added |
 | 8/31/2022 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added |
 | 8/31/2022 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added |
 | 8/31/2022 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added |
 | 8/31/2022 | [Introduction](/education/windows/tutorial-school-deployment/index) | added |
 | 8/31/2022 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added |
 | 8/31/2022 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added |
 | 8/31/2022 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added |
 | 8/31/2022 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
 | 8/31/2022 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
 | 8/31/2022 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |
 ## Week of August 15, 2022
@ -47,14 +79,3 @@
 | 8/10/2022 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
 | 8/10/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
 | 8/10/2022 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
 ## Week of July 25, 2022
 | Published On |Topic title | Change |
 |------|------------|--------|
 | 7/26/2022 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | added |
 | 7/26/2022 | [Secure the Windows boot process](/education/windows/change-home-to-edu) | modified |
 | 7/25/2022 | Edit an existing topic using the Edit link | removed |
 | 7/26/2022 | [Windows Hello for Business Videos](/education/windows/change-home-to-edu) | modified |
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@ -1,73 +1,99 @@
- name: Windows 11 SE for Education
+items:
 - name: Windows for Education Documentation
  href: index.yml
 - name: Tutorials
  expanded: true
  items:
  - name: Deploy and manage Windows devices in a school
    href: tutorial-school-deployment/toc.yml
 - name: Concepts
  items: 
    - name: Windows 11 SE
      items:
      - name: Overview
        href: windows-11-se-overview.md
      - name: Settings and CSP list
        href: windows-11-se-settings-list.md
- name: Windows 10 for Education
+    - name: Windows in S Mode
  href: index.md
      items:
    - name: Windows 10 editions for education customers
      href: windows-editions-for-education-customers.md
    - name: Windows 10 configuration recommendations for education customers
      href: configure-windows-for-education.md
    - name: Deployment recommendations for school IT administrators
      href: edu-deployment-recommendations.md
    - name: Set up Windows devices for education
      href: set-up-windows-10.md
      items: 
        - name: What's new in Set up School PCs
          href: set-up-school-pcs-whats-new.md
        - name: Technical reference for the Set up School PCs app
          href: set-up-school-pcs-technical.md
          items: 
            - name: Azure AD Join for school PCs
              href: set-up-school-pcs-azure-ad-join.md
            - name: Shared PC mode for school devices
              href: set-up-school-pcs-shared-pc-mode.md
            - name: Provisioning package settings
              href: set-up-school-pcs-provisioning-package.md
        - name: Use the Set up School PCs app
          href: use-set-up-school-pcs-app.md
        - name: Set up student PCs to join domain
          href: set-up-students-pcs-to-join-domain.md
        - name: Provision student PCs with apps
          href: set-up-students-pcs-with-apps.md
    - name: Take tests in Windows 10
      href: take-tests-in-windows-10.md
      items: 
        - name: Set up Take a Test on a single PC
          href: take-a-test-single-pc.md
        - name: Set up Take a Test on multiple PCs
          href: take-a-test-multiple-pcs.md
        - name: Take a Test app technical reference
          href: take-a-test-app-technical.md
    - name: Reset devices with Autopilot Reset
      href: autopilot-reset.md
    - name: Working with Microsoft Store for Education
      href: education-scenarios-store-for-business.md
    - name: "Get Minecraft: Education Edition"
      href: get-minecraft-for-education.md
      items: 
        - name: "For teachers: get Minecraft Education Edition"
          href: teacher-get-minecraft.md
        - name: "For IT administrators: get Minecraft Education Edition"
          href: school-get-minecraft.md
      - name: Test Windows 10 in S mode on existing Windows 10 education devices
        href: test-windows10s-for-edu.md
      - name: Enable Windows 10 in S mode on Surface Go devices
        href: enable-s-mode-on-surface-go-devices.md
-    - name: Deploy Windows 10 in a school
+    - name: Windows 10 editions for education customers
-      href: deploy-windows-10-in-a-school.md
+      href: windows-editions-for-education-customers.md
-    - name: Deploy Windows 10 in a school district
+    - name: Shared PC mode for school devices
-      href: deploy-windows-10-in-a-school-district.md
+      href: set-up-school-pcs-shared-pc-mode.md
    - name: Windows 10 configuration recommendations for education customers
      href: configure-windows-for-education.md
 - name: How-to-guides
  items:
    - name: Use the Set up School PCs app
      href: use-set-up-school-pcs-app.md
    - name: Take tests and assessments in Windows
      items: 
        - name: Overview
          href: take-tests-in-windows-10.md
        - name: Configure Take a Test on a single PC
          href: take-a-test-single-pc.md
        - name: Configure a Test on multiple PCs
          href: take-a-test-multiple-pcs.md
    - name: Change Windows edition
      items: 
      - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
        href: s-mode-switch-to-edu.md
      - name: Change to Windows 10 Pro Education from Windows 10 Pro
        href: change-to-pro-education.md
      - name: Upgrade Windows Home to Windows Education on student-owned devices
        href: change-home-to-edu.md
    - name: "Get and deploy Minecraft: Education Edition"
      items: 
      - name: "Get Minecraft: Education Edition"
        href: get-minecraft-for-education.md
      - name: "For IT administrators: get Minecraft Education Edition"
        href: school-get-minecraft.md
      - name: "For teachers: get Minecraft Education Edition"
        href: teacher-get-minecraft.md
    - name: Work with Microsoft Store for Education
      href: education-scenarios-store-for-business.md
    - name: Migrate from Chromebook to Windows
      items: 
        - name: Chromebook migration guide
          href: chromebook-migration-guide.md
    - name: Deploy Windows 10 devices in a school
      items: 
      - name: Overview
        href: deploy-windows-10-overview.md
      - name: Deploy Windows 10 in a school
        href: deploy-windows-10-in-a-school.md
      - name: Deploy Windows 10 in a school district
        href: deploy-windows-10-in-a-school-district.md
      - name: Deployment recommendations for school IT administrators
        href: edu-deployment-recommendations.md
      - name: Set up Windows devices for education
        items: 
          - name: Overview
            href: set-up-windows-10.md
          - name: Azure AD join for school PCs
            href: set-up-school-pcs-azure-ad-join.md
          - name: Active Directory join for school PCs
            href: set-up-students-pcs-to-join-domain.md
          - name: Provision student PCs with apps
            href: set-up-students-pcs-with-apps.md
    - name: Reset devices with Autopilot Reset
      href: autopilot-reset.md
 - name: Reference
  items:
    - name: Set up School PCs
      items:
      - name: Set up School PCs app technical reference
        href: set-up-school-pcs-technical.md
      - name: Provisioning package settings
        href: set-up-school-pcs-provisioning-package.md
      - name: What's new in Set up School PCs
        href: set-up-school-pcs-whats-new.md
    - name: Take a Test app technical reference
      href: take-a-test-app-technical.md
    - name: Change history for Windows 10 for Education
      href: change-history-edu.md
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@ -17,7 +17,7 @@ appliesto:
 ---
 # Change history for Windows 10 for Education
-This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+This topic lists new and updated topics in the [Windows 10 for Education](index.yml) documentation.
 ## May 2019
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@ -1,12 +1,8 @@
 ---
 title: Chromebook migration guide (Windows 10)
 description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
-ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA
+ms.prod: windows-client
-keywords: migrate, automate, device, Chromebook migration
+ms.technology: itpro-edu
 ms.prod: windows
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: edu, devices
 ms.localizationpriority: medium
 ms.collection: education
 author: paolomatarazzo
@ -142,7 +138,7 @@ Table 3. Settings in the Security node in the Google Admin Console
 |Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.|
 |Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.|
-**Identify locally-configured settings to migrate**
+**Identify locally configured settings to migrate**
 In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you'll migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2).
@ -150,7 +146,7 @@ In addition to the settings configured in the Google Admin Console, users may ha
 Figure 2. Locally configured settings on Chromebook
-Table 4. Locally-configured settings
+Table 4. Locally configured settings
 | Section                | Settings                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 |------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@ -206,7 +202,7 @@ In addition to Chromebook devices, users may have companion devices (smartphones
 After you've identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox.
-In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254).
+In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://support.microsoft.com/office/compare-how-different-mobile-devices-work-with-office-365-bdd06229-776a-4824-947c-82425d72597b).
 **Identify the optimal timing for the migration**
@ -416,11 +412,11 @@ Examine each of the following network infrastructure technologies and services a
    For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources:
-    -   [Chromebook vs. Windows Notebook Network Traffic Analysis](https://go.microsoft.com/fwlink/p/?LinkId=690255)
+    -   [Chromebook vs. Windows Notebook Network Traffic Analysis](https://www.principledtechnologies.com/Microsoft/Chromebook_PC_network_traffic_0613.pdf)
-    -   [Hidden Cost of Chromebook Deployments](https://go.microsoft.com/fwlink/p/?LinkId=690256)
+    -   [Hidden Cost of Chromebook Deployments](https://www.principledtechnologies.com/Microsoft/Windows_Chromebook_bandwidth_0514.pdf)
-    -   [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://go.microsoft.com/fwlink/p/?LinkId=690257)
+    -   [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://www.principledtechnologies.com/Microsoft/Windows_8.1_vs_Chromebooks_in_Education_0715.pdf)
 -   **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This condition means that your existing power outlets should support the same number of Windows devices.
@ -442,15 +438,11 @@ You must perform some of the steps in this section in a specific sequence. Each
 The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform.
-It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each.
+It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Use the following Microsoft network infrastructure products and technologies:
 Table 7. Network infrastructure products and technologies and deployment resources
 |Product or technology|Resources|
 |--- |--- |
 |DHCP|<li> [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) <li> [DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))|
 |DNS|<li>[Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) <li>[Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))|
 - [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server)
 - [DHCP overview](/windows-server/networking/technologies/dhcp/dhcp-top)
 - [DNS overview](/windows-server/networking/dns/dns-top)
 If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
@ -459,33 +451,38 @@ If you use network infrastructure products and technologies from other vendors,
 It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations.
-In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both.
+In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Use the following resources to deploy or remediate on-premises AD DS, Azure AD, or both:
-Table 8. AD DS, Azure AD and deployment resources
+- [Core network guidance for Windows Server](/windows-server/networking/core-network-guide/core-network-guide-windows-server)
-
+- [AD DS overview](/windows-server/identity/ad-ds/active-directory-domain-services)
-|Product or technology|Resources|
+- [Azure AD documentation](/azure/active-directory/)
-|--- |--- |
+- [Azure AD Premium](https://azure.microsoft.com/pricing/details/active-directory/)
-|AD DS| <li> [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) <li>[Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))|
+- [Safely virtualizing Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
 |Azure AD| <li> [Azure Active Directory documentation](/azure/active-directory/) <li>[Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259) <li>[Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
 If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
 ## Prepare device, user, and app management systems
 In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you'll use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You'll use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings.
-Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems.
+Use the following Microsoft management systems and the deployment resources to prepare (deploy or remediate) these management systems.
-Table 9. Management systems and deployment resources
+- [Microsoft Intune](/mem/intune/fundamentals/setup-steps)
-|Management system|Resources|
+- [Windows Autopilot](/mem/autopilot/windows-autopilot)
-|--- |--- |
+
-|Windows provisioning packages| <li> [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) <li>[Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) <li> [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)|
+- Microsoft Endpoint Configuration Manager [core infrastructure documentation](/mem/configmgr/core/)
-|Group Policy|<li> [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11)) <li> [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"|
+
-|Configuration Manager| <li> [Site Administration for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10)) <li> [Deploying Clients for Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))|
+- Provisioning packages:
-|Intune| <li> [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262) <li> [System Center 2012 R2 Configuration Manager &amp;amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)|
+
-|MDT| <li> [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
+  - [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
  - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
  - [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)
 - Group policy
  - [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
  - [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))
 If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@ -494,21 +491,19 @@ If you determined that no new management system or no remediation of existing sy
 In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer.
-In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.
+In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Use the following Microsoft management systems and the app deployment resources to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.
-Table 10. Management systems and app deployment resources
+- [Manage apps in Microsoft Intune](/mem/intune/apps/)
-
+- [App management in Configuration Manager](/mem/configmgr/apps/)
-|Management system|Resources|
+- Group policy
-|--- |--- |
+  - [Edit an AppLocker policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
-|Group Policy| <li> [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) <li> [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10)) <li> [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))|
+  - [Group policy software deployment background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))
-|Configuration Manager| <li> [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10)) <li> [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))|
+  - [Assigning and publishing software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))
 |Intune| <li> [Manage apps with Microsoft Intune](/mem/intune/)|
 If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
 ## <a href="" id="migrate-user-device-settings"></a>Perform migration of user and device settings
 In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device.
 Perform the user and device setting migration by using the following steps:
@ -534,7 +529,7 @@ Alternatively, if you want to migrate to Office 365 from:
 -   **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server:
-    -   [Cutover Exchange Migration and Single Sign-On](https://go.microsoft.com/fwlink/p/?LinkId=690266)
+    -   [What you need to know about a cutover email migration in Exchange Online](/exchange/mailbox-migration/what-to-know-about-a-cutover-migration)
    -   [Step-By-Step: Migration of Exchange 2003 Server to Office 365](/archive/blogs/canitpro/step-by-step-migration-of-exchange-2003-server-to-office-365)
@ -544,7 +539,6 @@ Alternatively, if you want to migrate to Office 365 from:
 ## Perform cloud storage migration
 In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you'll use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices.
 Manually migrate the cloud storage migration by using the following steps:
@ -577,7 +571,9 @@ In the [Select a Windows device deployment strategy](#select-windows-device-depl
 For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices.
-In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy Windows 10 images to the devices, see the following resources:
+In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager or MDT. For more information on how to deploy Windows 10 images to the devices, see the following resources:
 -   [OS deployment in Configuration Manager](/mem/configmgr/osd/)
 -   [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
@ -585,8 +581,6 @@ In some instances, you may receive the devices with Windows 10 already deployed
 -   [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)
 -   [Operating System Deployment in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682018(v=technet.10))
 In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment:
 -   Enroll the device with your management system.
@ -601,10 +595,6 @@ After you complete these steps, your management system should take over the day-
 ## Related topics
 [Try it out: Windows 10 deployment (for education)](../index.yml)
 [Try it out: Windows 10 in the classroom](../index.yml)
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@ -1278,9 +1278,9 @@ You've now identified the tasks you need to perform monthly, at the end of an ac
 * [Try it out: Windows 10 in the classroom](../index.yml)
 * [Chromebook migration guide](./chromebook-migration-guide.md)
 * [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md)
-* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.md)
+* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.yml)
-* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.md)
+* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.yml)
-* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md)
+* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.yml)
-* [Reprovision devices at the end of the school year (video)](./index.md)
+* [Reprovision devices at the end of the school year (video)](./index.yml)
-* [Use MDT to deploy Windows 10 in a school (video)](./index.md)
+* [Use MDT to deploy Windows 10 in a school (video)](./index.yml)
-* [Use Microsoft Store for Business in a school environment (video)](./index.md)
+* [Use Microsoft Store for Business in a school environment (video)](./index.yml)
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@ -19,11 +19,6 @@ appliesto:
 # Deploy Windows 10 in a school
 **Applies to**
 - Windows 10
 This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system.
 ## Prepare for school deployment
--- a/education/windows/deploy-windows-10-overview.md
+++ b/education/windows/deploy-windows-10-overview.md
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@ -16,6 +16,8 @@ ms.reviewer:
 manager: aaroncz
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Working with Microsoft Store for Education
@ -133,18 +135,10 @@ Teachers can:
 ## Distribute apps
 Manage and distribute apps to students and others in your organization. Different options are available for admins and teachers. 
 Applies to: IT admins
 **To manage and distribute apps**
 - For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](./school-get-minecraft.md#distribute-minecraft)
 - For info on how to manage and distribute other apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business)
 Applies to: Teachers
 For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](./teacher-get-minecraft.md#distribute-minecraft). 
 **To assign an app to a student**
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@ -16,6 +16,8 @@ ms.reviewer:
 manager: aaroncz
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Get Minecraft: Education Edition
@ -24,13 +26,11 @@ appliesto:
 <iframe width="501" height="282" src="https://www.youtube-nocookie.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe>
-Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. 
+Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution. 
 <!-- ![education.minecraft.net.](images/minecraft.png) -->
 ## Prerequisites
- **Minecraft: Education Edition** requires Windows 10.
+- For a complete list of Operating Systems supported by **Minecraft: Education Edition**, see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements).
 - Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
  - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
  - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office)
@ -38,9 +38,6 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
 <!-- ![teacher.](images/teacher.png) --> 
 [Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
 <!-- ![IT administrator.](images/school.png) -->
 [Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
--- a/education/windows/images/windows-11-se.png
+++ b/education/windows/images/windows-11-se.png
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@ -0,0 +1,85 @@
 ### YamlMime:Landing
 title: Windows for Education documentation
 summary: Evaluate, plan, deploy, and manage Windows devices in an education environment
 metadata:
  title: Windows for Education documentation
  description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune
  ms.topic: landing-page
  ms.prod: windows
  ms.collection: education
  author: paolomatarazzo
  ms.author: paoloma
  ms.date: 08/10/2022
  ms.reviewer: 
  manager: aaroncz
  ms.localizationpriority: medium
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
 # Cards and links should be based on top customer tasks or top subjects
 # Start card title with a verb
  # Card (optional)
 landingContent: 
  - title: Get started
    linkLists:
      - linkListType: tutorial
        links:
        - text: Deploy and manage Windows devices in a school
          url: tutorial-school-deployment/index.md
        - text: Prepare your tenant
          url: tutorial-school-deployment/set-up-azure-ad.md
        - text: Configure settings and applications with Microsoft Intune
          url: tutorial-school-deployment/configure-devices-overview.md
        - text: Manage devices with Microsoft Intune
          url: tutorial-school-deployment/manage-overview.md
        - text: Management functionalities for Surface devices
          url: tutorial-school-deployment/manage-surface-devices.md     
  - title: Learn about Windows 11 SE
    linkLists:
      - linkListType: concept
        links:
        - text: What is Windows 11 SE?
          url: windows-11-se-overview.md
        - text: Windows 11 SE settings
          url: windows-11-se-settings-list.md
      - linkListType: video
        links:
        - text: Deploy Windows 11 SE using Set up School PCs
          url: https://www.youtube.com/watch?v=Ql2fbiOop7c
  - title: Deploy devices with Set up School PCs
    linkLists:
      - linkListType: concept
        links:
        - text: What is Set up School PCs?
          url: set-up-school-pcs-technical.md
      - linkListType: how-to-guide
        links:
        - text: Use the Set up School PCs app
          url: use-set-up-school-pcs-app.md
      - linkListType: reference
        links:
        - text: Provisioning package settings
          url: set-up-school-pcs-provisioning-package.md
      - linkListType: video
        links:
        - text: Use the Set up School PCs App
          url: https://www.youtube.com/watch?v=2ZLup_-PhkA
  - title: Configure devices
    linkLists:
      - linkListType: concept
        links:
        - text: Take tests and assessments
          url: take-tests-in-windows-10.md
        - text: Change Windows editions
          url: change-home-to-edu.md
        - text: "Deploy Minecraft: Education Edition"
          url: get-minecraft-for-education.md
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@ -15,6 +15,8 @@ ms.reviewer:
 manager: aaroncz
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Set up Take a Test on multiple PCs
@ -114,8 +116,6 @@ You can configure a dedicated testing account through MDM or Configuration Manag
    - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI
    - **String value** = *assessment URL*
      See [Assessment URLs](#assessment-urls) for more information.
 4. Create a policy that associates the assessment URL to the account using the following values:
    - **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/TesterAccount
@ -263,15 +263,9 @@ You can also distribute the test link by creating a shortcut. To create the shor
 Once the shortcut is created, you can copy it and distribute it to students.
 ## Assessment URLs
 This assessment URL uses our lockdown API:
 - SBAC/AIR:  [https://mobile.tds.airast.org/launchpad/](https://mobile.tds.airast.org/launchpad/).
 ## Related topics
-[Take tests in Windows 10](take-tests-in-windows-10.md)
+[Take tests in Windows](take-tests-in-windows-10.md)
 [Set up Take a Test on a single PC](take-a-test-single-pc.md)
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@ -15,6 +15,8 @@ ms.reviewer:
 manager: aaroncz
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Set up Take a Test on a single PC
@ -23,7 +25,7 @@ To configure [Take a Test](take-tests-in-windows-10.md) on a single PC, follow t
 ## Set up a dedicated test account
 To configure the assessment URL and a dedicated testing account on a single PC, follow these steps.
-1. Sign into the Windows 10 device with an administrator account.
+1. Sign into the Windows device with an administrator account.
 2. Open the **Settings** app and go to **Accounts > Access work or school**.
 3. Click **Set up an account for taking tests**.
@ -127,7 +129,7 @@ Once the shortcut is created, you can copy it and distribute it to students.
 ## Related topics
-[Take tests in Windows 10](take-tests-in-windows-10.md)
+[Take tests in Windows](take-tests-in-windows-10.md)
 [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@ -1,5 +1,5 @@
 ---
-title: Take tests in Windows 10
+title: Take tests in Windows
 description: Learn how to set up and use the Take a Test app.
 keywords: take a test, test taking, school, how to, use Take a Test
 ms.prod: windows
@ -15,11 +15,13 @@ ms.reviewer:
 manager: aaroncz
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
-# Take tests in Windows 10
+# Take tests in Windows
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10 creates the right environment for taking a test:
+Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows creates the right environment for taking a test:
 - Take a Test shows just the test and nothing else.
 - Take a Test clears the clipboard.
@ -46,7 +48,7 @@ There are several ways to configure devices for assessments, depending on your u
  - **For a single PC**
-      You can use the Windows 10 **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
+      You can use the Windows **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
  - **For multiple PCs**
@ -55,7 +57,7 @@ There are several ways to configure devices for assessments, depending on your u
    - A provisioning package created in Windows Configuration Designer
    - Group Policy to deploy a scheduled task that runs a Powershell script
-      Beginning with Windows 10 Creators Update (version 1703), you can also configure Take a Test using these options:
+      You can also configure Take a Test using these options:
    - Set up School PCs app
    - Intune for Education
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@ -16,160 +16,34 @@ ms.reviewer:
 manager: aaroncz
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # For teachers - get Minecraft: Education Edition
-The following article describes how teachers can get and distribute Minecraft: Education Edition. 
+The following article describes how teachers can get and distribute Minecraft: Education Edition at their school. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the [Microsoft Admin Center by IT Admins](/education/windows/school-get-minecraft), via volume licensing agreements and through partner resellers. 
 Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers.
 To get started, go to https://education.minecraft.net/ and select **GET STARTED**.
 ## Try Minecraft: Education Edition for Free 
 Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing.
-To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**.
+To learn more and get started, [download the Minecraft: Education Edition app here.](https://aka.ms/download)
 ## Purchase Minecraft: Education Edition for Teachers and Students
-Minecraft: Education Edition is licensed via yearly subscriptions that are purchased through the Microsoft Store for Education, via volume licensing agreements and through partner resellers. 
+As a teacher, you will need to have your IT Admin purchase licenses for you and your students directly through the Microsoft Admin Center, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 subscription. 
->[!Note]
+M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly. 
 >M:EE is available on many platforms, but all license purchases can only be done through one of the three methods listed above.
 As a teacher, you may purchase subscription licenses for you and your students directly through the Microsoft Store for Education, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 account. 
 >[!Note] 
 >If you already have Office 365, you may already have Minecraft: Education Edition licenses for your school! M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly.
 You can purchase individual Minecraft: Education Edition subscriptions for you and other teachers and students directly in the Microsoft Store for Education.
 To purchase individual Minecraft: Education Edition subscriptions (that is, direct purchase):
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your Office 365 account.
 2. Click on [Minecraft: Education Edition](https://educationstore.microsoft.com/en-us/store/details/minecraft-education-edition/9nblggh4r2r6) (or use Search the Store to find it)
 3. Click **Buy**
 >[!Note]
 >Administrators can restrict the ability for teachers to purchase applications in the Microsoft Store for Education. If you do not have the ability to Buy, contact your school administration or IT administrator.
 ## Distribute Minecraft
 After Minecraft: Education Edition licenses have been purchased, either directly, through a volume license agreement or through a partner reseller, those licenses will be added to your Microsoft Store for Education. From there you have three options:
 - You can install the app on your PC.
 - You can assign the app to others.  
 - You can download the app to distribute. 
 <!-- ![App distribution options.](images/mc-install-for-me-teacher.png) -->
 ### Install for me
 You can install the app on your PC. This gives you a chance to work with the app before using it with your students.   
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**, and then click **Install**.
    <!-- ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -->
 3. Click **Install**. 
 ### Assign to others
 Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. 
 **To assign to others**
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**.
    <!-- ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -->
 3. Click **Invite people**.
 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
   ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png)
   You can assign the app to students with work or school accounts. </br>
   If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin. 
 **To finish Minecraft install (for students)**
 Students will receive an email with a link that will install the app on their PC.
 ![Email with Get the app link.](images/minecraft-student-install-email.png)
 1. Click **Get the app** to start the app install in Microsoft Store app. 
 2. In Microsoft Store app, click **Install**. 
     ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png)
      After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**.
    ![Microsoft Store app directing the navigation to My Library.](images/minecraft-private-store.png) 
      When students click **My Library** they'll find apps assigned to them.
    ![My Library for example student.](images/minecraft-my-library.png)  
 ### Download for others
 Download for others allows teachers or IT admins to download packages that they can install on student PCs. This option will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
 - You have administrative permissions to install apps on the PC. 
 - You want to install this app on each of your student's Windows 10 (at least version 1511) PCs. 
 - Your students share Windows 10 computers, but sign in with their own Windows account. 
 #### Requirements
 - Administrative permissions are required on the PC. If you don't have the correct permissions, you won't be able to install the app. 
 - Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition.
 #### Check for updates
 Minecraft: Education Edition won't install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps. 
 **To check for app updates**
 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
 2. Click the account button, and then click **Downloads and updates**.
      ![Microsoft Store app displaying the navigation to the My Library option.](images/minecraft-private-store.png)
 3. Click **Check for updates**, and install all available updates. 
      ![Microsoft Store app directing the navigation to the My Library submenu item.](images/mc-check-for-updates.png)
 4. Restart the computer before installing Minecraft: Education Edition. 
 #### To download for others
 You'll download a .zip file, extract the files, and then use one of the files to install Minecraft: Education Edition on each PC. 
 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
    ![Microsoft Store app depicting the navigation path to the My Library option.](images/mc-dnld-others-teacher.png)
 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This downloaded location is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.  
 4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. 
 5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install.
 6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use.
 #### Troubleshoot 
-If you ran **InstallMinecraftEducationEdition.bat** and Minecraft: Education Edition isn't available, there are a few things that might have happened.  
+If you're having trouble installing the app, you can get more help on our [Support page](https://aka.ms/minecraftedusupport). 
 | Problem | Possible cause | Solution |
 |---------|----------------|----------|
 | Script ran, but it doesn't look like the app installed. | There might be pending app updates. | Check for app updates (see steps earlier in this topic). </br> Install updates. </br> Restart PC.  </br> Run **InstallMinecraftEducationEdition.bat** again.  | 
 | App won't install. | AppLocker is configured and preventing app installs.  |      Contact IT Admin.  | 
 | App won't install. | Policy prevents users from installing apps on the PC. |  Contact IT Admin. | 
 | Script starts, but stops quickly. | Policy prevents scripts from running on the PC.  | Contact IT Admin. |
 | App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app won't be available.| Restart PC. </br> Run **InstallMinecraftEducationEdition.bat** again. </br> If a restart doesn't work, contact your IT Admin.  | 
 If you're still having trouble installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757). 
 ## Related topics
 [Working with Microsoft Store for Education](education-scenarios-store-for-business.md) </br>
 Learn about overall Microsoft Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
 [Get Minecraft: Education Edition](get-minecraft-for-education.md)
 [For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)
--- a/education/windows/tutorial-school-deployment/configure-device-apps.md
+++ b/education/windows/tutorial-school-deployment/configure-device-apps.md
@ -0,0 +1,99 @@
 ---
 title: Configure applications with Microsoft Intune
 description: Configure applications with Microsoft Intune in preparation to device deployment
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Configure applications with Microsoft Intune
 With Intune for Education, school IT administrators have access to diverse applications to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education.
 Applications can be assigned to groups:
 - If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into
 - If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in
 In this section you will:
 > [!div class="checklist"]
 > * Add apps to Intune for Education
 > * Assign apps to groups
 > * Review some considerations for Windows 11 SE devices
 ## Add apps to Intune for Education
 Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**.
 :::image type="content" source="./images/intune-education-apps.png" alt-text="Intune for Education - Apps" lightbox="./images/intune-education-apps.png" border="true":::
 ### Desktop apps
 The addition of desktop applications to Intune should be carried out by repackaging the apps, and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
 ### Web apps
 To create web applications in Intune for Education:
 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
 1. Select **Apps**
 1. Select **New app** > **New web app**
 1. Provide a URL for the web app, a name and, optionally, an icon and description
 1. Select **Save**
 For more information, see [Add web apps][INT-2].
 ## Assign apps to groups
 To assign applications to a group of users or devices:
 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
 1. Select **Groups** > Pick a group to manage
 1. Select **Apps**
 1. Select either **Web apps** or **Windows apps**
 1. Select the apps you want to assign to the group > Save
 ## Considerations for Windows 11 SE
 Windows 11 SE supports all web applications and a *curated list* of desktop applications.
 You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list][EDU-1].
 The process to add Win32 applications to Intune is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
 > [!NOTE]
 > If the applications you need aren't included in the list, anyone in your school district can submit an application request at <a href="https://edusupport.microsoft.com/support?product_id=win11se" target="_blank"><u>Microsoft Education Support</u></a>.
 > [!CAUTION]
 > If you assign an app to a device running **Windows 11 SE** and receive the **0x87D300D9** error code with a **Failed** state:
 > - Be sure the app is on the [<u>approved app list</u>][EDU-1]
 > - If you submitted a request to add your own app and it was approved, check that the app meets package requirements
 > - If the app is not approved, it will not run on Windows 11 SE. In this case, you will have to verify if the app can run in a web browser, such as a web app or PWA
 ________________________________________________________
 ## Next steps
 With the applications configured, you can now deploy students' and teachers' devices.
 > [!div class="nextstepaction"]
 > [Next: Deploy devices >](enroll-overview.md)
 <!-- Reference links in article -->
 [EDU-1]: /education/windows/windows-11-se-overview
 [MEM-1]: /mem/intune/apps/apps-win32-add
 [INT-1]: /intune-education/express-configuration-intune-edu
 [INT-2]: /intune-education/add-web-apps-edu
--- a/education/windows/tutorial-school-deployment/configure-device-settings.md
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@ -0,0 +1,142 @@
 ---
 title: Configure and secure devices with Microsoft Intune
 description: Configure policies with Microsoft Intune in preparation to device deployment
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Configure and secure devices with Microsoft Intune
 With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies.
 For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel.
 Settings can be assigned to groups:
 - If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to
 - If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices
 There are two ways to manage settings in Intune for Education:
 - **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments
 - **Group settings.** This option is used to configure all settings that are offered by Intune for Education
 > [!NOTE]
 > Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices.
 In this section you will:
 > [!div class="checklist"]
 > * Configure settings with Express Configuration
 > * Configure group settings
 > * Create Windows Update policies
 > * Configure security policies
 ## Configure settings with Express Configuration
 With Express Configuration, you can get Intune for Education up and running in just a few steps. You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools.
 > [!TIP]
 > To learn more, and practice step-by-step Express Configuration in Intune for Education, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/deploy-apps-and-policies" target="_blank"><u>this interactive demo</u></a>.
 ## Configure group settings
 Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings:
 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
 1. Select **Groups** > Pick a group to manage
 1. Select **Windows device settings**
 1. Expand the different categories and review information about individual settings
 Settings that are commonly configured for student devices include:
 - Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7]
 - Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8]
 - Enablement of the integrated testing and assessment solution *Take a test*. See: [Add Take a Test profile][INT-9]
 For more information, see [Windows device settings in Intune for Education][INT-3].
 ## Create Windows Update policies
 It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education.
 To create a Windows Update policy:
 1. Select **Groups** > Pick a group to manage
 1. Select **Windows device settings**
 1. Expand the category **Update and upgrade**
 1. Configure the required settings as needed
 For more information, see [Updates and upgrade][INT-6].
 > [!NOTE]
 > If you require a more complex Windows Update policy, you can create it in Microsoft Endpoint Manager. For more information:
 > - [<u>What is Windows Update for Business?</u>][WIN-1]
 > - [<u>Manage Windows software updates in Intune</u>][MEM-1]
 ## Configure security policies
 It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows.
 Intune for Education provides different settings to secure devices.
 To create a security policy:
 1. Select **Groups** > Pick a group to manage
 1. Select **Windows device settings**
 1. Expand the category **Security**
 1. Configure the required settings as needed, including
    - Windows Defender
    - Windows Encryption
    - Windows SmartScreen
 For more information, see [Security][INT-4].
 > [!NOTE]
 > If you require more sophisticated security policies, you can create them in Microsoft Endpoint Manager. For more information:
 > - [<u>Antivirus</u>][MEM-2]
 > - [<u>Disk encryption</u>][MEM-3]
 > - [<u>Firewall</u>][MEM-4]
 > - [<u>Endpoint detection and response</u>][MEM-5]
 > - [<u>Attack surface reduction</u>][MEM-6]
 > - [<u>Account protection</u>][MEM-7]
 ________________________________________________________
 ## Next steps
 With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices.
 > [!div class="nextstepaction"]
 > [Next: Configure applications >](configure-device-apps.md)
 <!-- Reference links in article -->
 [EDU-1]: /education/windows/windows-11-se-overview
 [INT-2]: /intune-education/express-configuration-intune-edu
 [INT-3]: /intune-education/all-edu-settings-windows
 [INT-4]: /intune-education/all-edu-settings-windows#security
 [INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade
 [INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop
 [INT-8]: /intune-education/add-wi-fi-profile
 [INT-9]: /intune-education/take-a-test-profiles
 [WIN-1]: /windows/deployment/update/waas-manage-updates-wufb
 [MEM-1]: /mem/intune/protect/windows-update-for-business-configure
 [MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy
 [MEM-3]: /mem/intune/protect/encrypt-devices
 [MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy
 [MEM-5]: /mem/intune/protect/endpoint-security-edr-policy
 [MEM-6]: /mem/intune/protect/endpoint-security-asr-policy
 [MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md
+++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md
@ -0,0 +1,70 @@
 ---
 title: Configure devices with Microsoft Intune
 description: Configure policies and applications in preparation to device deployment
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Configure settings and applications with Microsoft Intune
 Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune.
 Microsoft Intune uses Azure AD groups to assign policies and applications to devices.
 With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them.
 In this section you will:
 > [!div class="checklist"]
 > * Create groups
 > * Create and assign policies to groups
 > * Create and assign applications to groups
 ## Create groups
 By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need.
 By default, Intune for Education creates two default groups: *All devices* and *All users*.
 Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school.
 :::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true":::
 Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to.
 Two group types can be created:
 - **Assigned groups** are used when you want to manually add users or devices to a group
 - **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups
 > [!TIP]
 > If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution.
 For more information, see:
 - [Create groups in Intune for Education][EDU-1]
 - [Manually add or remove users and devices to an existing assigned group][EDU-2]
 - [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3]
 ________________________________________________________
 ## Next steps
 With the groups created, you can configure policies and applications to deploy to your groups.
 > [!div class="nextstepaction"]
 > [Next: Configure policies >](configure-device-settings.md)
 <!-- Reference links in article -->
 [EDU-1]: /intune-education/create-groups
 [EDU-2]: /intune-education/edit-groups-intune-for-edu
 [EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules
--- a/education/windows/tutorial-school-deployment/enroll-aadj.md
+++ b/education/windows/tutorial-school-deployment/enroll-aadj.md
@ -0,0 +1,42 @@
 ---
 title: Enrollment in Intune with standard out-of-box experience (OOBE)
 description: how to join Azure AD for OOBE and automatically get the device enrolled in Intune
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Automatic Intune enrollment via Azure AD join
 If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Azure Active Directory tenant, and automatically enroll it in Intune.
 With this process, no advance preparation is needed:
 1. Follow the on-screen prompts for region selection, keyboard selection, and network connection
 1. Wait for updates. If any updates are available, they'll be installed at this time
  :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true":::
 1. When prompted, select **Set up for work or school** and authenticate using your school's Azure Active Directory account
  :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true":::
 1. The device will join Azure AD and automatically enroll in Intune. All settings defined in Intune will be applied to the device
 > [!IMPORTANT]
 > If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot.
 :::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
 ________________________________________________________
 ## Next steps
 With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
 > [!div class="nextstepaction"]
 > [Next: Manage devices >](manage-overview.md)
--- a/education/windows/tutorial-school-deployment/enroll-autopilot.md
+++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md
@ -0,0 +1,160 @@
 ---
 title: Enrollment in Intune with Windows Autopilot
 description: how to join Azure AD and enroll in Intune using Windows Autopilot
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Windows Autopilot
 Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices.
 Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services.
 From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated.
 ## Prerequisites
 Before setting up Windows Autopilot, consider these prerequisites:
 - **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot
 - **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices
 - **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1]
 > [!NOTE]
 > Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [<u>Microsoft Intune</u>][INT-1] and [<u>Microsoft 365</u>][M365-1].
 ## Register devices to Windows Autopilot
 Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot:
 - **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2]
    > [!NOTE]
    > For **Microsoft Surface registration**, collect the details shown in this [<u>documentation table</u>][SURF-1] and follow the instruction to submit the request form to Microsoft Support.
 - **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5]
    > [!TIP]
    > Try the <a href="https://cloudpartners.transform.microsoft.com/resources/autopilot-in-edu-setup-english" target="_blank"><u>Microsoft Partner Center clickable demo</u></a>, which provides detailed steps to establish a partner relationship and register devices.
 - **Manual registration.** To manually register a device, you must first capture its hardware hash. Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6]
    > [!IMPORTANT]
    > **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices.
 ## Create groups for Autopilot devices
 **Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices.
 For this task, it's recommended to create dynamic device groups using Autopilot attributes.
 Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag:
 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
 1. Select **Groups** > **Create group**
 1. Specify a **Group name** and select **Dynamic**
 1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value
 1. Select **Create group**
    :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true":::
 More advanced dynamic membership rules can be created from Microsoft Endpoint Manager admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3].
 > [!TIP]
 > You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings.
 ## Create Autopilot deployment profiles
 For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices.
 A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be:
 1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Azure AD join process during OOBE
 1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Azure AD join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode.
 To create an Autopilot deployment profile:
 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
 1. Select **Groups** > Select a group from the list
 1. Select **Windows device settings**
 1. Expand the **Enrolment** category
 1. From **Configure Autopilot deployment profile for device** select **User-driven**
 1. Ensure that **User account type** is configured as **Standard**
 1. Select **Save**
 While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Endpoint Manager admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4].
 ### Configure an Enrollment Status Page
 An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status.
 :::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." border="false":::
 > [!NOTE]
 > Some Windows Autopilot deployment profiles **require** the ESP to be configured.
 To deploy the ESP to devices, you need to create an ESP profile in Microsoft Endpoint Manager.
 > [!TIP]
 > While testing the deployment process, you can configure the ESP to:
 > - allow the reset of the devices in case the installation fails
 > - allow the use of the  device if installation error occurs
 >
 > This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing.
 For more information, see [Set up the Enrollment Status Page][MEM-3].
 > [!CAUTION]
 > When targeting an ESP to **Windows 11 SE** devices, only applications included in the [<u>approved app list</u>][EDU-1] should part of the ESP configuration.
 ### Autopilot end-user experience
 Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection.
 When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows:
 1. Identify the language and region
 1. Select the keyboard layout and decide on the option for a second keyboard layout
 1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step
 1. Apply updates: the device will look for and apply required updates
 1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur
 1. The user authenticates to Azure AD, using the school account
 1. The device joins Azure AD, enrolls in Intune and all the settings and applications are configured
 > [!NOTE]
 > Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection.
 :::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
 ________________________________________________________
 ## Next steps
 With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
 > [!div class="nextstepaction"]
 > [Next: Manage devices >](manage-overview.md)
 <!-- Reference links in article -->
 [MEM-1]: /mem/intune/fundamentals/intune-endpoints
 [MEM-2]: /mem/autopilot/oem-registration
 [MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune
 [MEM-4]: /mem/autopilot/profiles
 [MEM-5]: /mem/autopilot/partner-registration
 [MEM-6]: /mem/autopilot/add-devices
 [WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements
 [MSFT-1]: https://partner.microsoft.com/
 [INT-1]: /intune/network-bandwidth-use
 [M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
 [EDU-1]: /education/windows/windows-11-se-overview
 [EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
 [SURF-1]: /surface/surface-autopilot-registration-support
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md
@ -0,0 +1,48 @@
 ---
 title: Device enrollment overview
 description: Options to enroll Windows devices in Microsoft Intune
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: overview
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Device enrollment overview
 There are three main methods for joining Windows devices to Azure AD and getting them enrolled and managed by Intune:
 - **Automatic Intune enrollment via Azure AD join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Azure AD. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices
 - **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join an Azure AD tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience
 - **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users
 ## Choose the enrollment method
 **Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments.
 This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies.
 :::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
 Select one of the following options to learn the next steps about the enrollment method you chose:
 > [!div class="nextstepaction"]
 > [Next: Automatic Intune enrollment via Azure AD join >](enroll-aadj.md)
 > [!div class="nextstepaction"]
 > [Next: Bulk enrollment with provisioning packages >](enroll-package.md)
 > [!div class="nextstepaction"]
 > [Next: Enroll devices with Windows Autopilot >](enroll-autopilot.md)
 <!-- Reference links in article -->
 [INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot
--- a/education/windows/tutorial-school-deployment/enroll-package.md
+++ b/education/windows/tutorial-school-deployment/enroll-package.md
@ -0,0 +1,76 @@
 ---
 title: Enrollment of Windows devices with provisioning packages
 description: options how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Enrollment with provisioning packages
 Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are:
 - There are no particular hardware dependencies on the devices to complete the enrollment process
 - Devices don't need to be registered in advance
 - Enrollment is a simple task: just open a provisioning package and the process is automated
 You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections.
 ## Set up School PCs
 With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Azure AD join and Intune enrollment process.
 ### Create a provisioning package
 The Set Up School PCs app guides you through configuration choices for school-owned devices.
 :::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false":::
 > [!CAUTION]
 > If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page.
 Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios.
 For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1].
 > [!TIP]
 > To learn more and practice with Set up School PCs, try the <a href="https://www.microsoft.com/en-us/education/interactive-demos/enroll-devices-at-scale" target="_blank"><u>Set Up School PCs demo</u></a>, which provides detailed steps to create a provisioning package and deploy a device.
 ## Windows Configuration Designer
 Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package.
 :::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false":::
 For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use.
 ## Enroll devices with the provisioning package
 To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune.
 All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use.
 :::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
 ________________________________________________________
 ## Next steps
 With the devices joined to Azure AD tenant and managed by Intune, you can use Intune to maintain them and report on their status.
 > [!div class="nextstepaction"]
 > [Next: Manage devices >](manage-overview.md)
 <!-- Reference links in article -->
 [EDU-1]: /education/windows/use-set-up-school-pcs-app
 [WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd
--- a/education/windows/tutorial-school-deployment/images/advanced-support.png
+++ b/education/windows/tutorial-school-deployment/images/advanced-support.png
--- a/education/windows/tutorial-school-deployment/images/configure.png
+++ b/education/windows/tutorial-school-deployment/images/configure.png
--- a/education/windows/tutorial-school-deployment/images/device-lifecycle.png
+++ b/education/windows/tutorial-school-deployment/images/device-lifecycle.png
--- a/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png
+++ b/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png
--- a/education/windows/tutorial-school-deployment/images/dfci-profile.png
+++ b/education/windows/tutorial-school-deployment/images/dfci-profile.png
--- a/education/windows/tutorial-school-deployment/images/enroll.png
+++ b/education/windows/tutorial-school-deployment/images/enroll.png
--- a/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png
+++ b/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png
--- a/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png
+++ b/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png
--- a/education/windows/tutorial-school-deployment/images/entra-branding.png
+++ b/education/windows/tutorial-school-deployment/images/entra-branding.png
--- a/education/windows/tutorial-school-deployment/images/entra-device-settings.png
+++ b/education/windows/tutorial-school-deployment/images/entra-device-settings.png
--- a/education/windows/tutorial-school-deployment/images/entra-tenant-name.png
+++ b/education/windows/tutorial-school-deployment/images/entra-tenant-name.png
--- a/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png
+++ b/education/windows/tutorial-school-deployment/images/i4e-autopilot-reset.png
--- a/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png
+++ b/education/windows/tutorial-school-deployment/images/i4e-factory-reset.png
--- a/education/windows/tutorial-school-deployment/images/intune-diagnostics.png
+++ b/education/windows/tutorial-school-deployment/images/intune-diagnostics.png
--- a/education/windows/tutorial-school-deployment/images/intune-education-apps.png
+++ b/education/windows/tutorial-school-deployment/images/intune-education-apps.png
--- a/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png
+++ b/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png
--- a/education/windows/tutorial-school-deployment/images/intune-education-groups.png
+++ b/education/windows/tutorial-school-deployment/images/intune-education-groups.png
--- a/education/windows/tutorial-school-deployment/images/intune-education-portal.png
+++ b/education/windows/tutorial-school-deployment/images/intune-education-portal.png
--- a/education/windows/tutorial-school-deployment/images/inventory-reporting.png
+++ b/education/windows/tutorial-school-deployment/images/inventory-reporting.png
--- a/education/windows/tutorial-school-deployment/images/m365-admin-center.png
+++ b/education/windows/tutorial-school-deployment/images/m365-admin-center.png
--- a/education/windows/tutorial-school-deployment/images/protect-manage.png
+++ b/education/windows/tutorial-school-deployment/images/protect-manage.png
--- a/education/windows/tutorial-school-deployment/images/remote-actions.png
+++ b/education/windows/tutorial-school-deployment/images/remote-actions.png
--- a/education/windows/tutorial-school-deployment/images/retire.png
+++ b/education/windows/tutorial-school-deployment/images/retire.png
--- a/education/windows/tutorial-school-deployment/images/supcs-win11se.png
+++ b/education/windows/tutorial-school-deployment/images/supcs-win11se.png
--- a/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png
+++ b/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png
--- a/education/windows/tutorial-school-deployment/images/surface-management-portal.png
+++ b/education/windows/tutorial-school-deployment/images/surface-management-portal.png
--- a/education/windows/tutorial-school-deployment/images/wcd.png
+++ b/education/windows/tutorial-school-deployment/images/wcd.png
--- a/education/windows/tutorial-school-deployment/images/whfb-disable.png
+++ b/education/windows/tutorial-school-deployment/images/whfb-disable.png
--- a/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png
+++ b/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png
--- a/education/windows/tutorial-school-deployment/images/win11-login-screen.png
+++ b/education/windows/tutorial-school-deployment/images/win11-login-screen.png
--- a/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png
+++ b/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png
--- a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif
+++ b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif
--- a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif
+++ b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif
--- a/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png
+++ b/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png
--- a/education/windows/tutorial-school-deployment/images/win11-wipe.png
+++ b/education/windows/tutorial-school-deployment/images/win11-wipe.png
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@ -0,0 +1,87 @@
 ---
 title: Introduction
 description: Introduction to deployment and management of Windows devices in education environments
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 ---
 # Tutorial: deploy and manage Windows devices in a school
 This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment.
 ## Audience and user requirements
 This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including:  
 - School leaders
 - IT administrators
 - Teachers
 - Microsoft partners
 This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**.
 > [!NOTE]
 > Depending on your school setup scenario, you may not need to implement all steps.
 ## Device lifecycle management
 Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management.
 Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Endpoint Manager (MEM). With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices.
 Microsoft Endpoint Manager services include:
 - [Microsoft Intune][MEM-1]
 - [Microsoft Intune for Education][INT-1]
 - [Configuration Manager][MEM-2]
 - [Desktop Analytics][MEM-3]
 - [Windows Autopilot][MEM-4]
 - [Surface Management Portal][MEM-5]
 These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk.
 ## Why Intune for Education?
 Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point.
 From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle:
 :::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false":::
 - **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Azure AD tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies
 - **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator
 - **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates
 - **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. In this document, we cover different device return and exchange scenarios
 ## Four pillars of modern device management
 In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management:
 - **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Azure Active Directory, as the foundation for user identity and authentication
 - **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence  
 - **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
 - **Device reset:** Resetting managed devices with Intune for Education
 ________________________________________________________
 ## Next steps
 Let's begin with the creation and configuration of your Azure AD tenant and Intune environment.
 > [!div class="nextstepaction"]
 > [Next: Set up Azure Active Directory >](set-up-azure-ad.md)
 <!-- Reference links in article -->
 [MEM-1]: /mem/intune/fundamentals/what-is-intune
 [MEM-2]: /mem/configmgr/core/understand/introduction
 [MEM-3]: /mem/configmgr/desktop-analytics/overview
 [MEM-4]: /mem/autopilot/windows-autopilot
 [MEM-5]: /mem/autopilot/dfci-management
 [INT-1]: /intune-education/what-is-intune-for-education
--- a/education/windows/tutorial-school-deployment/manage-overview.md
+++ b/education/windows/tutorial-school-deployment/manage-overview.md
@ -0,0 +1,71 @@
 ---
 title: Manage devices with Microsoft Intune
 description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. 
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Manage devices with Microsoft Intune
 Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained.
 :::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false":::
 ## Remote device management
 With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely.
 ### Remote actions
 Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device.
 :::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true":::
 With bulk actions, remote actions can be performed on multiple devices at once.
 To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1].
 ## Remote assistance
 With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices.
 For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2].
 ## Device inventory and reporting
 With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline.
 Here are the steps for generating reports in Intune for Education:
 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
 1. Select **Reports**
 1. Select between one of the report types:
    - Device inventory
    - Device actions
    - Application inventory
    - Settings errors
    - Windows Defender
    - Autopilot deployment
 1. If needed, use the search box to find specific devices, applications, and settings
 1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel.
    :::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true":::
 To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3].
 <!-- Reference links in article -->
 [EDU-1]: /intune-education/edu-device-remote-actions
 [EDU-2]: /intune-education/remote-assist-mobile-devices
 [EDU-3]: /intune-education/what-are-reports
--- a/education/windows/tutorial-school-deployment/manage-surface-devices.md
+++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md
@ -0,0 +1,54 @@
 ---
 title: Management functionalities for Surface devices
 description: Management capabilities offered to Surface devices, including firmware management and the Surface Management Portal
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Surface devices</b>
 ---
 # Management functionalities for Surface devices
 Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
 ## Manage device firmware for Surface devices
 Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices.
 DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI.
 :::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Endpoint Manager" lightbox="./images/dfci-profile-expanded.png" border="true":::
 ## Microsoft Surface Management Portal
 Located in the Microsoft Endpoint Manager admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more.
 When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities.
 To access and use the Surface Management Portal:
 1. Sign in to <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
 1. Select **All services** > **Surface Management Portal**
    :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Endpoint Manager" lightbox="./images/surface-management-portal-expanded.png" border="true":::
 1. To obtain insights for all your Surface devices, select **Monitor**
    - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
 1. To obtain details on each insights category, select **View report**
    - This dashboard displays diagnostic information that you can customize and export
 1. To obtain the device's warranty information, select **Device warranty and coverage**
 1. To review a list of support requests and their status, select **Support requests**
 <!-- Reference links in article -->
 [INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
 [MEM-1]: /mem/autopilot/dfci-management
 [SURF-1]: /surface/surface-manage-dfci-guide
--- a/education/windows/tutorial-school-deployment/reset-wipe.md
+++ b/education/windows/tutorial-school-deployment/reset-wipe.md
@ -0,0 +1,122 @@
 ---
 title: Reset and wipe Windows devices
 description: Reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Device reset options
 There are different scenarios that require a device to be reset, for example:
 - The device isn't responding to commands
 - The device is lost or stolen
 - It's the end of the life of the device
 - It's the end of the school year and you want to prepare the device for a new school year
 - The device has hardware problems and you want to send it to the service center
 :::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false":::
 Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them:
 - **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings
 - **Autopilot reset** is used to return the device to a fully configured or known IT-approved state
 ## Factory reset (wipe)
 A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management.
 Once the wipe is completed, the device will be in out-of-box experience.
 Here are the steps to perform a factory reset from Intune for Education: 
 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
 1. Select **Devices**
 1. Select the device you want to reset > **Factory reset**
 1. Select **Factory reset** to confirm the action
 :::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false":::
 Consider using factory reset in the following example scenarios:
 - The device isn't working properly, and you want to reset it without reimaging it
 - It's the end of school year and you want to prepare the device for a new school year
 - You need to reassign the device to a different student, and you want to reset the device to its original settings
 - You're returning a device to the service center, and you want to remove all data and settings from the device
 > [!TIP]
 > Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device.
 ## Autopilot Reset
 Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant.
 Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen.
 Here are the steps to perform an Autopilot reset from Intune for Education: 
 1. Sign in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank"><b>Intune for Education portal</b></a>
 1. Select **Devices**
 1. Select the device you want to reset > **Autopilot reset**
 1. Select **Autopilot reset** to confirm the action
 :::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false":::
 Consider using Autopilot reset in the following example scenarios:
 - The device isn't working properly, and you want to reset it without reimaging it
 - It's the end of school year and you want to prepare the device for a new school year
 - You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE
 > [!TIP]
 > Consider that the end user will **not** go through OOBE, and the association of the user to  the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode).
 ## Wiping and deleting a device
 There are scenarios that require a device to be deleted from your tenant, for example:
 - The device is lost or stolen
 - It's the end of the life of the device
 - The device has been replaced with a new device or has its motherboard replaced
 > [!IMPORTANT]
 > The following actions should only be performed for devices that are no longer going to be used in your tenant.
 To completely remove a device, you need to perform the following actions:
 1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1]
 1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2]
 1. Delete the device from Azure Active Directory using [these steps][MEM-3]
 ## Autopilot considerations for a motherboard replacement scenario
 Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. If a motherboard replacement is needed on an Autopilot device, it's suggested the following process:
 1. Deregister the device from Autopilot
 1. Replace the motherboard
 1. Capture a new device ID (4K HH)
 1. Re-register the device with Autopilot
    > [!IMPORTANT]
    > For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management.
 1. Reset the device
 1. Return the device
 For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
 <!-- Reference links in article -->
 [MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
 [MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
 [MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal
 [MEM-4]: /mem/autopilot/autopilot-mbr
--- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md
+++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md
@ -0,0 +1,179 @@
 ---
 title: Set up Azure Active Directory
 description: How to create and prepare your Azure AD tenant for an education environment 
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 #appliesto:
 ---
 # Set up Azure Active Directory
 The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school.
 Azure Active Directory (Azure AD), which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Azure AD for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms.
 In this section you will:
 > [!div class="checklist"]
 > * Set up a Microsoft 365 Education tenant
 > * Add users, create groups, and assign licenses
 > * Configure school branding
 > * Enable bulk enrollment
 ## Create a Microsoft 365 tenant
 If you don't already have a Microsoft 365 tenant, you'll need to create one.
 For more information, see [Create your Office 365 tenant account][M365-1]
 > [!TIP]
 > To learn more, and practice how to configure the Microsoft 365 tenant for your school, try <a href="https://www.microsoft.com/en-us/education/interactive-demos/set-up-Microsoft-365" target="_blank"><u>this interactive demo</u></a>.
 ### Explore the Microsoft 365 admin center
 The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the <a href="https://entra.microsoft.com" target="_blank"><u>Microsoft Entra admin center</u></a>, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant).
 From the Microsoft 365 admin center, you can access different administrative dashboards: Azure Active Directory, Microsoft Endpoint Manager, Intune for Education, and others:
 :::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true":::
 For more information, see [Overview of the Microsoft 365 admin center][M365-2].
 > [!NOTE]
 > Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant.
 ## Add users, create groups, and assign licenses
 With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above.
 > [!NOTE]
 > Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [<u>Azure Active Directory sync</u>](#azure-active-directory-sync) below.
 ### School Data Sync
 School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes.
 For more information, see [Overview of School Data Sync][SDS-1].
 > [!TIP]
 > To learn more and practice with School Data Sync, follow the <a href="https://interactiveguides-schooldatasync.azurewebsites.net/" target="_blank"><u>Microsoft School Data Sync demo</u></a>, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant.
 > [!NOTE]
 > You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [<u>O365-EDU-Tools GitHub site</u>](https://github.com/OfficeDev/O365-EDU-Tools).
 >
 > Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment.
 ### Azure Active Directory sync
 To integrate an on-premises directory with Azure Active Directory, you can use **Microsoft Azure Active Directory Connect** to synchronize users, groups, and other objects. Azure AD Connect lets you configure the authentication method appropriate for your school, including:
 - [Password hash synchronization][AAD-1]
 - [Pass-through authentication][AAD-2]
 - [Federated authentication][AAD-3]
 For more information, see [Set up directory synchronization for Microsoft 365][O365-1].
 ### Create users manually
 In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center.
 There are two options for adding users manually, either individually or in bulk:
 1. To add students and teachers as users in Microsoft 365 Education *individually*:
    - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
    - Select **Azure Active Directory** > **Users** > **All users** > **New user** > **Create new user**
    For more information, see [Add users and assign licenses at the same time][M365-3].
 1. To add *multiple* users to Microsoft 365 Education:
    - Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
    - Select **Azure Active Directory** > **Users** > **All users** > **Bulk operations** > **Bulk create**
 For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
 ### Create groups
 Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
 1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group**
 1. On the **New group** page, select **Group type** > **Security**
 1. Provide a group name and add members, as needed
 1. Select **Next**
 For more information, see [Create a group in the Microsoft 365 admin center][M365-5].
 ### Assign licenses
 The recommended way to assign licenses is through group-based licensing. With this method, Azure AD ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed.
 To assign a license to a group:
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
 1. Select **Azure Active Directory** > **Show More** > **Billing** > **Licenses**
 1. Select the required products that you want to assign licenses for > **Assign**
 1. Add the groups to which the licenses should be assigned
   :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png":::
 For more information, see [Group-based licensing using Azure AD admin center][AAD-4].
 ## Configure school branding
 Configuring your school branding enables a more familiar Autopilot experience to students and teachers. With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience.
 To configure your school's branding:
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
 1. Select **Azure Active Directory** > **Show More** > **User experiences** > **Company branding**
 1. You can specify brand settings like background image, logo, username hint and a sign-in page text
    :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png":::
 1. To adjust the school tenant's name displayed during OOBE, select **Azure Active Directory** > **Overview** > **Properties**
 1. In the **Name** field, enter the school district or organization's name > **Save**
    :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png":::
 For more information, see [Add branding to your directory][AAD-5].
 ## Enable bulk enrollment
 If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Azure AD tenant.
 To allow provisioning packages to complete the Azure AD Join process:
 1. Sign in to the <a href="https://entra.microsoft.com" target="_blank"><b>Microsoft Entra admin center</b></a>
 1. Select **Azure Active Directory** > **Devices** > **Device Settings**
 1. Under **Users may join devices to Azure AD**, select **All**
    > [!NOTE]
    > If it is required that only specific users can join devices to Azure AD, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users.
 1. Select Save
    :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
 ________________________________________________________
 ## Next steps
 With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune.
 > [!div class="nextstepaction"]
 > [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md)
 <!-- Reference links in article -->
 [AAD-1]: /azure/active-directory/hybrid/whatis-phs
 [AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta
 [AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis
 [AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign
 [AAD-5]: /azure/active-directory/fundamentals/customize-branding
 [M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant
 [M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview
 [M365-3]: /microsoft-365/admin/add-users/add-users
 [M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time
 [M365-5]: /microsoft-365/admin/create-groups/create-groups
 [O365-1]: /office365/enterprise/set-up-directory-synchronization
 [SDS-1]: /schooldatasync/overview-of-school-data-sync
--- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
@ -0,0 +1,104 @@
 ---
 title: Set up device management
 description: How to configure the Intune service and set up the environment for education.
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: tutorial
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 #appliesto:
 ---
 # Set up Microsoft Intune
 Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Endpoint Manager provides a collection of services that simplifies the management of devices at scale.
 Microsoft Intune is one of the services provided by Microsoft Endpoint Manager. The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments.
 :::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true":::
 **Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year.
 For more information, see [Intune for Education documentation][INT-1].
 In this section you will:
 > [!div class="checklist"]
 > * Review Intune's licensing prerequisites
 > * Configure the Intune service for education devices
 ## Prerequisites
 Before configuring settings with Intune for Education, consider the following prerequisites:
 - **Intune subscription.** Microsoft Intune is licensed in three ways:
  - As a standalone service
  - As part of [Enterprise Mobility + Security][MSFT-1]
  - As part of a [Microsoft 365 Education subscription][MSFT-2]
 - **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS
 For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*.
 ## Configure the Intune service for education devices
 The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts.
 ### Configure enrollment restrictions
 With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school.
 To block personally owned Windows devices from enrolling:
 1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
 1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions**
 1. Select the **Windows restrictions** tab
 1. Select **Create restriction**
 1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next**
 1. On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next**
    :::image type="content" source="./images/enrollment-restrictions.png" alt-text="Device enrollment restriction page in Microsoft Endpoint Manager admin center" lightbox="./images/enrollment-restrictions.png" border="true":::
 1. Optionally, on the **Scope tags** page, add scope tags > **Next**
 1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next**
 1. On the **Review + create** page, select **Create** to save the restriction
 For more information, see [Create a device platform restriction][MEM-2].
 ### Disable Windows Hello for Business
 Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled.
 It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices.
 To disable Windows Hello for Business at the tenant level:
 1. Sign in to the <a href="https://endpoint.microsoft.com/" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
 1. Select **Devices** > **Windows** > **Windows Enrollment**
 1. Select **Windows Hello for Business**
 1. Ensure that **Configure Windows Hello for Business** is set to **disabled**
 1. Select **Save**
 :::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="./images/whfb-disable.png":::
 For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
 ________________________________________________________
 ## Next steps
 With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices.
 > [!div class="nextstepaction"]
 > [Next: Configure devices >](configure-devices-overview.md)
 <!-- Reference links in article -->
 [MEM-1]: /mem/intune/fundamentals/licenses
 [MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set
 [MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy
 [INT-1]: /intune-education/what-is-intune-for-education
 [MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security
 [MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education
 [MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf
--- a/education/windows/tutorial-school-deployment/toc.yml
+++ b/education/windows/tutorial-school-deployment/toc.yml
@ -0,0 +1,38 @@
 items: 
  - name: Introduction
    href: index.md
  - name: 1. Prepare your tenant
    items:
      - name: Set up Azure Active Directory
        href: set-up-azure-ad.md
      - name: Set up Microsoft Intune
        href: set-up-microsoft-intune.md
  - name: 2. Configure settings and applications
    items:
      - name: Overview
        href: configure-devices-overview.md
      - name: Configure policies
        href: configure-device-settings.md
      - name: Configure applications
        href: configure-device-apps.md        
  - name: 3. Deploy devices
    items: 
      - name: Overview
        href: enroll-overview.md
      - name: Enroll devices via Azure AD join
        href: enroll-aadj.md
      - name: Enroll devices with provisioning packages
        href: enroll-package.md
      - name: Enroll devices with Windows Autopilot
        href: enroll-autopilot.md
  - name: 4. Manage devices
    items: 
      - name: Overview
        href: manage-overview.md
      - name: Management functionalities for Surface devices
        href: manage-surface-devices.md       
      - name: Reset and wipe devices
        href: reset-wipe.md
  - name: 5. Troubleshoot and get help
    href: troubleshoot-overview.md
--- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md
+++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
@ -0,0 +1,68 @@
 ---
 title: Troubleshoot Windows devices
 description: How to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other Endpoint Manager services
 ms.date: 08/31/2022
 ms.prod: windows
 ms.technology: windows
 ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 #ms.reviewer: 
 manager: aaroncz
 ms.collection: education
 appliesto:
 - ✅ <b>Windows 10</b>
 - ✅ <b>Windows 11</b>
 - ✅ <b>Windows 11 SE</b>
 ---
 # Troubleshoot Windows devices
 Microsoft Endpoint Manager provides many tools that can help you troubleshoot Windows devices.
 Here's a collection of resources to help you troubleshoot Windows devices managed by Intune:
 - [Troubleshooting device enrollment in Intune][MEM-2]
 - [Troubleshooting Windows Autopilot][MEM-9]
 - [Troubleshoot Windows Wi-Fi profiles][MEM-6]
 - [Troubleshooting policies and profiles in Microsoft Intune][MEM-5]
 - [Troubleshooting BitLocker with the Intune encryption report][MEM-4]
 - [Troubleshooting CSP custom settings][MEM-8]
 - [Troubleshooting Win32 app installations with Intune][MEM-7]
 - [Troubleshooting device actions in Intune][MEM-3]
 - [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user
  :::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true":::
 ## How to contact Microsoft Support
 Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
 Follow these steps to obtain support in Microsoft Endpoint Manager:
 - Sign in to the <a href="https://endpoint.microsoft.com" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
 - Select **Troubleshooting + support** > **Help and support**
    :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Endpoint Manager." lightbox="images/advanced-support.png":::
 - Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
 - Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests*
 - In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like:
  - Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution
  - View insights: find links to documentation that provides context and background specific to the product area or actions you've described
  - Recommended articles: browse suggested troubleshooting topics and other content related to your issue
 - If needed, use the *Contact support* pane to file an online support ticket
  > [!IMPORTANT]
  > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue.
 - To review your case history, select the **Service requests** pane. Active cases are at the top of the list, with closed issues also available for review
 For more information, see [Microsoft Endpoint Manager support page][MEM-1]
 <!-- Reference links in article -->
 [MEM-1]: /mem/get-support
 [MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune
 [MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions
 [MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center
 [MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
 [MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles
 [MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install
 [MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings
 [MEM-9]: /mem/autopilot/troubleshooting
 [MEM-10]: /mem/intune/remote-actions/collect-diagnostics
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@ -1,5 +1,5 @@
 ---
-title: What is Windows 11 SE
+title: Windows 11 SE Overview
 description: Learn more about Windows 11 SE, and the apps that are included with the operating system. Read about the features IT professionals and administrators should know about Windows 11 SE. Add and deploy your apps using Microsoft Intune for Education.
 ms.prod: windows
 ms.mktglfcycl: deploy
@ -8,36 +8,86 @@ ms.pagetype: mobile
 ms.collection: education
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/10/2022
+ms.date: 09/12/2022
 ms.reviewer: 
 manager: aaroncz
 appliesto:
 - ✅ <b>Windows 11 SE</b>
 ---
-# Windows 11 SE for Education
+# Windows 11 SE Overview
-Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately).
+Windows 11 SE is an edition of Windows that's designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
 For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
- A simplified and secure experience for students. Student privacy is prioritized.
+- A simplified and secure experience for students, where student privacy is prioritized. With a curated allowlist of applications maintained by Microsoft, Windows SE is designed to only run essential education apps
- Admins remotely manage Windows 11 SE devices using [Microsoft Intune for Education](/intune-education/what-is-intune-for-education).
+- IT admin can remotely manage Windows 11 SE devices using [Microsoft Intune for Education][INT-1]
- It's built for low-cost devices.
+- It's built for low-cost devices
- It has a curated app experience, and is designed to only run essential education apps.
+
 :::image type="content" source="./images/windows-11-se.png" alt-text="Screenshot of Windows 11 SE showing Start menu and taskbar with default layout" border="false":::
 ## Get Windows 11 SE
-Windows 11 SE is only available preinstalled on devices from OEMs. The OEM installs Windows 11 SE, and makes the devices available for you to purchase. For example, you'll be able to purchase Microsoft Surface devices with Windows 11 SE already installed.
+Windows 11 SE is only available preinstalled on devices from OEMs. OEMs install Windows 11 SE, and make the devices available for you to purchase. For example, you can purchase Microsoft Surface SE devices with Windows 11 SE already installed.
-## Available apps
+## Application types
-Windows 11 SE comes with some preinstalled apps. The following apps can also run on Windows 11 SE, and are deployed using the [Intune for Education portal](https://intuneeducation.portal.azure.com). For more information, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+The following table lists the different application types available in Windows operating systems, detailing which application types are enabled in Windows 11 SE.
 | App type | Description | Enabled | Note|
 | --- | --- | :---: | ---|
 |Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
 | Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
 |Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.|
 |Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.|
 > [!IMPORTANT]
 > If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
 ## Applications included in Windows 11 SE
 The following table lists all the applications included in Windows 11 SE and the pinning to either the Start menu or to the taskbar.
 | App name                     | App type | Pinned to Start? | Pinned to taskbar? |
 |:-----------------------------|:--------:|:----------------:|:------------------:|
 | Alarm & Clock                | UWP      |                  |                    |
 | Calculator                   | UWP      | ✅              |                    |
 | Camera                       | UWP      | ✅              |                    |
 | Microsoft Edge               | Win32    | ✅              | ✅                 |
 | Excel                        | Win32    | ✅              |                    |
 | Feedback Hub                 | UWP      |                  |                    |
 | File Explorer                | Win32    |                  | ✅                |
 | FlipGrid                     | PWA      |                  |                    |
 | Get Help                     | UWP      |                  |                    |
 | Groove Music                 | UWP      | ✅              |                    |
 | Maps                         | UWP      |                  |                    |
 | Minecraft: Education Edition | UWP      |                  |                    |
 | Movies & TV                  | UWP      |                  |                    |
 | News                         | UWP      |                  |                    |
 | Notepad                      | Win32    |                  |                    |
 | OneDrive                     | Win32    |                  |                    |
 | OneNote                      | Win32    | ✅              |                    |
 | Outlook                      | PWA      | ✅              |                    |
 | Paint                        | Win32    | ✅              |                    |
 | Photos                       | UWP      |                  |                    |
 | PowerPoint                   | Win32    | ✅              |                    |
 | Settings                     | UWP      | ✅              |                    |
 | Snip & Sketch                | UWP      |                  |                    |
 | Sticky Notes                 | UWP      |                  |                    |
 | Teams                        | Win32    | ✅              |                    |
 | To Do                        | UWP      |                  |                    |
 | Whiteboard                   | UWP      | ✅              |                    |
 | Word                         | Win32    | ✅              |                    |
 ## Available applications
 The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1]
 | Application                             | Supported version | App Type | Vendor                       |
-| --- | --- | --- | --- |
+|-----------------------------------------|-------------------|----------|------------------------------|
 | AirSecure                               | 8.0.0             | Win32    | AIR                          |
 | Alertus Desktop                         | 5.4.44.0          | Win32    | Alertus technologies         |
 | Brave Browser                           | 1.34.80           | Win32    | Brave                        |
 | Bulb Digital Portfolio                  | 0.0.7.0           | Store    | Bulb                         |
 | Cisco Umbrella                          | 3.0.110.0         | Win32    | Cisco                        |
@ -52,31 +102,35 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
 | eTests                                  | 4.0.25            | Win32    | CASAS                        |
 | FortiClient                             | 7.0.1.0083        | Win32    | Fortinet                     |
 | Free NaturalReader                      | 16.1.2            | Win32    | Natural Soft                 |
 | Ghotit Real Writer & Reader             | 10.14.2.3         | Win32    | Ghotit Ltd                   |
 | GoGuardian                              | 1.4.4             | Win32    | GoGuardian                   |
 | Google Chrome                           | 102.0.5005.115    | Win32    | Google                       |
 | Illuminate Lockdown Browser             | 2.0.5             | Win32    | Illuminate Education         |
 | Immunet                                 | 7.5.0.20795       | Win32    | Immunet                      |
 | Impero Backdrop Client                  | 4.4.86            | Win32    | Impero Software              |
 | JAWS for Windows                        | 2022.2112.24      | Win32    | Freedom Scientific           |
 | Kite Student Portal                     | 8.0.3.0           | Win32    | Dynamic Learning Maps        |
 | Kortext                                 | 2.3.433.0         | Store    | Kortext                      |
 | Kurzweil 3000 Assistive Learning        | 20.13.0000        | Win32    | Kurzweil Educational Systems |
 | LanSchool                               | 9.1.0.46          | Win32    | Stoneware                    |
-|Lightspeed Smart Agent                	|2.6.2	    |Win32    |Lightspeed Systems|
+| Lightspeed Smart Agent                  | 1.9.1             | Win32    | Lightspeed Systems           |
 | MetaMoJi ClassRoom                      | 3.12.4.0          | Store    | MetaMoJi Corporation         |
 | Microsoft Connect                       | 10.0.22000.1      | Store    | Microsoft                    |
 | Mozilla Firefox                         | 99.0.1            | Win32    | Mozilla                      |
 | NAPLAN                                  | 2.5.0             | Win32    | NAP                          |
 | Netref Student                          | 22.2.0            | Win32    | NetRef                       |
 | NetSupport Manager                      | 12.01.0011        | Win32    | NetSupport                   |
 | NetSupport Notify                       | 5.10.1.215        | Win32    | NetSupport                   |
 | NetSupport School                       | 14.00.0011        | Win32    | NetSupport                   |
 | NextUp Talker                           | 1.0.49            | Win32    | NextUp Technologies          |
 | NonVisual Desktop Access                | 2021.3.1          | Win32    | NV Access                    |
-|NWEA Secure Testing Browser	        |5.4.300.0	 |Win32   |NWEA|
+| NWEA Secure Testing Browser             | 5.4.356.0         | Win32    | NWEA                         |
 | Pearson TestNav                         | 1.10.2.0          | Store    | Pearson                      |
 | Questar Secure Browser                  | 4.8.3.376         | Win32    | Questar, Inc                 |
 | ReadAndWriteForWindows                  | 12.0.60.0         | Win32    | Texthelp Ltd.                |
 | Remote Desktop client (MSRDC)           | 1.2.3213.0        | Win32    | Microsoft                    |
 | Remote Help                             | 3.8.0.12          | Win32    | Microsoft                    |
-|Respondus Lockdown Browser         	|2.0.8.05	 |Win32   |Respondus|
+| Respondus Lockdown Browser              | 2.0.9.00          | Win32    | Respondus                    |
 | Safe Exam Browser                       | 3.3.2.413         | Win32    | Safe Exam Browser            |
 | Secure Browser                          | 14.0.0            | Win32    | Cambium Development          |
 | Senso.Cloud                             | 2021.11.15.0      | Win32    | Senso.Cloud                  |
@ -85,53 +139,48 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
 | ZoomText Fusion                         | 2022.2109.10      | Win32    | Freedom Scientific           |
 | ZoomText Magnifier/Reader               | 2022.2109.25      | Win32    | Freedom Scientific           |
-### Enabled apps
+## Add your own applications
-| App type | Enabled |
+If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
 | --- | --- |
 | Apps that run in a browser | ✔️ Apps that run in a browser, like Progressive Web Apps (PWA) and Web apps, can run on Windows 11 SE without any changes or limitations. |
 | Apps that require installation | ❌ Apps that require an installation, including Microsoft Store apps and Win32 apps can't be installed. If students try to install these apps, the installation fails. <br/><br/>✔️ If there are specific installation-type apps you want to enable, then work with Microsoft to get them enabled. For more information, see [Add your own apps](#add-your-own-apps) (in this article). |
 ### Add your own apps
 If the apps you need aren't shown in the [available apps list](#available-apps) (in this article), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
 Microsoft reviews every app request to make sure each app meets the following requirements:
- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more.
+- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more
-
+- Apps must be in one of the following app categories:
- Apps must be in one of the following app categories:
+  - Content Filtering apps
-  - Content Filtering apps
+  - Test Taking solutions
  - Test Taking solutions
  - Assistive technologies
-  - Classroom communication apps
+  - Classroom communication apps
  - Essential diagnostics, management, and supportability apps
-
+- Apps must meet the performance [requirements of Windows 11][WIN-1]
 - Apps must meet the performance [requirements of Windows 11](/windows/whats-new/windows-11-requirements).
 - Apps must meet the following security requirements:
-  - All app binaries are code-signed.
+  - All app binaries are code-signed
-  - All files include the `OriginalFileName` in the resource file header.
+  - All files include the `OriginalFileName` in the resource file header
-  - All kernel drivers are WHQL-signed.
+  - All kernel drivers are WHQL-signed
-
+- Apps don't have an equivalent web application
- Apps don't have an equivalent web application.
+- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE
 - Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE.
 If the app meets the requirements, Microsoft works with the Independent Software Vendor (ISV) to test the app, and make sure the app works as expected on Windows 11 SE.
-When the app is ready, Microsoft will update you. Then, you add the app to the [Intune for Education portal](https://intuneeducation.portal.azure.com), and [assign](/intune-education/assign-apps) it to your Windows 11 SE devices.
+When the app is ready, Microsoft will update you. Then, you add the app to the Intune for Education portal, and assign it to your Windows 11 SE devices.
-For more information on Intune requirements for adding education apps, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1].
 ### 0x87D300D9 error with an app
 When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
- Make sure the app is on the [available apps list](#available-apps) (in this article). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-apps) (in this article).
+- Make sure the app is on the [available applications list](#available-applications). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-applications)
- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-apps) (in this article) and [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview).
+- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-applications) and [Configure applications with Microsoft Intune][EDUWIN-1]
- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-apps) (in this article). Or, use an app that runs in a web browser, such as a web app or PWA.
+- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
 ## Related articles
- [Use Intune for Education to manage devices running Windows 11 SE](/intune-education/windows-11-se-overview)
+- [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2]
 [INT-1]: /intune-education/what-is-intune-for-education
 [EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps
 [EDUWIN-2]: /education/windows/tutorial-school-deployment/
 [WIN-1]: /windows/whats-new/windows-11-requirements
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@ -8,7 +8,7 @@ ms.pagetype: mobile
 ms.collection: education
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 08/10/2022
+ms.date: 09/12/2022
 ms.reviewer: 
 manager: aaroncz
 appliesto:
@ -25,26 +25,26 @@ This article lists the settings automatically configured. For more information o
 The following table lists and describes the settings that can be changed by administrators.
-| Setting  | Description |
+| Setting  | Description | Default Value |
-| --- | --- |
+| --- | --- | --- |
-| Block manual unenrollment  | Default: Blocked <br/> <br/> Users can't unenroll their devices from device management services. <br/> <br/> [Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) |
+| Block manual unenrollment  | When blocked, users can't unenroll their devices from device management services. <br/> <br/> [Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) | Blocked |
-| Allow option to Show Network  | Default: Allowed <br/> <br/> Gives users the option to see the **Show Network** folder in File Explorer. |
+| Allow option to Show Network  | When allowed, it gives users the option to see the **Show Network** folder in File Explorer. | Allowed |
-| Allow option to Show This PC  | Default: Allowed <br/> <br/> Gives user the option to see the **Show This PC** folder in File Explorer. |
+| Allow option to Show This PC  | When allowed, it gives users the option to see the **Show This PC** folder in File Explorer. | Allowed |
-| Set Allowed Folder location  | Default folders: Documents, Desktop, Pictures, and Downloads <br/> <br/> Gives user access to these folders. |
+| Set Allowed Folder location  | Gives user access to these folders. | Default folders: Documents, Desktop, Pictures, and Downloads |
-| Set Allowed Storage Locations  | Default: Blocks local drives and network drives <br/> <br/> Blocks user access to these storage locations. |
+| Set Allowed Storage Locations  | Blocks user access to these storage locations. | Blocks local drives and network drives |
-| Allow News and Interests | Default: Hide <br/> <br/> Hides widgets. |
+| Allow News and Interests | Hides widgets. | Hide |
-| Disable advertising ID  | Default: Disabled <br/> <br/> Blocks apps from using usage data to tailor advertisements. <br/> <br/> [Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) |
+| Disable advertising ID  | Blocks apps from using usage data to tailor advertisements. <br/> <br/> [Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Disabled |
-| Visible settings pages  | Default: <br/> <br/> |
+| Visible settings pages  | Default: <br/> <br/> ||
-| Enable App Install Control  | Default: Turned On <br/><br/> Users can't download apps from the internet.<br/> <br/> [SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)|
+| Enable App Install Control  | When enabled, users can't download apps from the internet.<br/> <br/> [SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)| Enabled |
-| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days<br/> <br/> If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again. <br/> <br/> [Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) |
+| Configure Storage Sense Cloud Content Dehydration Threshold | If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again. <br/> <br/> [Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) | 30 days |
-| Allow Telemetry  | Default: Required Telemetry Only <br/> <br/> Sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date. <br/> <br/> [System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |
+| Allow Telemetry  | With *Required Telemetry Only*, it sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date. <br/> <br/> [System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Required Telemetry Only |
-| Allow Experimentation  | Default: Disabled <br/> <br/> Microsoft can't experiment with the product to study user preferences or device behavior. <br/> <br/>[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) |
+| Allow Experimentation  | When disabled, Microsoft can't experiment with the product to study user preferences or device behavior. <br/> <br/>[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) | Disabled |
-| Block external extensions  | Default: Blocked <br/> <br/> In Microsoft Edge, users can't install external extensions. <br/> <br/> [BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) |
+| Block external extensions  | When blocked, in Microsoft Edge users can't install external extensions. <br/> <br/> [BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) | Blocked |
-| Configure new tab page  | Default: `Office.com` <br/> <br/> In Microsoft Edge, the new tab page defaults to `Office.com`. <br/> <br/> [Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) |
+| Configure new tab page  | Set the new tab page defaults to a specific url. <br/> <br/> [Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) | `Office.com` |
-| Configure homepage  | Default: `Office.com` <br/> <br/> In Microsoft Edge, the homepage defaults to `Office.com`. <br/> <br/> [HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) |
+| Configure homepage  | Set the Microsoft Edge's homepage default. <br/> <br/> [HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) | `Office.com` |
-| Prevent SmartScreen prompt override  | Default: Enabled <br/> <br/> In Microsoft Edge, users can't override Windows Defender SmartScreen warnings. <br/> <br/>[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) |
+| Prevent SmartScreen prompt override  | When enabled, in Microsoft Edge, users can't override Windows Defender SmartScreen warnings. <br/> <br/>[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) | Enabled |
-| Wallpaper Image Customization  | Default: <br/> <br/> Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image. <br/> <br/>[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) |
+| Wallpaper Image Customization  | Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image. <br/> <br/>[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured |
-| Lock Screen Image Customization  | Default: <br/> <br/> Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image. <br/> <br/>[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) |
+| Lock Screen Image Customization  | Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image. <br/> <br/>[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured |
 ## Settings that can't be changed
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@ -63,7 +63,7 @@ For any other questions, contact [Microsoft Customer Service and Support](https:
 ## Related topics
 - [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
- [Windows deployment for education](./index.md)
+- [Windows deployment for education](./index.yml)
 - [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths)
 - [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10)
 - [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client)
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@ -37,10 +37,10 @@
      "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
      "uhfHeaderId": "MSDocsHeader-M365-IT",
      "ms.technology": "windows",
      "audience": "ITPro",
      "ms.topic": "article",
-      "ms.author": "elizapo",
+      "feedback_system": "GitHub",
-      "feedback_system": "None",
+      "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "MSDN.win-app-management",
@ -59,7 +59,11 @@
      ],
      "searchScope": ["Windows 10"]
    },
-    "fileMetadata": {},
+    "fileMetadata": {
      "feedback_system": {
        "app-v/**/*.*": "None"
      }
    },
    "template": [],
    "dest": "win-app-management",
    "markdownEngineName": "markdig"
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@ -18,8 +18,8 @@ ms.topic: article
 - Windows 11
 - Windows Server 2022
 ## Summary
 By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
 ## Introduction
@ -60,7 +60,6 @@ It's more difficult for users to make unauthorized copies of company data if use
 You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion.
 ## Scenario Overview
 The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
@ -90,7 +89,6 @@ This scenario, although similar to scenario #2, brings another layer of complexi
 In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
 ## Technology Review
 The following sections provide a brief overview of the core technologies discussed in this guide and give background information that is necessary to understand the scenarios.
@ -126,14 +124,14 @@ Hardware IDs are the identifiers that provide the exact match between a device a
 Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
-When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library.
+When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device).
 > [!NOTE]
 > For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.
 Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function.
-When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs.
+When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see [Device identification strings](/windows-hardware/drivers/install/device-identification-strings).
 #### Device setup classes
@ -143,7 +141,7 @@ When you use device Classes to allow or prevent users from installing drivers, y
 For example, a multi-function device, such as an all-in-one scanner/fax/printer, has a GUID for a generic multi-function device, a GUID for the printer function, a GUID for the scanner function, and so on. The GUIDs for the individual functions are "child nodes" under the multi-function device GUID. To install a child node, Windows must also be able to install the parent node. You must allow installation of the device setup class of the parent GUID for the multi-function device in addition to any child GUIDs for the printer and scanner functions.
-For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs.
+For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes).
 This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices.
@ -156,12 +154,11 @@ The following two links provide the complete list of Device Setup Classes. ‘Sy
 Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
 ### Group Policy Settings for Device Installation
 Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
-Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see Group Policy Object Editor Technical Reference.
+Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see [Group Policy Object Editor](/previous-versions/windows/desktop/Policy/group-policy-object-editor).
 The following passages are brief descriptions of the Device Installation policies that are used in this guide.
@ -213,9 +210,6 @@ Some of these policies take precedence over other policies. The flowchart shown
 ![Device Installation policies flow chart.](images/device-installation-flowchart.png)<br/>_Device Installation policies flow chart_
 ## Requirements for completing the scenarios
 ### General
@ -273,7 +267,7 @@ To find device identification strings using Device Manager
    ![Compatible ID.](images/device-installation-dm-printer-compatible-ids.png)<br/>_HWID and Compatible ID_
    > [!TIP]
-    > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs.
+    > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil).
 ### Getting device identifiers using PnPUtil
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@ -52,8 +52,11 @@ Available naming macros:
 |Macro|Description|Example|Generated Name|
 |:---|:---|:---|:---|
-|%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456|
+|`%RAND:#%`|Generates the specified number (`#`) of random digits.|`Test%RAND:6%`|`Test123456`|
-|%SERIAL%|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|Test-Device-%SERIAL%|Test-Device-456|
+|`%SERIAL%`|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|`Test-Device-%SERIAL%`|`Test-Device-456`|
 > [!NOTE]
 > If you use these naming macros, a unique name isn't guaranteed. The generated name may still be duplicated. To reduce the likelihood of a duplicated device name, use `%RAND:#%` with a large number. With the understanding that the maximum device name is 15 characters.
 Supported operation is Add.
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@ -754,7 +754,7 @@ ADMX Info:
 This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker.
-The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs.
+The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan).
 In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
@ -843,7 +843,7 @@ ADMX Info:
 This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
-The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs.
+The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan).
 In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@ -150,6 +150,15 @@ If you disable or don't configure this policy setting, the PIN will be provision
 Supported operations are Add, Get, Delete, and Replace.
 <a href="" id="tenantid-policies-usecloudtrustforonpremauth--only-for---device-vendor-msft-"></a>***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT)  
 Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
 If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
 If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
 Supported operations are Add, Get, Delete, and Replace.
 <a href="" id="tenantid-policies-pincomplexity"></a>***TenantId*/Policies/PINComplexity**  
 Node for defining PIN settings.
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@ -2105,17 +2105,17 @@ If you disable or don't configure this setting, security intelligence will be re
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
-   GP Friendly name: *Define security intelligence location for VDI clients*
+-   GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments*
 -   GP name: *SecurityIntelligenceLocation*
 -   GP element: *SecurityIntelligenceLocation*
-   GP path: *Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates*
+-   GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender*
 -   GP ADMX file name: *WindowsDefender.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 - Empty string - no policy is set
- Non-empty string - the policy is set and security intelligence is gathered from the location
+- Non-empty string - the policy is set and security intelligence is gathered from the location.
 <!--/SupportedValues-->
 <!--/Policy-->
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@ -213,6 +213,12 @@ manager: aaroncz
  <dd>
    <a href="#internetexplorer-enableextendediemodehotkeys">InternetExplorer/EnableExtendedIEModeHotkeys</a>
  </dd>
  <dd>
    <a href="#internetexplorer-enableglobalwindowlistiniemode">InternetExplorer/EnableGlobalWindowListInIEMode</a>
  </dd>
  <dd>
    <a href="#internetexplorer-disableieappdeprecationnotification">InternetExplorer/HideInternetExplorer11RetirementNotification </a>
  </dd>
  <dd>
    <a href="#internetexplorer-includealllocalsites">InternetExplorer/IncludeAllLocalSites</a>
  </dd>
@ -612,6 +618,9 @@ manager: aaroncz
  <dd>
    <a href="#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols">InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls</a>
  </dd>
  <dd>
    <a href="#internetexplorer-resetzoomfordialoginiemode">InternetExplorer/ResetZoomForDialogInIEMode</a>
  </dd>
  <dd>
    <a href="#internetexplorer-restrictactivexinstallinternetexplorerprocesses">InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses</a>
  </dd>
@ -4423,6 +4432,115 @@ ADMX Info:
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="internetexplorer-enableglobalwindowlistiniemode"></a>**InternetExplorer/EnableGlobalWindowListInIEMode**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications.
 The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser.
 - If you enable this policy, Internet Explorer mode will use the global window list.
 - If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list.
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -   0 (default) - Disabled
 -   1 - Enabled
 <!--/SupportedValues-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Enable global window list in Internet Explorer mode*
 -   GP name: *EnableGlobalWindowListInIEMode*
 -   GP path: *Windows Components/Internet Explorer/Main*
 -   GP ADMX file name: *inetres.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="internetexplorer-disableieappdeprecationnotification"></a>**InternetExplorer/HideInternetExplorer11RetirementNotification**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|No|
 |Windows SE|No|No|
 |Business|Yes|No|
 |Enterprise|Yes|No|
 |Education|Yes|No|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11.
 - If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11.
 - If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11.
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -   0 (default) - Disabled
 -   1 - Enabled
 <!--/SupportedValues-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Hide Internet Explorer 11 retirement notification*
 -   GP name: *DisableIEAppDeprecationNotification*
 -   GP path: *Windows Components/Internet Explorer/Main*
 -   GP ADMX file name: *inetres.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="internetexplorer-includealllocalsites"></a>**InternetExplorer/IncludeAllLocalSites**  
@ -11161,6 +11279,60 @@ ADMX Info:
 <hr/>
 <!--Policy-->
 <a href="" id="internetexplorer-resetzoomfordialoginiemode"></a>**InternetExplorer/ResetZoomForDialogInIEMode**  
 <!--SupportedSKUs-->
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
 |Pro|Yes|Yes|
 |Windows SE|No|Yes|
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode.
 - If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page.
 - If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -   0 (default) - Disabled
 -   1 - Enabled
 <!--/SupportedValues-->
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode*
 -   GP name: *ResetZoomForDialogInIEMode*
 -   GP path: *Windows Components/Internet Explorer/Main*
 -   GP ADMX file name: *inetres.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="internetexplorer-restrictactivexinstallinternetexplorerprocesses"></a>**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses**  
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@ -128,7 +128,7 @@ This policy setting allows you to turn off discovering the display service adver
 <!--SupportedValues-->
 The following list shows the supported values:
-   0 - Don't allow
+-   0 - Doesn't allow
 -   1 - Allow
 <!--/SupportedValues-->
@ -166,9 +166,9 @@ The table below shows the applicability of Windows:
 <!--Description-->
 This policy setting allows you to disable the infrastructure movement detection feature.
-If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you're projecting over infrastructure.
+- If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure.
-If you set it to 1, your PC will detect that you've moved and will automatically disconnect your infrastructure Wireless Display session.
+- If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session.
 The default value is 1.
@ -177,7 +177,7 @@ The default value is 1.
 The following list shows the supported values:
- 0 - Don't allow
+- 0 - Doesn't allow
 - 1 (Default) - Allow
 <!--/SupportedValues-->
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@ -322,10 +322,8 @@ Supported operation is Get.
 - Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
 - Bit 1 - Set to 1 when the client machine is Hyper-V capable.
 - Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine.
+- Bit 3 - Set to 1 when Application Guard is installed on the client machine.
 - Bit 4 - Set to 1 when required Network Isolation Policies are configured.
   > [!IMPORTANT]
   > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
 - Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
 - Bit 6 - Set to 1 when system reboot is required.
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@ -37,10 +37,10 @@
      "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
      "uhfHeaderId": "MSDocsHeader-M365-IT",
      "ms.technology": "windows",
      "audience": "ITPro",
      "ms.topic": "article",
-      "feedback_system": "None",
+      "feedback_system": "GitHub",
-      "hideEdit": false,
+      "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
      "_op_documentIdPathDepotMapping": {
        "./": {
          "depot_name": "MSDN.win-configuration",
@ -59,7 +59,12 @@
      ],
      "searchScope": ["Windows 10"]
    },
-    "fileMetadata": {},
+    "fileMetadata": {
      "feedback_system": {
        "ue-v/**/*.*": "None",
        "cortana-at-work/**/*.*": "None"
      }
    },
    "template": [],
    "dest": "win-configuration",
    "markdownEngineName": "markdig"
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@ -263,7 +263,7 @@
                href: update/update-compliance-schema-waasupdatestatus.md
              - name: WaaSInsiderStatus
                href: update/update-compliance-schema-waasinsiderstatus.md
-              - name: WaaSDepoymentStatus
+              - name: WaaSDeploymentStatus
                href: update/update-compliance-schema-waasdeploymentstatus.md
              - name: WUDOStatus
                href: update/update-compliance-schema-wudostatus.md
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@ -33,7 +33,7 @@ The following is a list of items that you should be aware of before you start th
 * When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive.
-* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
+* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
 * If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive.
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@ -21,9 +21,8 @@
        "files": [
          "**/*.png",
          "**/*.jpg",
-          "**/*.gif",
+          "**/*.svg",
-          "**/*.pdf",
+          "**/*.gif"
          "**/*.vsdx"
        ],
        "exclude": [
          "**/obj/**",
@ -37,9 +36,6 @@
      "recommendations": true,
      "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
      "uhfHeaderId": "MSDocsHeader-M365-IT",
      "ms.technology": "windows",
      "audience": "ITPro",
      "ms.topic": "article",
      "feedback_system": "GitHub",
      "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
--- a/windows/deployment/media/Windows10AutopilotFlowchart.pdf
+++ b/windows/deployment/media/Windows10AutopilotFlowchart.pdf
--- a/windows/deployment/media/Windows10Autopilotflowchart.vsdx
+++ b/windows/deployment/media/Windows10Autopilotflowchart.vsdx
--- a/windows/deployment/media/Windows10DeploymentConfigManager.pdf
+++ b/windows/deployment/media/Windows10DeploymentConfigManager.pdf
--- a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx
+++ b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@ -22,7 +22,6 @@ search.appverid:
 - BCS160
 - IWA160
 description: "Check the release health status of Microsoft 365 services before you call support to see if there is an active service interruption."
 feedback_system: none
 ---
 # How to check Windows release health
--- a/windows/deployment/update/update-compliance-v2-help.md
+++ b/windows/deployment/update/update-compliance-v2-help.md
@ -86,7 +86,7 @@ If you create an issue for something not related to documentation, Microsoft wil
 - [Product questions (using Microsoft Q&A)](/answers/products/)
 - [Support requests](#open-a-microsoft-support-case) for Update Compliance
-To share feedback on the fundamental docs.microsoft.com platform, see [Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors.
+To share feedback about the Microsoft Docs platform, see [Microsoft Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors.
 ## Troubleshooting tips
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@ -4,61 +4,62 @@ description: VAMT enables administrators to automate and centrally manage the Wi
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 ms.technology: itpro-deploy
 author: aczechowski
-ms.date: 04/25/2017
+ms.date: 09/16/2022
-ms.topic: article
+ms.topic: overview
 ---
 # Introduction to VAMT
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012.
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has a supported Windows OS version.
 > [!NOTE]
-> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
+> VAMT can be installed on, and can manage, physical or virtual instances. VAMT can't detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
-## In this Topic
+## <a href="" id="bkmk-managingmak"></a>Managing MAK and retail activation
 - [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak)
 - [Managing Key Management Service (KMS) Activation](#bkmk-managingkms)
 - [Enterprise Environment](#bkmk-enterpriseenvironment)
 - [VAMT User Interface](#bkmk-userinterface)
 ## <a href="" id="bkmk-managingmak"></a>Managing Multiple Activation Key (MAK) and Retail Activation
 You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+- **Online activation**: Many organizations maintain a single Windows system image or Office installation package for deployment across the organization. Occasionally there's also a need to use retail product keys in special situations. Online activation enables you to activate over the internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
 - **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host.
-## <a href="" id="bkmk-managingkms"></a>Managing Key Management Service (KMS) Activation
+- **Proxy activation**: This activation method enables you to perform volume activation for products installed on client computers that don't have internet access. The VAMT host computer distributes a MAK, KMS host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs internet access. You can also activate products installed on computers in a workgroup that's isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the internet-connected VAMT host.
-In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 and Microsoft Office 2010.\
+## <a href="" id="bkmk-managingkms"></a>Managing KMS activation
 VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types.
-## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise Environment
+In addition to MAK or retail activation, you can use VAMT to perform volume activation using the KMS. VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by volume license editions of Windows, Windows Server, and Office.
-VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
+VAMT treats a KMS host key (CSVLK) product key identically to a retail-type product key. The experience for product key entry and activation management are identical for both these product key types.
 ## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise environment
 VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments: core network, secure zone, and isolated lab.
 ![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg)
-In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have extra firewall protection.
+- In the core network environment, all computers are within a common network managed by Active Directory Domain Services (AD DS).
-The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
+- The secure zone represents higher-security core network computers that have extra firewall protection.
 - The isolated lab environment is a workgroup that is physically separate from the core network, and its computers don't have internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab.
-## <a href="" id="bkmk-userinterface"></a>VAMT User Interface
+## <a href="" id="bkmk-userinterface"></a>VAMT user interface
-The following screenshot shows the VAMT graphical user interface.
+The following screenshot shows the VAMT graphical user interface:
 ![VAMT user interface.](images/vamtuserinterfaceupdated.jpg)
 VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
+- **Adding and removing computers**: You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query.
 - **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
 - **Monitoring activation status.** You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
 - **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
 - **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
-## Related topics
+- **Discovering products**: You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers.
- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
+- **Monitoring activation status**: You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information.
 - **Managing product keys**: You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
 - **Managing activation data**: VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
 ## Next steps
 [VAMT step-by-step scenarios](vamt-step-by-step.md)
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@ -1,40 +1,36 @@
 ---
-title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10)
+title: VAMT technical reference
 description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
 manager: dougeby
 ms.author: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 ms.technology: itpro-deploy
 author: aczechowski
-ms.date: 04/25/2017
+ms.date: 09/16/2022
-ms.topic: article
+ms.topic: overview
 ms.custom: seo-marvel-apr2020
 ms.collection: highpri
 ---
-# Volume Activation Management Tool (VAMT) Technical Reference
+# Volume Activation Management Tool (VAMT) technical reference
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows&reg;, Microsoft&reg; Office, and select other Microsoft products volume and retail-activation process.
+The Volume Activation Management Tool (VAMT) lets you automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail-activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in. VAMT can be installed on any computer that has a supported Windows OS version.
 VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
 -   Windows&reg; 7 or above
 -   Windows Server 2008 R2 or above
-
+> [!IMPORTANT]
-**Important**  
+> VAMT is designed to manage volume activation for supported versions of Windows, Windows Server, and Office.
 VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or later), Microsoft Office 2010 (or above). 
 VAMT is only available in an EN-US (x86) package.
 ## In this section
-|Topic |Description |
+|Article |Description |
 |------|------------|
 |[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
-|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. |
+|[Active Directory-based activation overview](active-directory-based-activation-overview.md) |Describes Active Directory-based activation scenarios. |
-|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
+|[Install and configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
-|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
+|[Add and manage products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
-|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
+|[Manage product keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
-|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. |
+|[Manage activations](manage-activations-vamt.md) |Describes how to activate a client computer by using various activation methods. |
-|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
+|[Manage VAMT data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
-|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
+|[VAMT step-by-step scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
-|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
+|[VAMT known issues](vamt-known-issues.md) |Lists known issues in VAMT. |
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@ -5,31 +5,33 @@ ms.reviewer:
 manager: dougeby
 author: aczechowski
 ms.author: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 ms.technology: itpro-deploy
 ms.localizationpriority: medium
-ms.topic: article
+ms.topic: reference
 ---
 # Windows 10 deployment process posters
 **Applies to**
-   Windows 10
+-   Windows 10
 The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager.
 ## Deploy Windows 10 with Autopilot
-The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format.
+The Windows Autopilot poster is two pages in portrait mode (11x17). Select the image to download a PDF version.
-[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf)
+[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf)
 ## Deploy Windows 10 with Microsoft Endpoint Configuration Manager
-The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
+The Configuration Manager poster is one page in landscape mode (17x11). Select the image to download a PDF version.
-[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf)
+[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](https://download.microsoft.com/download/e/2/a/e2a70587-d3cc-4f1a-ba49-cfd724a1736b/Windows10DeploymentConfigManager.pdf)
 ## See also
-[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot)<br>
+[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot)
-[Scenarios to deploy enterprise operating systems with Configuration Manager](/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
+
 [Scenarios to deploy enterprise operating systems with Configuration Manager](/mem/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@ -32,6 +32,8 @@
              href: deploy/windows-autopatch-device-registration-overview.md
            - name: Register your devices
              href: deploy/windows-autopatch-register-devices.md
            - name: Post-device registration readiness checks
              href: deploy/windows-autopatch-post-reg-readiness-checks.md
    - name: Operate
      href: operate/index.md
      items:
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@ -1,7 +1,7 @@
 ---
 title: Device registration overview
 description:  This article provides and overview on how to register devices in Autopatch
-ms.date: 07/28/2022
+ms.date: 09/07/2022
 ms.prod: w11
 ms.technology: windows
 ms.topic: conceptual
@ -44,12 +44,12 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
 | **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. |
 | **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.<ol><li>Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
-| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not ready** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.</li><ol><li>**If yes**, it means this device is enrolled into Intune.</li><li>**If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not Ready** tab.</li></ol></ol></ol>|
+| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.</li><ol><li>**If yes**, it means this device is enrolled into Intune.</li><li>**If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
 | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
 | **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li></ol> |
 | **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:<ol><li>**Modern Workplace Devices - All**</li><ol><li>This group has all devices managed by Windows Autopatch.</li></ol><li>When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**</li><ol><li>This group has all devices managed by Windows Autopatch and that have Windows 10 installed.</li></ol><li>When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**</li><ol><li>This group has all devices managed by Windows Autopatch and that have Windows 11 installed.</li></ol><li>When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**</li><ol><li>This group has all virtual devices managed by Windows Autopatch.</li></ol> |
 | **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Ready** tab.</li><li>The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
-| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not ready** tabs.<ol><li>If the device was **successfully registered**, the device shows up in the **Ready** tab.</li><li>If **not**, the device shows up in the **Not ready** tab.</li></ol> |
+| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not registered** tabs.<ol><li>If the device was **successfully registered**, the device shows up in the **Ready** tab.</li><li>If **not**, the device shows up in the **Not registered** tab.</li></ol> |
 | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. |
 ## Detailed prerequisite check workflow diagram
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@ -0,0 +1,99 @@
 ---
 title: Post-device registration readiness checks
 description:  This article details how post-device registration readiness checks are performed in Windows Autopatch
 ms.date: 09/15/2022
 ms.prod: w11
 ms.technology: windows
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 msreviewer: andredm7
 ---
 # Post-device registration readiness checks
 One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle.  
 Having a way of measuring, quickly detecting and remediating when something goes wrong with on-going change management processes is important; it helps mitigate high Helpdesk ticket volumes, reduces cost, and improves overall update management results.
 Windows Autopatch provides proactive device readiness information about devices that are and aren't ready to be fully managed by the service. IT admins can easily detect and fix device-related issues that are preventing them from achieving their update management compliance report goals.
 ## Device readiness scenarios
 Device readiness in Windows Autopatch is divided into two different scenarios:
 | Scenario | Description |
 | ----- | ----- |
 | Prerequisite checks | Ensures devices follow software-based requirements before being registered with the service. |
 | Post-device registration readiness checks | Provides continuous monitoring of device health for registered devices.<p>IT admins can easily detect and remediate configuration mismatches in their environments or issues that prevent devices from having one or more software update workloads (Windows quality, feature updates, Microsoft Office, Microsoft Teams, or Microsoft Edge) fully managed by the Windows Autopatch service. Configuration mismatches can leave devices in a vulnerable state, out of compliance and exposed to security threats.</p>|
 ### Device readiness checks available for each scenario
 | Required device readiness (prerequisite checks) prior to device registration (powered by Intune Graph API)  | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) |
 | ----- | ----- |
 | <ul><li>Windows OS (build, architecture and edition)</li></li><li>Managed by either Intune or ConfigMgr co-management</li><li>ConfigMgr co-management workloads</li><li>Last communication with Intune</li><li>Personal or non-Windows devices</li></ul> | <ul><li>Windows OS (build, architecture and edition)</li><li>Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict</li><li>Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)</li><li>Internet connectivity</li></ul> |
 The status of each post-device registration readiness check is shown in the Windows Autopatch’s Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service.
 ## About the three tabs in the Devices blade
 You deploy software updates to secure your environment, but these deployments only reach healthy and active devices. Unhealthy or not ready devices affect the overall software update compliance. Figuring out device health can be challenging and disruptive to the end user when IT can’t obtain proactive data sent by the device to the service for IT admins to proactively detect, troubleshoot, and fix issues.
 Windows Autopatch has three tabs within its Devices blade. Each tab is designed to provide a different set of device readiness statuses so IT admins know where to go to monitor, and troubleshoot potential device health issues:
 | Tab | Description |
 | ----- | ----- |
 | Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:<ul><li>Passed the prerequisite checks.</li><li>Registered with Windows Autopatch.</li></ul>This tab also lists devices that have passed all postdevice registration readiness checks. |
 | Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.<ul><li>**Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.</li><li>**Inactive**: Devices that haven’t communicated with the Microsoft Endpoint Manager-Intune service in the last 28 days.</li></ul> |
 | Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn’t pass one or more prerequisite checks during the device registration process. |
 ## Details about the post-device registration readiness checks
 A healthy or active device in Windows Autopatch is:
 - Online
 - Actively sending data
 - Passes all post-device registration readiness checks
 The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin responsible for performing the readiness checks in devices and report back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service.
 The following list of post-device registration readiness checks is performed in Windows Autopatch:
 | Check | Description |
 | ----- | ----- |
 | **Windows OS build, architecture, and edition** | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. |
 | **Windows update policies managed via Microsoft Endpoint Manager-Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Endpoint Manager-Intune (MDM). |
 | **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Endpoint Manager-Intune. |
 | **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Endpoint Manager-Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). |
 | **Windows Autopatch network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. |
 | **Microsoft Teams network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Teams must be able to reach for software updates management. |
 | **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. |
 | **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft’s public URLs two times each, to confirm that ping results aren't coming from the device’s cache. |
 ## Daily operations in Windows Autopatch
 See the following end-to-end IT admin operation workflow:
 :::image type="content" source="../media/windows-autopatch-post-device-registration-readiness-checks.png" alt-text="Post-device registration readiness checks" lightbox="../media/windows-autopatch-post-device-registration-readiness-checks.png":::
 | Step | Description |
 | ----- | ----- |
 | **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).|
 | **Step 8: Perform readiness checks** |<ol><li>Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.</li><li>The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.</li></ol> |
 | **Step 9: Check readiness status** |<ol><li>The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.</li><li>The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch’s service.</li></ol>|
 | **Step 10: Add devices to the Not ready** | When devices don’t pass one or more readiness checks, even if they’re registered with Windows Autopatch, they’re added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
 | **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show back up into the **Ready** tab. |
 ## FAQ
 | Question | Answer |
 | ----- | ----- |
 | **How frequent are the post-device registration readiness checks performed?** |<ul><li>The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).</li><li>Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.</li><li>The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.</li><li>The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).</li></ul>|
 | **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don’t meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.<p>Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.</p>|
 ## Additional resources
 - [Device registration overview](windows-autopatch-device-registration-overview.md)
 - [Register your devices](windows-autopatch-register-devices.md)
--- a/Show More
+++ b/Show More