From cf41ad11bb4cba8c4b31075e8a94d6d8c8dbd02e Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Wed, 24 Nov 2021 17:26:50 +0530
Subject: [PATCH 01/73] Added missing policies in policy-system-csp.md

Added:

- System/LimitDiagnosticLogCollection
- System/LimitDumpCollection
---
 .../policy-configuration-service-provider.md  |   6 +
 .../mdm/policy-csp-system.md                  | 143 ++++++++++++++++++
 2 files changed, 149 insertions(+)

diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index bbd3101f94..a49ccf6dae 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -8358,6 +8358,12 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
   <dd>
     <a href="./policy-csp-system.md#system-feedbackhubalwayssavediagnosticslocally" id="system-feedbackhubalwayssavediagnosticslocally">System/FeedbackHubAlwaysSaveDiagnosticsLocally</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-system.md#system-limitdiagnosticlogcollection" id="system-limitdiagnosticlogcollection">System/LimitDiagnosticLogCollection</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-system.md#system-limitdumpcollection" id="system-limitdumpcollection">System/LimitDumpCollection</a>
+  </dd>
   <dd>
     <a href="./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics" id="system-limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a>
   </dd>
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 04cccacbb5..f963b773a2 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -94,6 +94,9 @@ manager: dansimp
   <dd>
     <a href="#system-feedbackhubalwayssavediagnosticslocally">System/FeedbackHubAlwaysSaveDiagnosticsLocally</a>
   </dd>
+  <dd>
+    <a href="#system-limitdiagnosticlogcollection">System/LimitDiagnosticLogCollection</a>
+  </dd>
   <dd>
     <a href="#system-limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a>
   </dd>
@@ -1766,6 +1769,146 @@ The following list shows the supported values:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="system-limitdiagnosticlogcollection"></a>**System/LimitDiagnosticLogCollection**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Edition</th>
+    <th>Windows 10</th>
+    <th>Windows 11</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td>No</td>
+    <td>No</td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem.  It is sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for additional data collection.  
+
+If you disable or do not configure this policy setting, we may occasionally collect advanced diagnostic data if the user has opted to send optional diagnostic data.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP Friendly name: *Limit Diagnostic Log Collection*
+-   GP name: *LimitDiagnosticLogCollection*
+-   GP path: *Data Collection and Preview Builds*
+-   GP ADMX file name: *DataCollection.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+-   0 – Disabled
+-   1 – Enabled
+- 
+<!--/SupportedValues-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="system-limitdumpcollection"></a>**System/LimitDumpCollection**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Edition</th>
+    <th>Windows 10</th>
+    <th>Windows 11</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td>No</td>
+    <td>No</td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem.  These dumps are not sent unless we have permission to collect optional diagnostic data.
+
+By enabling this policy setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only. 
+
+If you disable or do not configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP Friendly name: *Limit Dump Collection*
+-   GP name: *LimitDumpCollection*
+-   GP path: *Data Collection and Preview Builds*
+-   GP ADMX file name: *DataCollection.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+-   0 – Disabled
+-   1 – Enabled
+- 
+<!--/SupportedValues-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="system-limitenhanceddiagnosticdatawindowsanalytics"></a>**System/LimitEnhancedDiagnosticDataWindowsAnalytics**  
 

From 5436b59670ae0a26a8da33989fc394926a57e98e Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Wed, 24 Nov 2021 17:30:08 +0530
Subject: [PATCH 02/73] added index

---
 windows/client-management/mdm/policy-csp-system.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index f963b773a2..15ca67148a 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -97,6 +97,9 @@ manager: dansimp
   <dd>
     <a href="#system-limitdiagnosticlogcollection">System/LimitDiagnosticLogCollection</a>
   </dd>
+  <dd>
+    <a href="#system-limitdumpcollection">System/LimitDumpCollection</a>
+  </dd>
   <dd>
     <a href="#system-limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a>
   </dd>

From a7b671cf433767152e3345561e32b4bc1d54f384 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Thu, 25 Nov 2021 14:43:05 +0530
Subject: [PATCH 03/73] Added missing CSP in TextInput.md

Added :
- TextInput/AllowTextInputSuggestionUpdate
---
 .../policy-configuration-service-provider.md  |  3 +
 .../mdm/policy-csp-textinput.md               | 72 +++++++++++++++++++
 2 files changed, 75 insertions(+)

diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index bbd3101f94..b15e0648ff 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -8447,6 +8447,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
   <dd>
     <a href="./policy-csp-textinput.md#textinput-allowlinguisticdatacollection" id="textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-textinput.md#textinput-allowtextinputsuggestionupdate"id="textinput-allowtextinputsuggestionupdate">TextInput/AllowTextInputSuggestionUpdate</a>
+  </dd>
   <dd>
     <a href="./policy-csp-textinput.md#textinput-configurejapaneseimeversion"id="textinput-configurejapaneseimeversion">TextInput/ConfigureJapaneseIMEVersion</a>
   </dd>
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 77bf576304..23f839bf58 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -58,6 +58,9 @@ manager: dansimp
   <dd>
     <a href="#textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
   </dd>
+  <dd>
+    <a href="#textinput-allowtextinputsuggestionupdate">TextInput/AllowTextInputSuggestionUpdate</a>
+  </dd>
   <dd>
     <a href="#textinput-configurejapaneseimeversion">TextInput/ConfigureJapaneseIMEVersion</a>
   </dd>
@@ -856,6 +859,75 @@ This setting supports a range of values between 0 and 1.
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="textinput-allowtextinputsuggestionupdate"></a>**TextInput/AllowTextInputSuggestionUpdate**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Edition</th>
+    <th>Windows 10</th>
+    <th>Windows 11</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td>No</td>
+    <td>No</td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Allows the user to turn on or off the automatic downloading of newer versions of the Expressive Input UI.
+When downloading is not allowed the Expressive Input panel will always display the initial UI included with the base Windows image.
+
+Most restricted value is 0.
+
+Default: Enabled
+
+<!--/Description-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+- 1 (Enabled) - The newer UX is downloaded from Microsoft service.
+- 0 (Diabled) - The UX remains unchanged with what the operating system installs.
+
+<!--/SupportedValues-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="textinput-configurejapaneseimeversion"></a>**TextInput/ConfigureJapaneseIMEVersion**  
 

From d90f8375eddde74d6c44e24fd236b27cf3ca48fe Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Thu, 25 Nov 2021 15:24:27 +0530
Subject: [PATCH 04/73] Added missing CSPs in TimeLanguageSettings.md

Added :
-  TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks
- TimeLanguageSettings/MachineUILanguageOverwrite
- TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall
---
 .../policy-configuration-service-provider.md  |   9 +
 .../mdm/policy-csp-timelanguagesettings.md    | 233 ++++++++++++++++++
 2 files changed, 242 insertions(+)

diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index bbd3101f94..73b572e3bd 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -8497,9 +8497,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
 ### TimeLanguageSettings policies
 
 <dl>
+  <dd>
+    <a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks" id="timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks">TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks</a>
+  </dd>
   <dd>
     <a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone" id="timelanguagesettings-configuretimezone">TimeLanguageSettings/ConfigureTimeZone</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-machineuilanguageoverwrite" id="timelanguagesettings-machineuilanguageoverwrite">TimeLanguageSettings/MachineUILanguageOverwrite</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-restrictlanguagepacksandfeaturesinstall" id="timelanguagesettings-restrictlanguagepacksandfeaturesinstall">TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall</a>
+  </dd>
 </dl>
 
 ### Troubleshooting policies
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 9d490b2202..b176166a68 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -22,12 +22,99 @@ manager: dansimp
 ## TimeLanguageSettings policies  
 
 <dl>
+  <dd>
+    <a href="#timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks">TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks</a>
+  </dd>
   <dd>
     <a href="#timelanguagesettings-configuretimezone">TimeLanguageSettings/ConfigureTimeZone</a>
   </dd>
+  <dd>
+    <a href="#timelanguagesettings-machineuilanguageoverwrite">TimeLanguageSettings/MachineUILanguageOverwrite</a>
+  </dd>
+  <dd>
+    <a href="#timelanguagesettings-restrictlanguagepacksandfeaturesinstall">TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall</a>
+  </dd>
 </dl>
 
 
+<hr/>
+
+<!--Policy-->
+<a href="" id="timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks"></a>**TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Edition</th>
+    <th>Windows 10</th>
+    <th>Windows 11</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td>No</td>
+    <td>No</td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting controls whether the maintenance task will run to clean up language packs installed on a machine but are not used by any users on that machine.
+
+If you enable this policy setting (value 1), language packs that are installed as part of the system image will remain installed even if they are not used by any user on that system.
+
+If you disable (value 0) or do not configure this policy setting, language packs that are installed as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task.
+
+<!--/Description-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP Friendly name: *Block cleanup of unused language packs*
+-   GP name: *BlockCleanupOfUnusedPreinstalledLangPacks*
+-   GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options*
+-   GP ADMX file name: *Globalization.admx*
+
+<!--/ADMXMapped-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
 <hr/>
 
 <!--Policy-->
@@ -98,5 +185,151 @@ Specifies the time zone to be applied to the device. This is the standard Window
 <!--/Policy-->
 <hr/>
 
+<!--Policy-->
+<a href="" id="timelanguagesettings-machineuilanguageoverwrite"></a>**TimeLanguageSettings/MachineUILanguageOverwrite**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Edition</th>
+    <th>Windows 10</th>
+    <th>Windows 11</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td>No</td>
+    <td>No</td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting controls which UI language is used for computers with more than one UI language installed.
+
+If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator.
+
+If you disable or do not configure this policy setting, there is no restriction of a specific language used for the Windows menus and dialogs.
+
+<!--/Description-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP Friendly name: *Force selected system UI language to overwrite the user UI language*
+-   GP name: *MachineUILanguageOverwrite*
+-   GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options*
+-   GP ADMX file name: *Globalization.admx*
+
+<!--/ADMXMapped-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="timelanguagesettings-restrictlanguagepacksandfeaturesinstall"></a>**TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Edition</th>
+    <th>Windows 10</th>
+    <th>Windows 11</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td>No</td>
+    <td>No</td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting restricts standard users from installing language features on demand. This policy does not restrict the Windows language, if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.”  
+
+If you enable this policy setting, the installation of language features is prevented for standard users.  
+
+If you disable or do not configure this policy setting, there is no language feature installation restriction for the standard users.
+
+<!--/Description-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
 <!--/Policies-->
 

From 218d92239ff5bd8229c33952bbcaa373cdb2eed6 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Thu, 25 Nov 2021 17:35:28 +0530
Subject: [PATCH 05/73] Added new VirtualizationBasedTechnology.md for policies

Added new file: VirtualizationBasedTechnology.md to include missing policies:

-
VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity
- VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable
---
 .../policy-configuration-service-provider.md  |  11 ++
 ...olicy-csp-virtualizationbasedtechnology.md | 181 ++++++++++++++++++
 windows/client-management/mdm/toc.yml         |   2 +
 3 files changed, 194 insertions(+)
 create mode 100644 windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md

diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index bbd3101f94..b95d387e6b 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -8797,6 +8797,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
   </dd>
 </dl>
 
+### VirtualizationBasedTechnology policies
+
+<dl>
+  <dd>
+    <a href="./policy-csp-virtualizationbasedtechnology.md#virtualizationbasedtechnology-hypervisorenforcedcodeintegrity" id="virtualizationbasedtechnology-hypervisorenforcedcodeintegrity">VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-virtualizationbasedtechnology.md#virtualizationbasedtechnology-requireuefimemoryattributestable" id="virtualizationbasedtechnology-requireuefimemoryattributestable">VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable</a>
+  </dd>
+</dl>
+
 ### Wifi policies
 
 <dl>
diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
new file mode 100644
index 0000000000..0640cb8d99
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
@@ -0,0 +1,181 @@
+---
+title: Policy CSP - VirtualizationBasedTechnology
+description: Learn to use the Policy CSP - VirtualizationBasedTechnology setting to control the state of Hypervisor-protected Code Integrity (HVCI) on devices.
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: aljupudi
+ms.localizationpriority: medium
+ms.date: 11/25/2021
+ms.reviewer: 
+manager: dansimp
+---
+
+# Policy CSP - VirtualizationBasedTechnology
+
+<hr/>
+
+<!--Policies-->
+## VirtualizationBasedTechnology policies
+
+<dl>
+  <dd>
+    <a href="#virtualizationbasedtechnology-hypervisorenforcedcodeintegrity">VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity</a>
+  </dd>
+  <dd>
+    <a href="#virtualizationbasedtechnology-requireuefimemoryattributestable">VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="virtualizationbasedtechnology-hypervisorenforcedcodeintegrity"></a>**VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Edition</th>
+    <th>Windows 10</th>
+    <th>Windows 11</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
+
+>[!NOTE]
+>After the policy is pushed, a system reboot will be required to change the state of HVCI.
+
+<!--/Description-->
+<!--SupportedValues-->
+The following are the supported values:
+
+- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock
+- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock
+- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+<hr/>
+
+<!--Policy-->
+<a href="" id="virtualizationbasedtechnology-requireuefimemoryattributestable"></a>**VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Edition</th>
+    <th>Windows 10</th>
+    <th>Windows 11</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
+
+>[!NOTE]
+>After the policy is pushed, a system reboot will be required to change the state of HVCI.
+
+<!--/Description-->
+<!--SupportedValues-->
+
+The following are the supported values:
+
+- 0: (Disabled) Do not require UEFI Memory Attributes Table
+- 1: (Enabled) Require UEFI Memory Attributes Table
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+<hr/>
+
+<!--/Policies-->
+
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 7a1fa1b52f..6ac4cc4a3d 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -831,6 +831,8 @@ items:
               href: policy-csp-update.md
             - name: UserRights
               href: policy-csp-userrights.md
+            - name: VirtualizationBasedTechnology
+              href: policy-csp-virtualizationbasedtechnology.md
             - name: Wifi
               href: policy-csp-wifi.md
             - name: WindowsConnectionManager

From d1d396088b4b4607673053ce12e8bdac07e076bf Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Thu, 25 Nov 2021 17:44:48 +0530
Subject: [PATCH 06/73] Added missing CSP in WirelessDisplay.md

Added:

- WirelessDisplay/AllowMovementDetectionOnInfrastructure
---
 .../policy-configuration-service-provider.md  |  3 +
 .../mdm/policy-csp-wirelessdisplay.md         | 74 +++++++++++++++++++
 2 files changed, 77 insertions(+)

diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index bbd3101f94..a2c7c9c52a 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -8979,6 +8979,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
   <dd>
     <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsdiscovery" id="wirelessdisplay-allowmdnsdiscovery">WirelessDisplay/AllowMdnsDiscovery</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowmovementdetectiononinfrastructure" id="wirelessdisplay-allowmovementdetectiononinfrastructure">WirelessDisplay/AllowMovementDetectionOnInfrastructure</a>
+  </dd>
   <dd>
     <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompc" id="wirelessdisplay-allowprojectionfrompc">WirelessDisplay/AllowProjectionFromPC</a>
   </dd>
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 9d941ee024..779859ca11 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -26,6 +26,9 @@ manager: dansimp
   <dd>
     <a href="#wirelessdisplay-allowmdnsdiscovery">WirelessDisplay/AllowMdnsDiscovery</a>
   </dd>
+  <dd>
+    <a href="#wirelessdisplay-allowmovementdetectiononinfrastructure">WirelessDisplay/AllowMovementDetectionOnInfrastructure</a>
+  </dd>
   <dd>
     <a href="#wirelessdisplay-allowprojectionfrompc">WirelessDisplay/AllowProjectionFromPC</a>
   </dd>
@@ -177,6 +180,77 @@ The following list shows the supported values:
 
 <hr/>
 
+<!--Policy-->
+<a href="" id="wirelessdisplay-allowmovementdetectiononinfrastructure"></a>**WirelessDisplay/AllowMovementDetectionOnInfrastructure**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Edition</th>
+    <th>Windows 10</th>
+    <th>Windows 11</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td>No</td>
+    <td>No</td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td>Yes</td>
+    <td>Yes</td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting allows you to disable the infrastructure movement detection feature.
+
+If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure.
+
+If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session.
+
+The default value is 1.
+
+<!--/Description-->
+<!--SupportedValues-->
+
+The following list shows the supported values:
+
+- 0 - Do not allow
+- 1 (Default) - Allow
+
+<!--/SupportedValues-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="wirelessdisplay-allowprojectionfrompc"></a>**WirelessDisplay/AllowProjectionFromPC**  
 

From cfbd96d72542491d2145dbcdaa80f1253238456f Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Fri, 26 Nov 2021 11:47:25 +0530
Subject: [PATCH 07/73] author name fix

---
 .../mdm/policy-csp-virtualizationbasedtechnology.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
index 0640cb8d99..be76aebb53 100644
--- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
+++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
@@ -5,7 +5,7 @@ ms.author: dansimp
 ms.topic: article
 ms.prod: w10
 ms.technology: windows
-author: aljupudi
+author: alekyaj
 ms.localizationpriority: medium
 ms.date: 11/25/2021
 ms.reviewer: 

From 8fa90e2d4f27b598d32013e2bcb20f058f8810a0 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sun, 28 Nov 2021 21:42:52 +0500
Subject: [PATCH 08/73] Update determine-appropriate-page-file-size.md

---
 .../client-management/determine-appropriate-page-file-size.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/determine-appropriate-page-file-size.md b/windows/client-management/determine-appropriate-page-file-size.md
index da6bb869ab..237c2ed58d 100644
--- a/windows/client-management/determine-appropriate-page-file-size.md
+++ b/windows/client-management/determine-appropriate-page-file-size.md
@@ -66,7 +66,7 @@ Kernel memory crash dumps require enough page file space or dedicated dump file
 
 Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators now have the option to create a dedicated dump file instead.
 
-A dedicated dump file is a page file that is not used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you do not want a page file.
+A dedicated dump file is a page file that is not used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you do not want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options).
 
 ## System-managed page files
 

From 05bfb9b575509f80ea158f8fad34ba4ee7312d97 Mon Sep 17 00:00:00 2001
From: gkomatsu <gkomatsu@microsoft.com>
Date: Mon, 29 Nov 2021 09:03:05 -0800
Subject: [PATCH 09/73] Log collection command cab->zip

Changed log collection command to output in zip format instead of cab. Enables easier usability.
---
 .../mdm/diagnose-mdm-failures-in-windows-10.md              | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 92ed52968c..a84c1a4087 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -35,12 +35,12 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
 You can also collect the MDM Diagnostic Information logs using the following command:
 
 ```xml
-mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab c:\users\public\documents\MDMDiagReport.cab
+mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -zip c:\users\public\documents\MDMDiagReport.zip
 ```
 -   In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
 
-### Understanding cab structure
-The cab file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the cab files collected via command line or Feedback Hub
+### Understanding zip structure
+The zip file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub
 
 -   DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls
 -   DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider)

From e5e0379ab62872f0e73944d24cc7d678c7eaad7a Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Thu, 2 Dec 2021 17:29:44 +0530
Subject: [PATCH 10/73] Html to md table conversion - batch 26

---
 .../deployment/upgrade/upgrade-error-codes.md | 106 +++--
 .../access-control/local-accounts.md          | 190 ++-------
 .../hello-manage-in-organization.md           | 368 +++---------------
 .../how-user-account-control-works.md         | 190 ++-------
 .../vpn/vpn-authentication.md                 |  15 +-
 .../bitlocker/bitlocker-basic-deployment.md   | 140 +------
 ...ve-encryption-tools-to-manage-bitlocker.md | 142 +------
 ...nd-storage-area-networks-with-bitlocker.md | 121 +-----
 .../app-behavior-with-wip.md                  | 105 +----
 .../create-wip-policy-using-configmgr.md      |  94 +----
 .../create-wip-policy-using-intune-azure.md   |  43 +-
 .../limitations-with-wip.md                   | 148 +------
 .../testing-scenarios-for-wip.md              | 149 +------
 ...iew-of-threat-mitigations-in-windows-10.md |  59 +--
 ...-the-health-of-windows-10-based-devices.md |  83 +---
 15 files changed, 302 insertions(+), 1651 deletions(-)

diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index 2286a7ec90..8af8acdd00 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -88,67 +88,57 @@ Extend codes can be matched to the phase and operation when an error occurred. T
 
 The following tables provide the corresponding phase and operation for values of an extend code:
 
-<br>
+### Extend code: phase
 
-<table cellspacing="0" cellpadding="0">
-<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><font color="#000000"><b>Extend code: phase</b></td>
-<tr><td><b>Hex</b><td><b>Phase</b>
-<tr><td>0<td>SP_EXECUTION_UNKNOWN
-<tr><td>1<td>SP_EXECUTION_DOWNLEVEL
-<tr><td>2<td>SP_EXECUTION_SAFE_OS
-<tr><td>3<td>SP_EXECUTION_FIRST_BOOT
-<tr><td>4<td>SP_EXECUTION_OOBE_BOOT
-<tr><td>5<td>SP_EXECUTION_UNINSTALL
-</table>
+|Hex|Phase|
+|--- |--- |
+|0|SP_EXECUTION_UNKNOWN|
+|1|SP_EXECUTION_DOWNLEVEL|
+|2|SP_EXECUTION_SAFE_OS|
+|3|SP_EXECUTION_FIRST_BOOT|
+|4|SP_EXECUTION_OOBE_BOOT|
+|5|SP_EXECUTION_UNINSTALL|
 
+### Extend code: Operation
 
-<table border="0" style='border-collapse:collapse;border:none'>
-<tr><td colspan="2" align="center" valign="top" BGCOLOR="#a0e4fa"><font color="#000000"><B>Extend code: operation</B></td>
-<tr><td align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
-<table>
-<tr><td><b>Hex</b><td><span style='padding:0in 5.4pt 0in 5.4pt;'><b>Operation</b>
-<tr><td><span>0<td><span>SP_EXECUTION_OP_UNKNOWN
-<tr><td><span>1<td><span>SP_EXECUTION_OP_COPY_PAYLOAD
-<tr><td><span>2<td><span>SP_EXECUTION_OP_DOWNLOAD_UPDATES
-<tr><td><span>3<td><span>SP_EXECUTION_OP_INSTALL_UPDATES
-<tr><td><span>4<td><span>SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
-<tr><td><span>5<td><span>SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
-<tr><td><span>6<td><span>SP_EXECUTION_OP_REPLICATE_OC
-<tr><td><span>7<td><span>SP_EXECUTION_OP_INSTALL_DRVIERS
-<tr><td><span>8<td><span>SP_EXECUTION_OP_PREPARE_SAFE_OS
-<tr><td><span>9<td><span>SP_EXECUTION_OP_PREPARE_ROLLBACK
-<tr><td><span>A<td><span>SP_EXECUTION_OP_PREPARE_FIRST_BOOT
-<tr><td><span>B<td><span>SP_EXECUTION_OP_PREPARE_OOBE_BOOT
-<tr><td><span>C<td><span>SP_EXECUTION_OP_APPLY_IMAGE
-<tr><td><span>D<td><span>SP_EXECUTION_OP_MIGRATE_DATA
-<tr><td><span>E<td><span>SP_EXECUTION_OP_SET_PRODUCT_KEY
-<tr><td><span>F<td><span>SP_EXECUTION_OP_ADD_UNATTEND
-</table>
-</td>
-<td align="left" valign="top" style='border:dotted #A6A6A6 1.0pt;'>
-<table>
-<tr><td><b>Hex</b><td><b>Operation</b>
-<tr><td><span>10<td><span>SP_EXECUTION_OP_ADD_DRIVER
-<tr><td><span>11<td><span>SP_EXECUTION_OP_ENABLE_FEATURE
-<tr><td><span>12<td><span>SP_EXECUTION_OP_DISABLE_FEATURE
-<tr><td><span>13<td><span>SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
-<tr><td><span>14<td><span>SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
-<tr><td><span>15<td><span>SP_EXECUTION_OP_CREATE_FILE
-<tr><td><span>16<td><span>SP_EXECUTION_OP_CREATE_REGISTRY
-<tr><td><span>17<td><span>SP_EXECUTION_OP_BOOT
-<tr><td><span>18<td><span>SP_EXECUTION_OP_SYSPREP
-<tr><td><span>19<td><span>SP_EXECUTION_OP_OOBE
-<tr><td><span>1A<td><span>SP_EXECUTION_OP_BEGIN_FIRST_BOOT
-<tr><td><span>1B<td><span>SP_EXECUTION_OP_END_FIRST_BOOT
-<tr><td><span>1C<td><span>SP_EXECUTION_OP_BEGIN_OOBE_BOOT
-<tr><td><span>1D<td><span>SP_EXECUTION_OP_END_OOBE_BOOT
-<tr><td><span>1E<td><span>SP_EXECUTION_OP_PRE_OOBE
-<tr><td><span>1F<td><span>SP_EXECUTION_OP_POST_OOBE
-<tr><td><span>20<td><span>SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
-</table>
-</td>
-</tr>
-</table>
+|Hex|Operation|
+|--- |--- |
+|0|SP_EXECUTION_OP_UNKNOWN|
+|1|SP_EXECUTION_OP_COPY_PAYLOAD|
+|2|SP_EXECUTION_OP_DOWNLOAD_UPDATES|
+|3|SP_EXECUTION_OP_INSTALL_UPDATES|
+|4|SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT|
+|5|SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE|
+|6|SP_EXECUTION_OP_REPLICATE_OC|
+|7|SP_EXECUTION_OP_INSTALL_DRIVERS|
+|8|SP_EXECUTION_OP_PREPARE_SAFE_OS|
+|9|SP_EXECUTION_OP_PREPARE_ROLLBACK|
+|A|SP_EXECUTION_OP_PREPARE_FIRST_BOOT|
+|B|SP_EXECUTION_OP_PREPARE_OOBE_BOOT|
+|C|SP_EXECUTION_OP_APPLY_IMAGE|
+|D|SP_EXECUTION_OP_MIGRATE_DATA|
+|E|SP_EXECUTION_OP_SET_PRODUCT_KEY|
+|F|SP_EXECUTION_OP_ADD_UNATTEND|
+
+|Hex|Operation|
+|--- |--- |
+|10|SP_EXECUTION_OP_ADD_DRIVER|
+|11|SP_EXECUTION_OP_ENABLE_FEATURE|
+|12|SP_EXECUTION_OP_DISABLE_FEATURE|
+|13|SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS|
+|14|SP_EXECUTION_OP_REGISTER_SYNC_PROCESS|
+|15|SP_EXECUTION_OP_CREATE_FILE|
+|16|SP_EXECUTION_OP_CREATE_REGISTRY|
+|17|SP_EXECUTION_OP_BOOT|
+|18|SP_EXECUTION_OP_SYSPREP|
+|19|SP_EXECUTION_OP_OOBE|
+|1A|SP_EXECUTION_OP_BEGIN_FIRST_BOOT|
+|1B|SP_EXECUTION_OP_END_FIRST_BOOT|
+|1C|SP_EXECUTION_OP_BEGIN_OOBE_BOOT|
+|1D|SP_EXECUTION_OP_END_OOBE_BOOT|
+|1E|SP_EXECUTION_OP_PRE_OOBE|
+|1F|SP_EXECUTION_OP_POST_OOBE|
+|20|SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE|
 
 For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
 
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 2126be498a..b2a5460671 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -139,53 +139,16 @@ For details about the HelpAssistant account attributes, see the following table.
 
 **HelpAssistant account attributes**
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>Attribute</th>
-<th>Value</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td><p>Well-Known SID/RID</p></td>
-<td><p>S-1-5-&lt;domain&gt;-13 (Terminal Server User), S-1-5-&lt;domain&gt;-14 (Remote Interactive Logon)</p></td>
-</tr>
-<tr class="even">
-<td><p>Type</p></td>
-<td><p>User</p></td>
-</tr>
-<tr class="odd">
-<td><p>Default container</p></td>
-<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
-</tr>
-<tr class="even">
-<td><p>Default members</p></td>
-<td><p>None</p></td>
-</tr>
-<tr class="odd">
-<td><p>Default member of</p></td>
-<td><p>Domain Guests</p>
-<p>Guests</p></td>
-</tr>
-<tr class="even">
-<td><p>Protected by ADMINSDHOLDER?</p></td>
-<td><p>No</p></td>
-</tr>
-<tr class="odd">
-<td><p>Safe to move out of default container?</p></td>
-<td><p>Can be moved out, but we do not recommend it.</p></td>
-</tr>
-<tr class="even">
-<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
-<td><p>No</p></td>
-</tr>
-</tbody>
-</table>
+|Attribute|Value|
+|--- |--- |
+|Well-Known SID/RID|S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon)|
+|Type|User|
+|Default container|CN=Users, DC=<domain>, DC=|
+|Default members|None|
+|Default member of|Domain Guests<p>Guests|
+|Protected by ADMINSDHOLDER?|No|
+|Safe to move out of default container?|Can be moved out, but we do not recommend it.|
+|Safe to delegate management of this group to non-Service admins?|No|
 
 ### DefaultAccount
 
@@ -290,71 +253,18 @@ For more information about UAC, see [User Account Control](/windows/access-prote
 
 The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
 
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<tbody>
-<tr class="odd">
-<td><p><b>No.</b></p></td>
-<td><p><b>Setting</b></p></td>
-<td><p><b>Detailed Description</b></p></td>
-</tr>
-<tr class="even">
-<td><p></p></td>
-<td><p>Policy location</p></td>
-<td><p>Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options</p></td>
-</tr>
-<tr class="odd">
-<td><p>1</p></td>
-<td><p>Policy name</p></td>
-<td><p><a href="/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode" data-raw-source="[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)">User Account Control: Run all administrators in Admin Approval Mode</a></p></td>
-</tr>
-<tr class="even">
-<td><p></p></td>
-<td><p>Policy setting</p></td>
-<td><p>Enabled</p></td>
-</tr>
-<tr class="odd">
-<td><p>2</p></td>
-<td><p>Policy location</p></td>
-<td><p>Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options</p></td>
-</tr>
-<tr class="even">
-<td><p></p></td>
-<td><p>Policy name</p></td>
-<td><p><a href="/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode" data-raw-source="[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)">User Account Control: Run all administrators in Admin Approval Mode</a></p></td>
-</tr>
-<tr class="odd">
-<td><p></p></td>
-<td><p>Policy setting</p></td>
-<td><p>Enabled</p></td>
-</tr>
-<tr class="even">
-<td><p>3</p></td>
-<td><p>Registry key</p></td>
-<td><p><b>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</b></p></td>
-</tr>
-<tr class="odd">
-<td><p></p></td>
-<td><p>Registry value name</p></td>
-<td><p>LocalAccountTokenFilterPolicy</p></td>
-</tr>
-<tr class="even">
-<td><p></p></td>
-<td><p>Registry value type</p></td>
-<td><p>DWORD</p></td>
-</tr>
-<tr class="odd">
-<td><p></p></td>
-<td><p>Registry value data</p></td>
-<td><p>0</p></td>
-</tr>
-</tbody>
-</table>
-
+|No.|Setting|Detailed Description|
+|--- |--- |--- |
+||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options|
+|1|Policy name|[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)|
+||Policy setting|Enabled|
+|2|Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options|
+||Policy name|[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)|
+||Policy setting|Enabled|
+|3|Registry key|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|
+||Registry value name|LocalAccountTokenFilterPolicy|
+||Registry value type|DWORD|
+||Registry value data|0|
 
 >[!NOTE]
 >You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. 
@@ -437,54 +347,14 @@ In order to perform this procedure, you must first identify the name of the loca
 
 The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts.
 
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<tbody>
-<tr class="odd">
-<td><p><b>No.</b></p></td>
-<td><p><b>Setting</b></p></td>
-<td><p><b>Detailed Description</b></p></td>
-</tr>
-<tr class="even">
-<td><p></p></td>
-<td><p>Policy location</p></td>
-<td><p>Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment</p></td>
-</tr>
-<tr class="odd">
-<td><p>1</p></td>
-<td><p>Policy name</p></td>
-<td><p><a href="/windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network" data-raw-source="[Deny access to this computer from the network](/windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network)">Deny access to this computer from the network</a></p></td>
-</tr>
-<tr class="even">
-<td><p></p></td>
-<td><p>Policy setting</p></td>
-<td><p>Local account and member of Administrators group</p>
-</td>
-</tr>
-<tr class="odd">
-<td><p>2</p></td>
-<td><p>Policy location</p></td>
-<td><p>Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment</p></td>
-</tr>
-<tr class="even">
-<td><p></p></td>
-<td><p>Policy name</p></td>
-<td><p><a href="/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services" data-raw-source="[Deny log on through Remote Desktop Services](/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services)">Deny log on through Remote Desktop Services</a></p></td>
-</tr>
-<tr class="odd">
-<td><p></p></td>
-<td><p>Policy setting</p></td>
-<td><p>Local account and member of Administrators group</p>
-</td>
-</tr>
-</tbody>
-</table>
-
- 
+|No.|Setting|Detailed Description|
+|--- |--- |--- |
+||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment|
+|1|Policy name|[Deny access to this computer from the network](/windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network)|
+||Policy setting|Local account and member of Administrators group|
+|2|Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment|
+||Policy name|[Deny log on through Remote Desktop Services](/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services)|
+||Policy setting|Local account and member of Administrators group|
 
 **To deny network logon to all local administrator accounts**
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index de574128e5..a585e796ba 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -41,151 +41,32 @@ The following table lists the Group Policy settings that you can configure for W
 > [!NOTE]
 > Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **PIN Complexity**.
 
-<table>
-<tr>
-<th colspan="2">Policy</th>
-<th>Scope</th>
-<th>Options</th>
-</tr>
-<tr>
-<td>Use Windows Hello for Business</td>
-<td></td>
-<td>Computer or user</td>
-<td>
-<p><b>Not configured</b>: Device does not provision Windows Hello for Business for any user.</p>
-<p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.</p>
-<p><b>Disabled</b>: Device does not provision Windows Hello for Business for any user.</p>
-</td>
-</tr>
-<tr>
-<td>Use a hardware security device</td>
-<td></td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
-<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.</p>
-<p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
-</td>
-</tr>
-<tr>
-<td>Use certificate for on-premises authentication</td>
-<td></td>
-<td>Computer or user</td>
-<td>
-<p><b>Not configured</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.</p>
-<p><b>Enabled</b>: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.</p>
-<p><b>Disabled</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.</p>
-</td>
-</tr>
-<td>Use PIN recovery</td>
-<td></td>
-<td>Computer</td>
-<td>
-<p>Added in Windows 10, version 1703</p>
-<p><b>Not configured</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
-<p><b>Enabled</b>: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.</p>
-<p><b>Disabled</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
-<p>
+|Policy|Scope|Options|
+|--- |--- |--- |
+|Use Windows Hello for Business|Computer or user|<p><b>Not configured</b>: Device does not provision Windows Hello for Business for any user.<p><b>Enabled</b>: Device provisions Windows Hello for Business using keys or certificates for all users.<p><b>Disabled</b>: Device does not provision Windows Hello for Business for any user.|
+|Use a hardware security device|Computer|<p><b>Not configured</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.<p><b>Enabled</b>: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.<p><b>Disabled</b>: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.|
+|Use certificate for on-premises authentication|Computer or user|<p><b>Not configured</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.<p><b>Enabled</b>: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.<p><b>Disabled</b>: Windows Hello for Business enrolls a key that is used for on-premises authentication.|
+|Use PIN recovery|Computer|<p>Added in Windows 10, version 1703<p><b>Not configured</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service<p><b>Enabled</b>: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset<p><b>Disabled</b>: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.<p>For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
+|Use biometrics|Computer|<p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN<p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.<p><b>Disabled</b>: Only a PIN can be used as a gesture.|
 
-For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
-</p>
-</td>
-</tr>
-<tr>
-<td>Use biometrics</td>
-<td></td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: Biometrics can be used as a gesture in place of a PIN.</p>
-<p><b>Enabled</b>: Biometrics can be used as a gesture in place of a PIN.</p>
-<p><b>Disabled</b>: Only a PIN can be used as a gesture.</p>
-</td>
-</tr>
-<tr>
-<td rowspan="8">PIN Complexity</td>
-<td>Require digits</td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: Users must include a digit in their PIN.</p>
-<p><b>Enabled</b>: Users must include a digit in their PIN.</p>
-<p><b>Disabled</b>: Users cannot use digits in their PIN.</p>
-</td>
-</tr>
-<tr>
-<td>Require lowercase letters</td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: Users cannot use lowercase letters in their PIN.</p>
-<p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.</p>
-<p><b>Disabled</b>: Users cannot use lowercase letters in their PIN.</p>
-</td>
-</tr>
-<tr>
-<td>Maximum PIN length</td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: PIN length must be less than or equal to 127.</p>
-<p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.</p>
-<p><b>Disabled</b>: PIN length must be less than or equal to 127.</p>
-</td>
-</tr>
-<tr>
-<td>Minimum PIN length</td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: PIN length must be greater  than or equal to 4.</p>
-<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.</p>
-<p><b>Disabled</b>: PIN length must be greater  than or equal to 4.</p>
-</td>
-</tr>
-<tr>
-<td>Expiration</td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: PIN does not expire.</p>
-<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.</p>
-<p><b>Disabled</b>: PIN does not expire.</p>
-</td>
-</tr>
-<tr>
-<td>History</td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: Previous PINs are not stored.</p>
-<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.</p>
-<p><b>Disabled</b>: Previous PINs are not stored.</p>
-<div class="alert"><b>Note</b>  Current PIN is included in PIN history.</div>
-<div> </div>
-</td>
-</tr>
-<tr>
-<td>Require special characters</td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: Users cannot include a special character in their PIN.</p>
-<p><b>Enabled</b>: Users must include at least one special character in their PIN.</p>
-<p><b>Disabled</b>: Users cannot include a special character in their PIN.</p>
-</td>
-</tr>
-<tr>
-<td>Require uppercase letters</td>
-<td>Computer</td>
-<td>
-<p><b>Not configured</b>: Users cannot include an uppercase letter in their PIN.</p>
-<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.</p>
-<p><b>Disabled</b>: Users cannot include an uppercase letter in their PIN.</p>
-</td>
-</tr>
-<tr>
-<td>Phone Sign-in</td>
-<td>Use Phone Sign-in</td>
-<td>Computer</td>
-</td>
-<td>
-<p>Not currently supported.</p>
-</td>
-</tr>
-</table>
+### PIN Complexity
+
+|Policy|Scope|Options|
+|--- |--- |--- |
+|Require digits|Computer|<p><b>Not configured</b>: Users must include a digit in their PIN.<p><b>Enabled</b>: Users must include a digit in their PIN.<p><b>Disabled</b>: Users cannot use digits in their PIN.|
+|Require lowercase letters|Computer|<p><b>Not configured</b>: Users cannot use lowercase letters in their PIN<p><b>Enabled</b>: Users must include at least one lowercase letter in their PIN.<p><b>Disabled</b>: Users cannot use lowercase letters in their PIN.|
+|Maximum PIN length|Computer|<p><b>Not configured</b>: PIN length must be less than or equal to 127.<p><b>Enabled</b>: PIN length must be less than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be less than or equal to 127.|
+|Minimum PIN length|Computer|<p><b>Not configured</b>: PIN length must be greater  than or equal to 4.<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be greater  than or equal to 4.|
+|Expiration|Computer|<p><b>Not configured</b>: PIN does not expire.<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.<p><b>Disabled</b>: PIN does not expire.|
+|History|Computer|<p><b>Not configured</b>: Previous PINs are not stored.<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.<p><b>Disabled</b>: Previous PINs are not stored.<div class="alert"><b>Note</b>  Current PIN is included in PIN history.</div>|
+|Require special characters|Computer|<p><b>Not configured</b>: Users cannot include a special character in their PIN<p><b>Enabled</b>: Users must include at least one special character in their PIN.<p><b>Disabled</b>: Users cannot include a special character in their PIN.|
+|Require uppercase letters|Computer|<p><b>Not configured</b>: Users cannot include an uppercase letter in their PIN.<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.<p><b>Disabled</b>: Users cannot include an uppercase letter in their PIN.|
+
+### Phone Sign-in
+
+|Policy|Scope|Options|
+|--- |--- |--- |
+|Use Phone Sign-in|Computer|Not currently supported.|
 
 ## MDM policy settings for Windows Hello for Business
 
@@ -194,175 +75,38 @@ The following table lists the MDM policy settings that you can configure for Win
 >[!IMPORTANT]
 >Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
 
-<table>
-<tr>
-<th colspan="2">Policy</th>
-<th>Scope</th>
-<th>Default</th>
-<th>Options</th>
-</tr>
-<tr>
-<td>UsePassportForWork</td>
-<td></td>
-<td>Device or user</td>
-<td>True</td>
-<td>
-<p>True: Windows Hello for Business will be provisioned for all users on the device.</p>
-<p>False: Users will not be able to provision Windows Hello for Business. </p>
-<div class="alert"><b>Note</b>  If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.</div>
-<div> </div>
-</td>
-</tr>
-<tr>
-<td>RequireSecurityDevice</td>
-<td></td>
-<td>Device or user</td>
-<td>False</td>
-<td>
-<p>True: Windows Hello for Business will only be provisioned using TPM.</p>
-<p>False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.</p>
-</td>
-</tr>
-<tr>
-<td>ExcludeSecurityDevice</td>
-<td>TPM12</td>
-<td>Device</td>
-<td>False</td>
-<td>
-<p>Added in Windows 10, version 1703</p>
-<p>True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.</p>
-<p>False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.</p>
-</td>
-</tr>
-<tr>
-<td>EnablePinRecovery</td>
-<td></td>
-<td>Device or user</td>
-<td>False</td>
-<td>
-<p>Added in Windows 10, version 1703</p>
-<p>True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.</p>
-<p>False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.</p>
-<p>
+|Policy|Scope|Default|Options|
+|--- |--- |--- |--- |
+|UsePassportForWork|Device or user|True|<p>True: Windows Hello for Business will be provisioned for all users on the device.<p>False: Users will not be able to provision Windows Hello for Business. <div class="alert"> **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices</div>|
+|RequireSecurityDevice|Device or user|False|<p>True: Windows Hello for Business will only be provisioned using TPM.<p>False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.|
+|ExcludeSecurityDevice<p>TPM12|Device|False|Added in Windows 10, version 1703<p>True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.<p>False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.|
+|EnablePinRecovery|Device or use|False|<p>Added in Windows 10, version 1703<p>True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.<p>False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).|
 
-For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
-</p>
-</td>
-</tr>
-<tr>
-<td rowspan="2">Biometrics</td>
-<td>
-<p>UseBiometrics</p>
-</td>
-<td>Device </td>
-<td>False</td>
-<td>
-<p>True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.</p>
-<p>False: Only a PIN can be used as a gesture for domain sign-in.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>FacialFeaturesUser</p>
-<p>EnhancedAntiSpoofing</p>
-</td>
-<td>Device</td>
-<td>Not configured</td>
-<td>
-<p>Not configured: users can choose whether to turn on enhanced anti-spoofing.</p>
-<p>True: Enhanced anti-spoofing is required on devices which support it.</p>
-<p>False: Users cannot turn on enhanced anti-spoofing.</p>
-</td>
-</tr>
-<tr>
-<td rowspan="9">PINComplexity</td>
-</tr>
-<tr>
-<td>Digits </td>
-<td>Device or user</td>
-<td>1 </td>
-<td>
-<p>0: Digits are allowed. </p>
-<p>1: At least one digit is required.</p>
-<p>2: Digits are not allowed. </p>
-</td>
-</tr>
-<tr>
-<td>Lowercase letters </td>
-<td>Device or user</td>
-<td>2</td>
-<td>
-<p>0: Lowercase letters are allowed. </p>
-<p>1: At least one lowercase letter is required.</p>
-<p>2: Lowercase letters are not allowed. </p>
-</td>
-</tr>
-<tr>
-<td>Special characters</td>
-<td>Device or user</td>
-<td>2</td>
-<td>
-<p>0: Special characters are allowed. </p>
-<p>1: At least one special character is required. </p>
-<p>2: Special characters are not allowed.</p>
-</td>
-</tr>
-<tr>
-<td>Uppercase letters</td>
-<td>Device or user</td>
-<td>2</td>
-<td>
-<p>0: Uppercase letters are allowed. </p>
-<p>1: At least one uppercase letter is required.</p>
-<p>2: Uppercase letters are not allowed. </p>
-</td>
-</tr>
-<tr>
-<td>Maximum PIN length </td>
-<td>Device or user</td>
-<td>127 </td>
-<td>
-<p>Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.</p>
-</td>
-</tr>
-<tr>
-<td>Minimum PIN length</td>
-<td>Device or user</td>
-<td>4</td>
-<td>
-<p>Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.</p>
-</td>
-</tr>
-<tr>
-<td>Expiration </td>
-<td>Device or user</td>
-<td>0</td>
-<td>
-<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.
-</p>
-</td>
-</tr>
-<tr>
-<td>History</td>
-<td>Device or user</td>
-<td>0</td>
-<td>
-<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
-</p>
-</td>
-</tr>
-<tr>
-<td>Remote</td>
-<td>
-<p>UseRemotePassport</p>
-</td>
-<td>Device or user</td>
-<td>False</td>
-<td>
-<p>Not currently supported.</p>
-</td>
-</tr>
-</table>
+### Biometrics
+
+|Policy|Scope|Default|Options|
+|--- |--- |--- |--- |
+|UseBiometrics|Device |False|<p>True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.<p>False: Only a PIN can be used as a gesture for domain sign-in.|
+|<p>FacialFeaturesUser<p>EnhancedAntiSpoofing|Device|Not configured|<p>Not configured: users can choose whether to turn on enhanced anti-spoofing.<p>True: Enhanced anti-spoofing is required on devices which support it.<p>False: Users cannot turn on enhanced anti-spoofing.|
+
+### PINComplexity
+
+|Policy|Scope|Default|Options|
+|--- |--- |--- |--- |
+|Digits |Device or user|1 |<p>0: Digits are allowed. <p>1: At least one digit is required.<p>2: Digits are not allowed.|
+|Lowercase letters |Device or user|2|<p>0: Lowercase letters are allowed. <p>1: At least one lowercase letter is required.<p>2: Lowercase letters are not allowed.|
+|Special characters|Device or user|2|<p>0: Special characters are allowed. <p>1: At least one special character is required. <p>2: Special characters are not allowed.|
+|Uppercase letters|Device or user|2|<p>0: Uppercase letters are allowed. <p>1: At least one uppercase letter is required.<p>2: Uppercase letters are not allowed.|
+|Maximum PIN length |Device or user|127 |<p>Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.|
+|Minimum PIN length|Device or user|4|<p>Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.|
+|Expiration |Device or user|0|<p>Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.|
+|History|Device or user|0|<p>Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.|
+
+### Remote
+
+|Policy|Scope|Default|Options|
+|--- |--- |--- |--- |
+|UseRemotePassport|Device or user|False|Not currently supported.|
 
 >[!NOTE]
 > In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index e9f7b85291..edf3452542 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -106,169 +106,35 @@ The following diagram details the UAC architecture.
 
 To better understand each component, review the table below:
 
-<table>
-<tr>
-<th>Component</th>
-<th>Description</th>
-</tr>
-<tr>
-<th colspan="2">User</th>
-</tr>
-<tr>
-<td>
-<p>User performs operation requiring privilege</p>
-</td>
-<td>
-<p>If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>ShellExecute</p>
-</td>
-<td>
-<p>ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>CreateProcess</p>
-</td>
-<td>
-<p>If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.</p>
-</td>
-</tr>
-<tr>
-<th colspan="2">System</th>
-</tr>
-<tr>
-<td>
-<p>Application Information service</p>
-</td>
-<td>
-<p>A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user&#39;s full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Elevating an ActiveX install</p>
-</td>
-<td>
-<p>If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the <b>User Account Control: Switch to the secure desktop when prompting for elevation</b> Group Policy setting is checked.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Check UAC slider level</p>
-</td>
-<td>
-<p>UAC has a slider to select from four levels of notification.</p>
-<ul>
-<li><p><b>Always notify</b> will:</p>
-<ul>
-<li>Notify you when programs try to install software or make changes to your computer.</li>
-<li>Notify you when you make changes to Windows settings.</li>
-<li>Freeze other tasks until you respond.</li>
-</ul>
-<p>Recommended if you often install new software or visit unfamiliar websites.</p><br>
-</li>
-<li><p><b>Notify me only when programs try to make changes to my computer</b> will:</p>
-<ul>
-<li>Notify you when programs try to install software or make changes to your computer.</li>
-<li>Not notify you when you make changes to Windows settings.</li>
-<li>Freeze other tasks until you respond.</li>
-</ul>
-<p>Recommended if you do not often install apps or visit unfamiliar websites.</p><br>
-</li>
-<li><p><b>Notify me only when programs try to make changes to my computer (do not dim my desktop)</b> will:</p>
-<ul>
-<li>Notify you when programs try to install software or make changes to your computer.</li>
-<li>Not notify you when you make changes to Windows settings.</li>
-<li>Not freeze other tasks until you respond.</li>
-</ul>
-<p>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.</p><br>
-</li>
-<li><p><b>Never notify (Disable UAC prompts)</b> will:</p>
-<ul>
-<li>Not notify you when programs try to install software or make changes to your computer.</li>
-<li>Not notify you when you make changes to Windows settings.</li>
-<li>Not freeze other tasks until you respond.</li>
-</ul>
-<p>Not recommended due to security concerns.</p>
-</li></ul>
-</td>
-</tr>
-<tr>
-<td>
-<p>Secure desktop enabled</p>
-</td>
-<td>
-<p>The <b>User Account Control: Switch to the secure desktop when prompting for elevation</b> policy setting is checked: </p>
-<ul>
-<li>
-<p>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</p>
-</li>
-<li>
-<p>If the secure desktop is not enabled, all elevation requests go to the interactive user&#39;s desktop, and the per-user settings for administrators and standard users are used.</p>
-</li>
-</ul>
-</td>
-</tr>
-<tr>
-<td>
-<p>CreateProcess</p>
-</td>
-<td>
-<p>CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>AppCompat</p>
-</td>
-<td>
-<p>The AppCompat database stores information in the application compatibility fix entries for an application.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Fusion</p>
-</td>
-<td>
-<p>The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>Installer detection</p>
-</td>
-<td>
-<p>Installer detection detects setup files, which helps prevent installations from being run without the user&#39;s knowledge and consent.</p>
-</td>
-</tr>
-<tr>
-<th colspan="2">Kernel</th>
-</td>
-</tr>
-<tr>
-<td>
-<p>Virtualization</p>
-</td>
-<td>
-<p>Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.</p>
-</td>
-</tr>
-<tr>
-<td>
-<p>File system and registry</p>
-</td>
-<td>
-<p>The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.</p>
-</td>
-</tr>
-</table>
+### User
+
+|Component|Description|
+|--- |--- |
+|<p>User performs operation requiring privilege|<p>If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
+|<p>ShellExecute|<p>ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
+|<p>CreateProcess|<p>If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
+
+### System
+
+|Component|Description|
+|--- |--- |
+|<p>Application Information service|<p>A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.|
+|<p>Elevating an ActiveX install|<p>If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
+|<p>Check UAC slider level|<p>UAC has a slider to select from four levels of notification.<ul><li><p>**Always notify** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you often install new software or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you do not often install apps or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.<br></li><li><p>**Never notify (Disable UAC prompts)** will:<ul><li>Not notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended due to security concerns.|
+|<p>Secure desktop enabled|<p>The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: <ul><li><p>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</li><li><p>If the secure desktop is not enabled, all elevation requests go to the interactive user&#39;s desktop, and the per-user settings for administrators and standard users are used.|
+|<p>CreateProcess|<p>CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
+|<p>AppCompat|<p>The AppCompat database stores information in the application compatibility fix entries for an application.|
+|<p>Fusion|<p>The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
+|<p>Installer detection|<p>Installer detection detects setup files, which helps prevent installations from being run without the user&#39;s knowledge and consent.|
+
+### Kernel
+
+|Component|Description|
+|--- |--- |
+|<p>Virtualization|<p>Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
+|<p>File system and registry|<p>The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
  
-The slider will never turn UAC completely off. If you set it to <b>Never notify</b>, it will:
+The slider will never turn UAC completely off. If you set it to **Never notify**, it will:
 
 -   Keep the UAC service running.
 -   Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 77824138a9..b646e90f3e 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -23,15 +23,12 @@ In addition to older and less-secure password-based authentication methods (whic
 
 Windows supports a number of EAP authentication methods. 
 
-<table>
-<thead><tr><th>Method</th><th>Details</th></thead>
-<tbody>
-<tr><td>EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)</td><td><ul><li>User name and password authentication</li><li>Winlogon credentials - can specify authentication with computer sign-in credentials</li></ul></td></tr>
-<tr><td>EAP-Transport Layer Security (EAP-TLS) </td><td><ul><li>Supports the following types of certificate authentication<ul><li>Certificate with keys in the software Key Storage Provider (KSP)</li><li>Certificate with keys in Trusted Platform Module (TPM) KSP</li><li>Smart card certificates</li><li>Windows Hello for Business certificate</li></ul></li><li>Certificate filtering<ul><li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with</li><li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based</li></ul></li><li>Server validation - with TLS, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li></ul></td></tr>
-<tr><td><a href="/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754179(v=ws.11)">Protected Extensible Authentication Protocol (PEAP)</a></td><td><ul><li>Server validation - with PEAP, server validation can be toggled on or off<ul><li>Server name - specify the server to validate</li><li>Server certificate - trusted root certificate to validate the server</li><li>Notification - specify if the user should get a notification asking whether to trust the server or not</li></ul></li><li>Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication<ul><li>EAP-MSCHAPv2</li><li>EAP-TLS</li></ul><li>Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.<li><a href="/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937">Cryptobinding</a>: By deriving and exchanging values from the PEAP phase 1 key material (<b>Tunnel Key</b>) and from the PEAP phase 2 inner EAP method key material (<b>Inner Session Key</b>), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.</li></li></ul></td></tr>
-<tr><td>Tunneled Transport Layer Security (TTLS)</td><td><ul><li>Inner method<ul><li>Non-EAP<ul><li>Password Authentication Protocol (PAP)</li><li>CHAP</li><li>MSCHAP</li><li>MSCHAPv2</li></ul></li><li>EAP<ul><li>MSCHAPv2</li><li>TLS</li></ul></li></ul></li><li>Server validation: in TTLS, the server must be validated. The following can be configured:<ul><li>Server name</li><li>Trusted root certificate for server certificate</li><li>Whether there should be a server validation notification</li></ul></li></ul></td></tr></tbody>
-</table>
-</br>
+|Method|Details|
+|--- |--- |
+|EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)|<li>User name and password authentication<li>Winlogon credentials- can specify authentication with computer sign-in credentials|
+|EAP-Transport Layer Security (EAP-TLS)|<p>Supports the following types of certificate authentication <li>Certificate with keys in the software Key Storage Provider (KSP)<li>Certificate with keys in Trusted Platform Module (TPM) KSP<li>Smart card certificates<li>Windows Hello for Business certificate<p>Certificate filtering<li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with<li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based<p>Server validation- with TLS, server validation can be toggled on or off<li>Server name-specify the server to validate<li>Server certificate- trusted root certificate to validate the server<li>Notification-specify if the user should get a notification asking whether to trust the server or not|
+|[Protected Extensible Authentication Protocol (PEAP)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754179(v=ws.11))|<p>Server validation with PEAP,- server validation can be toggled on or off<li>Server name- specify the server to validate<li>Server certificate- trusted root certificate to validate the server<li>Notification- specify if the user should get a notification asking whether to trust the server or not<p>Inner method- the outer method creates a secure tunnel inside while the inner method is used to complete the authentication<li>EAP-MSCHAPv2<li>EAP-TLS<p>Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.<p>[Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.|
+|Tunneled Transport Layer Security (TTLS)|**Inner method**<p>Non-EAP<li>Password Authentication Protocol (PAP)<li>CHAP<li>MSCHAP<li>MSCHAPv2<p>EAP<li>MSCHAPv2<li>TLS<p>Server validation: in TTLS, the server must be validated. The following can be configured:<li>Server name<li>Trusted root certificate for server certificate<li>Whether there should be a server validation notification|
 
 For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential types can be used:
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index d43cdb899b..887293791c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -184,132 +184,20 @@ manage-bde -on C:
 
 Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Name</p></td>
-<td align="left"><p>Parameters</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td>
-<td align="left"><p>-ADAccountOrGroup</p>
-<p>-ADAccountOrGroupProtector</p>
-<p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-Password</p>
-<p>-PasswordProtector</p>
-<p>-Pin</p>
-<p>-RecoveryKeyPath</p>
-<p>-RecoveryKeyProtector</p>
-<p>-RecoveryPassword</p>
-<p>-RecoveryPasswordProtector</p>
-<p>-Service</p>
-<p>-StartupKeyPath</p>
-<p>-StartupKeyProtector</p>
-<p>-TpmAndPinAndStartupKeyProtector</p>
-<p>-TpmAndPinProtector</p>
-<p>-TpmAndStartupKeyProtector</p>
-<p>-TpmProtector</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>Backup-BitLockerKeyProtector</strong></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-KeyProtectorId</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Disable-BitLocker</strong></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>Disable-BitLockerAutoUnlock</strong></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Enable-BitLocker</strong></p></td>
-<td align="left"><p>-AdAccountOrGroup</p>
-<p>-AdAccountOrGroupProtector</p>
-<p>-Confirm</p>
-<p>-EncryptionMethod</p>
-<p>-HardwareEncryption</p>
-<p>-Password</p>
-<p>-PasswordProtector</p>
-<p>-Pin</p>
-<p>-RecoveryKeyPath</p>
-<p>-RecoveryKeyProtector</p>
-<p>-RecoveryPassword</p>
-<p>-RecoveryPasswordProtector</p>
-<p>-Service</p>
-<p>-SkipHardwareTest</p>
-<p>-StartupKeyPath</p>
-<p>-StartupKeyProtector</p>
-<p>-TpmAndPinAndStartupKeyProtector</p>
-<p>-TpmAndPinProtector</p>
-<p>-TpmAndStartupKeyProtector</p>
-<p>-TpmProtector</p>
-<p>-UsedSpaceOnly</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>Enable-BitLockerAutoUnlock</strong></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Get-BitLockerVolume</strong></p></td>
-<td align="left"><p>-MountPoint</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>Lock-BitLocker</strong></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-ForceDismount</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Remove-BitLockerKeyProtector</strong></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-KeyProtectorId</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>Resume-BitLocker</strong></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><strong>Suspend-BitLocker</strong></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-RebootCount</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><strong>Unlock-BitLocker</strong></p></td>
-<td align="left"><p>-AdAccountOrGroup</p>
-<p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-Password</p>
-<p>-RecoveryKeyPath</p>
-<p>-RecoveryPassword</p>
-<p>-RecoveryPassword</p>
-<p>-WhatIf</p></td>
-</tr>
-</tbody>
-</table>
+|Name|Parameters|
+|--- |--- |
+|**Add-BitLockerKeyProtector**|<li>ADAccountOrGroup<li>ADAccountOrGroupProtector<li>Confirm<li>MountPoint<li>Password<li>PasswordProtector<li>Pin<li>RecoveryKeyPath<li>RecoveryKeyProtector<li>RecoveryPassword<li>RecoveryPasswordProtector<li>Service<li>StartupKeyPath<li>StartupKeyProtector<li>TpmAndPinAndStartupKeyProtector<li>TpmAndPinProtector<li>TpmAndStartupKeyProtector<li>TpmProtector<li>WhatIf|
+|**Backup-BitLockerKeyProtector**|<li>Confirm<li>KeyProtectorId<li>MountPoint<li>WhatIf|
+|**Disable-BitLocker**|<li>Confirm<li>MountPoint<li>WhatIf|
+|**Disable-BitLockerAutoUnlock**|<li>Confirm<li>MountPoint<li>WhatIf|
+|**Enable-BitLocker**|<li>AdAccountOrGroup<li>AdAccountOrGroupProtector<li>Confirm<li>EncryptionMethod<li>HardwareEncryption<li>Password<li>PasswordProtector<li>Pin<li>RecoveryKeyPath<li>RecoveryKeyProtector<li>RecoveryPassword<li>RecoveryPasswordProtector<li>Service<li>SkipHardwareTest<li>StartupKeyPath<li>StartupKeyProtector<li>TpmAndPinAndStartupKeyProtector<li>TpmAndPinProtector<li>TpmAndStartupKeyProtector<li>TpmProtector<li>UsedSpaceOnly<li>WhatIf|
+|**Enable-BitLockerAutoUnlock**|<li>Confirm<li>MountPoint<li>WhatIf|
+|**Get-BitLockerVolume**|<li>MountPoint|
+|**Lock-BitLocker**|<li>Confirm<li>ForceDismount<li>MountPoint<li>WhatIf|
+|**Remove-BitLockerKeyProtector**|<li>Confirm<li>KeyProtectorId<li>MountPoint<li>WhatIf|
+|**Resume-BitLocker**|<li>Confirm<li>MountPoint<li>WhatIf|
+|**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
+|**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|
 
 Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index c70a1373ec..300f1f911d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -128,134 +128,20 @@ For more information about using repair-bde, see [Repair-bde](/previous-versions
 
 Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th><p>Name</p></th>
-<th><p>Parameters</p></th>
-</tr>
-</thead>
-<tbody>
-<tr class="even">
-<td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td>
-<td align="left"><p>-ADAccountOrGroup</p>
-<p>-ADAccountOrGroupProtector</p>
-<p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-Password</p>
-<p>-PasswordProtector</p>
-<p>-Pin</p>
-<p>-RecoveryKeyPath</p>
-<p>-RecoveryKeyProtector</p>
-<p>-RecoveryPassword</p>
-<p>-RecoveryPasswordProtector</p>
-<p>-Service</p>
-<p>-StartupKeyPath</p>
-<p>-StartupKeyProtector</p>
-<p>-TpmAndPinAndStartupKeyProtector</p>
-<p>-TpmAndPinProtector</p>
-<p>-TpmAndStartupKeyProtector</p>
-<p>-TpmProtector</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Backup-BitLockerKeyProtector</b></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-KeyProtectorId</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>Disable-BitLocker</b></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Disable-BitLockerAutoUnlock</b></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>Enable-BitLocker</b></p></td>
-<td align="left"><p>-AdAccountOrGroup</p>
-<p>-AdAccountOrGroupProtector</p>
-<p>-Confirm</p>
-<p>-EncryptionMethod</p>
-<p>-HardwareEncryption</p>
-<p>-Password</p>
-<p>-PasswordProtector</p>
-<p>-Pin</p>
-<p>-RecoveryKeyPath</p>
-<p>-RecoveryKeyProtector</p>
-<p>-RecoveryPassword</p>
-<p>-RecoveryPasswordProtector</p>
-<p>-Service</p>
-<p>-SkipHardwareTest</p>
-<p>-StartupKeyPath</p>
-<p>-StartupKeyProtector</p>
-<p>-TpmAndPinAndStartupKeyProtector</p>
-<p>-TpmAndPinProtector</p>
-<p>-TpmAndStartupKeyProtector</p>
-<p>-TpmProtector</p>
-<p>-UsedSpaceOnly</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Enable-BitLockerAutoUnlock</b></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>Get-BitLockerVolume</b></p></td>
-<td align="left"><p>-MountPoint</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Lock-BitLocker</b></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-ForceDismount</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>Remove-BitLockerKeyProtector</b></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-KeyProtectorId</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Resume-BitLocker</b></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>Suspend-BitLocker</b></p></td>
-<td align="left"><p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-RebootCount</p>
-<p>-WhatIf</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Unlock-BitLocker</b></p></td>
-<td align="left"><p>-AdAccountOrGroup</p>
-<p>-Confirm</p>
-<p>-MountPoint</p>
-<p>-Password</p>
-<p>-RecoveryKeyPath</p>
-<p>-RecoveryPassword</p>
-<p>-RecoveryPassword</p>
-<p>-WhatIf</p></td>
-</tr>
-</tbody>
-</table>
+|Name|Parameters|
+|--- |--- |
+|**Add-BitLockerKeyProtector**|<li>ADAccountOrGroup<li>ADAccountOrGroupProtector<li>Confirm<li>MountPoint<li>Password<li>PasswordProtector<li>Pin<li>RecoveryKeyPath<li>RecoveryKeyProtector<li>RecoveryPassword<li>RecoveryPasswordProtector<li>Service<li>StartupKeyPath<li>StartupKeyProtector<li>TpmAndPinAndStartupKeyProtector<li>TpmAndPinProtector<li>TpmAndStartupKeyProtector<li>TpmProtector<li>WhatIf|
+|**Backup-BitLockerKeyProtector**|<li>Confirm<li>KeyProtectorId<li>MountPoint<li>WhatIf|
+|**Disable-BitLocker**|<li>Confirm<li>MountPoint<li>WhatIf|
+|**Disable-BitLockerAutoUnlock**|<li>Confirm<li>MountPoint<li>WhatIf|
+|**Enable-BitLocker**|<li>AdAccountOrGroup<li>AdAccountOrGroupProtector<li>Confirm<li>EncryptionMethod<li>HardwareEncryption<li>Password<li>PasswordProtector<li>Pin<li>RecoveryKeyPath<li>RecoveryKeyProtector<li>RecoveryPassword<li>RecoveryPasswordProtector<li>Service<li>SkipHardwareTest<li>StartupKeyPath<li>StartupKeyProtector<li>TpmAndPinAndStartupKeyProtector<li>TpmAndPinProtector<li>TpmAndStartupKeyProtector<li>TpmProtector<li>UsedSpaceOnly<li>WhatIf|
+|**Enable-BitLockerAutoUnlock**|<li>Confirm<li>MountPoint<li>WhatIf|
+|**Get-BitLockerVolume**|<li>MountPoint|
+|**Lock-BitLocker**|<li>Confirm<li>ForceDismount<li>MountPoint<li>WhatIf|
+|**Remove-BitLockerKeyProtector**|<li>Confirm<li>KeyProtectorId<li>MountPoint<li>WhatIf|
+|**Resume-BitLocker**|<li>Confirm<li>MountPoint<li>WhatIf|
+|**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
+|**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|
  
 Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
 
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index ac8caab616..8eb564b9c2 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -160,110 +160,23 @@ Unlike CSV2.0 volumes, physical disk resources can only be accessed by one clust
 
 The following table contains information about both Physical Disk Resources (that is, traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation.
 
-<table>
-<colgroup>
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-</colgroup>
-<tbody>
-<tr class="odd">
-<td align="left"><p><b>Action</b></p></td>
-<td align="left"><p><b>On owner node of failover volume</b></p></td>
-<td align="left"><p><b>On Metadata Server (MDS) of CSV</b></p></td>
-<td align="left"><p><b>On (Data Server) DS of CSV</b></p></td>
-<td align="left"><p><b>Maintenance Mode</b></p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>Manage-bde –on</b></p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Manage-bde –off</b></p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>Manage-bde Pause/Resume</b></p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Blocked<b></p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Manage-bde –lock</b></p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>manage-bde –wipe</b></p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Unlock</b></p></td>
-<td align="left"><p>Automatic via cluster service</p></td>
-<td align="left"><p>Automatic via cluster service</p></td>
-<td align="left"><p>Automatic via cluster service</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>manage-bde –protector –add</b></p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>manage-bde -protector -delete</b></p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>manage-bde –autounlock</b></p></td>
-<td align="left"><p>Allowed (not recommended)</p></td>
-<td align="left"><p>Allowed (not recommended)</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed (not recommended)</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Manage-bde -upgrade</b></p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p><b>Shrink</b></p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p><b>Extend</b></p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Allowed</p></td>
-<td align="left"><p>Blocked</p></td>
-<td align="left"><p>Allowed</p></td>
-</tr>
-</tbody>
-</table>
- 
-&gt;</b>Note:**  Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
+|**Action**|**On owner node of failover volume**|**On Metadata Server (MDS) of CSV**|**On (Data Server) DS of CSV**|**Maintenance Mode**|
+|--- |--- |--- |--- |--- |
+|**Manage-bde –on**|Blocked|Blocked|Blocked|Allowed|
+|**Manage-bde –off**|Blocked|Blocked|Blocked|Allowed|
+|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed|
+|**Manage-bde –lock**|Blocked|Blocked|Blocked|Allowed|
+|**manage-bde –wipe**|Blocked|Blocked|Blocked|Allowed|
+|**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed|
+|**manage-bde –protector –add**|Allowed|Allowed|Blocked|Allowed|
+|**manage-bde -protector -delete**|Allowed|Allowed|Blocked|Allowed|
+|**manage-bde –autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)|
+|**Manage-bde -upgrade**|Allowed|Allowed|Blocked|Allowed|
+|**Shrink**|Allowed|Allowed|Blocked|Allowed|
+|**Extend**|Allowed|Allowed|Blocked|Allowed|
+
+>[!NOTE]
+> Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
  
 In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process.
 
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index f1bededfaf..a2dde84f60 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -42,104 +42,21 @@ We strongly suggest that the only unenlightened apps you add to your allowed app
 ## Unenlightened app behavior
 This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
 
-<table>
-   <tr>
-     <th>App rule setting</th>
-     <th align="center" colspan="2">Networking policy configuration</th>
-   </tr>
-   <tr>
-        <th>&nbsp;</th>
-        <th align="center">Name-based policies, without the /&#42;AppCompat&#42;/ string</th>
-        <th align="center">Name-based policies, using the /&#42;AppCompat&#42;/ string or proxy-based policies</th>
-    </tr>
-   <tr align="left">
-     <td><b>Not required.</b> App connects to enterprise cloud resources directly, using an IP address.</td>
-     <td>
-        <ul>
-            <li>App is entirely blocked from both personal and enterprise cloud resources.</li>
-            <li>No encryption is applied.</li>
-            <li>App can’t access local Work files.</li>
-        </ul>
-    </td>
-    <td>
-        <ul>
-            <li>App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.</li>
-            <li>No encryption is applied.</li>
-            <li>App can’t access local Work files.</li>
-        </ul>
-    </td>
-   </tr>
-    <tr align="left">
-     <td><b>Not required.</b> App connects to enterprise cloud resources, using a hostname.</td>
-     <td colspan="2">
-        <ul>
-            <li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
-            <li>No encryption is applied.</li>
-            <li>App can’t access local Work files.</li>
-        </ul>
-    </td>
-   </tr>
-    <tr align="left">
-     <td><b>Allow.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
-     <td colspan="2">
-        <ul>
-            <li>App can access both personal and enterprise cloud resources.</li>
-            <li>Auto-encryption is applied.</li>
-            <li>App can access local Work files.</li>
-        </ul>
-    </td>
-   </tr>
-    <tr align="left" colspan="2">
-     <td><b>Exempt.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
-     <td colspan="2">
-        <ul>
-            <li>App can access both personal and enterprise cloud resources.</li>
-            <li>No encryption is applied.</li>
-            <li>App can access local Work files.</li>
-        </ul>
-    </td>
-   </tr>
-</table>
+|App rule setting|Networking policy configuration|
+|--- |--- |
+|**Not required.** App connects to enterprise cloud resources directly, using an IP address.|<p>**Name-based policies, without the /&#42;AppCompat&#42;/ string:**<li>App is entirely blocked from both personal and enterprise cloud resources.<li>No encryption is applied.<li>App can’t access local Work files.<p>**Name-based policies, using the /&#42;AppCompat&#42;/ string or proxy-based policies:**<li>App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.<li>No encryption is applied.<li>App can’t access local Work files.|
+|**Not required.** App connects to enterprise cloud resources, using a hostname.|<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.<li>No encryption is applied.<li>App can’t access local Work files.|
+|**Allow.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li>Auto-encryption is applied.<li>App can access local Work files.|
+|**Exempt.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li>No encryption is applied.<li>App can access local Work files.|
 
 ## Enlightened app behavior
 This table includes info about how enlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
 
-<table>
-   <tr>
-     <th>App rule setting</th>
-     <th>Networking policy configuration for name-based policies, possibly using the /&#42;AppCompat&#42;/ string, or proxy-based policies</th>
-   </tr>
-    <tr>
-        <td><b>Not required.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
-        <td>
-            <ul>
-                <li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
-                <li>No encryption is applied.</li>
-                <li>App can't access local Work files.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td><b>Allow.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
-        <td>
-            <ul>
-                <li>App can access both personal and enterprise cloud resources.</li>
-                <li>App protects work data and leaves personal data unprotected.</li>
-                <li>App can access local Work files.</li>
-            </ul>
-        </td>
-    </tr>
-    <tr>
-        <td><b>Exempt.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
-        <td>
-            <ul>
-                <li>App can access both personal and enterprise cloud resources.</li>
-                <li>App protects work data and leaves personal data unprotected.</li>
-                <li>App can access local Work files.</li>
-            </ul>
-        </td>
-    </tr>
-</table>
+|App rule setting|Networking policy configuration for name-based policies, possibly using the /&#42;AppCompat&#42;/ string, or proxy-based policies|
+|--- |--- |
+|**Not required.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.<li> No encryption is applied.<li> App can't access local Work files.|
+|**Allow.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li> App protects work data and leaves personal data unprotected.<li> App can access local Work files.|
+|**Exempt.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li> App protects work data and leaves personal data unprotected.<li> App can access local Work files.|
 
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 32511b9cd5..43da21cd72 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -155,40 +155,15 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
 
 5.  Pick the options you want to include for the app rule (see table), and then click **OK**.
 
-    <table>
-        <tr>
-            <th>Option</th>
-            <th>Manages</th>
-        </tr>
-        <tr>
-            <td>All fields left as "*"</td>
-            <td>All files signed by any publisher. (Not recommended.)</td>
-        </tr>
-        <tr>
-            <td><b>Publisher</b> selected</td>
-            <td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
-        </tr>
-        <tr>
-            <td><b>Publisher</b> and <b>Product Name</b> selected</td>
-            <td>All files for the specified product, signed by the named publisher.</td>
-        </tr>
-        <tr>
-            <td><b>Publisher</b>, <b>Product Name</b>, and <b>Binary name</b> selected</td>
-            <td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
-        </tr>
-        <tr>
-            <td><b>Publisher</b>, <b>Product Name</b>, <b>Binary name</b>, and <b>File Version, and above</b>, selected</td>
-            <td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
-        </tr>
-        <tr>
-            <td><b>Publisher</b>, <b>Product Name</b>, <b>Binary name</b>, and <b>File Version, And below</b> selected</td>
-            <td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
-        </tr>
-        <tr>
-            <td><b>Publisher</b>, <b>Product Name</b>, <b>Binary name</b>, and <b>File Version, Exactly</b> selected</td>
-            <td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
-        </tr>
-    </table>
+     |Option|Manages|
+     |--- |--- |
+     |All fields left as "*"|All files signed by any publisher. (Not recommended.)|
+     |**Publisher** selected|All files signed by the named publisher.This might be useful if your company is the publisher and signer of internal line-of-business apps.|
+     |**Publisher** and **Product Name** selected|All files for the specified product, signed by the named publisher.|
+     |**Publisher**, **Product Name**, and **Binary name** selected|Any version of the named file or package for the specified product, signed by the named publisher.|
+     |**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.This option is recommended for enlightened apps that weren't previously enlightened.|
+     |**Publisher**, **Product Name**, **Binary name**, and **File Version, And below** selected|Specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
+     |**Publisher**, **Product Name**, **Binary name**, and **File Version, Exactly** selected|Specified version of the named file or package for the specified product, signed by the named publisher.|
 
 If you're unsure about what to include for the publisher, you can run this PowerShell command:
 
@@ -374,47 +349,16 @@ There are no default locations included with WIP, you must add each of your netw
 
    ![Add or edit corporate network definition box, Add your enterprise network locations.](images/wip-configmgr-add-network-domain.png)
 
-   <table>
-       <tr>
-           <th>Network location type</th>
-           <th>Format</th>
-           <th>Description</th>
-       </tr>
-       <tr>
-           <td>Enterprise Cloud Resources</td>
-           <td><b>With proxy:</b> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><b>Without proxy:</b> contoso.sharepoint.com|contoso.visualstudio.com</td>
-           <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;|&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;|&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><b>Important</b><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
-       </tr>
-       <tr>
-           <td>Enterprise Network Domain Names (Required)</td>
-           <td>corp.contoso.com,region.contoso.com</td>
-           <td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the &quot;,&quot; delimiter.</td>
-       </tr>
-       <tr>
-           <td>Proxy servers</td>
-           <td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
-           <td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td>
-       </tr>
-       <tr>
-           <td>Internal proxy servers</td>
-           <td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
-           <td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td><br/>    </tr>
-       <tr>
-           <td>Enterprise IPv4 Range (Required)</td>
-           <td><b>Starting IPv4 Address:</b> 3.4.0.1<br><b>Ending IPv4 Address:</b> 3.4.255.254<br><b>Custom URI:</b> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
-           <td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the &quot;,&quot; delimiter.</td>
-       </tr>
-       <tr>
-           <td>Enterprise IPv6 Range</td>
-           <td><b>Starting IPv6 Address:</b> 2a01:110::<br><b>Ending IPv6 Address:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br><b>Custom URI:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
-           <td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the &quot;,&quot; delimiter.</td>
-       </tr>
-       <tr>
-           <td>Neutral Resources</td>
-           <td>sts.contoso.com,sts.contoso2.com</td>
-           <td>Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the &quot;,&quot; delimiter.</td>
-       </tr><br/></table>
-
+     |Network location type|Format|Description|
+     |--- |--- |--- |
+     |Enterprise Cloud Resources|<b>With proxy:</b> contoso.sharepoint.com,contoso.internalproxy1.com,<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><b>Without proxy:</b> contoso.sharepoint.com,contoso.visualstudio.com|Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;I&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;I&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code><p><b>Important</b><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.|
+     |Enterprise Network Domain Names (Required)|corp.contoso.com,region.contoso.com|Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the &quot;,&quot; delimiter.|
+     |Proxy servers|proxy.contoso.com:80;proxy2.contoso.com:443|Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.|
+     |Internal proxy servers|contoso.internalproxy1.com;contoso.internalproxy2.com|Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.|
+     |Enterprise IPv4 Range (Required)|<b>Starting IPv4 Address:</b> 3.4.0.1<br><b>Ending IPv4 Address:</b> 3.4.255.254<br><b>Custom URI:</b> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254|Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the &quot;,&quot; delimiter.|
+     |Enterprise IPv6 Range|<b>Starting IPv6 Address:</b> 2a01:110::<br><b>Ending IPv6 Address:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br><b>Custom URI:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff|Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the &quot;,&quot; delimiter.|
+     |Neutral Resources|sts.contoso.com,sts.contoso2.com|Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the &quot;,&quot; delimiter.|
+     
 3. Add as many locations as you need, and then click **OK**.
 
    The **Add or edit corporate network definition** box closes.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 0442c3778a..370455c093 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -164,40 +164,15 @@ If you don't know the Store app publisher or product name, you can find them by
 
 To add **Desktop apps**, complete the following fields, based on what results you want returned.
 
-<table>
-    <tr>
-        <th>Field</th>
-        <th>Manages</th>
-    </tr>
-    <tr>
-        <td>All fields marked as “*”</td>
-        <td>All files signed by any publisher. (Not recommended and may not work)</td>
-    </tr>
-    <tr>
-        <td>Publisher only</td>
-        <td>If you only fill out this field, you’ll get all files signed by the named publisher.<br><br>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
-    </tr>
-    <tr>
-        <td>Publisher and Name only</td>
-            <td>If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.</td>
-    </tr>
-    <tr>
-        <td>Publisher, Name, and File only</td>
-        <td>If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.</td>
-    </tr>
-    <tr>
-        <td>Publisher, Name, File, and Min version only</td>
-        <td>If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<br><br>This option is recommended for enlightened apps that weren't previously enlightened.</td>
-    </tr>
-    <tr>
-        <td>Publisher, Name, File, and Max version only</td>
-        <td>If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
-    </tr>
-    <tr>
-        <td>All fields completed</td>
-        <td>If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.</td>
-    </tr>
-</table>
+|Field|Manages|
+|--- |--- |
+|All fields marked as “*”|All files signed by any publisher. (Not recommended and may not work)|
+|Publisher only|If you only fill out this field, you’ll get all files signed by the named publisher.This might be useful if your company is the publisher and signer of internal line-of-business apps.|
+|Publisher and Name only|If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.|
+|Publisher, Name, and File only|If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.|
+|Publisher, Name, File, and Min version only|If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.This option is recommended for enlightened apps that weren't previously enlightened.|
+|Publisher, Name, File, and Max version only|If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
+|All fields completed|If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.|
 
 To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**.
 
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 929975aa97..15b0f9f1f8 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -24,138 +24,28 @@ ms.localizationpriority: medium
 
 This table provides info about the most common problems you might encounter while running WIP in your organization.
 
-<table>
-    <tr>
-        <th>Limitation</th>
-        <th>How it appears</th>
-        <th>Workaround</th>
-    </tr>
-    <tr>
-        <td>Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.</td>
-        <td><b>If you’re using Azure RMS:</b> Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.<br><br><b>If you’re not using Azure RMS:</b> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won&#39;t open or the file opens, but doesn&#39;t contain readable text.</td>
-        <td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<br><br>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
-    </tr>
-    <tr>
-        <td>Direct Access is incompatible with WIP.</td>
-        <td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.</td>
-        <td>We recommend that you use VPN for client access to your intranet resources.<br><br><b>Note</b><br>VPN is optional and isn’t required by WIP.</td>
-    </tr>
-    <tr>
-        <td><b>NetworkIsolation</b> Group Policy setting takes precedence over MDM Policy settings.</td>
-        <td>The <b>NetworkIsolation</b> Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.</td>
-        <td>If you use both Group Policy and MDM to configure your <b>NetworkIsolation</b> settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.</td>
-    </tr>
-    <tr>
-        <td>Cortana can potentially allow data leakage if it’s on the allowed apps list.</td>
-        <td>If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.</td>
-        <td>We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don&#39;t mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.</td>
-    </tr>
-    <tr>
-        <td>WIP is designed for use by a single user per device.</td>
-        <td>A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.</td>
-        <td>We recommend only having one user per managed device.</td>
-    </tr>
-    <tr>
-        <td>Installers copied from an enterprise network file share might not work properly.</td>
-        <td>An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.</td>
-        <td>To fix this, you can:
-            <ul>
-                <li>Start the installer directly from the file share.<br><br>-OR-<br><br></li>
-                <li>Decrypt the locally copied files needed by the installer.<br><br>-OR-<br><br></li>
-                <li>Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as <b>Authoritative</b> and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.</li>
-            </ul></td>
-    </tr>
-    <tr>
-        <td>Changing your primary Corporate Identity isn’t supported.</td>
-        <td>You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.</td>
-        <td>Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.</td>
-    </tr>
-    <tr>
-        <td>Redirected folders with Client-Side Caching are not compatible with WIP.</td>
-        <td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
-        <td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><b>Note</b><br>For more info about Work Folders and Offline Files, see the blog, <a href="https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/" data-raw-source="[Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)">Work Folders and Offline Files support for Windows Information Protection</a>. If you&#39;re having trouble opening files offline while using Offline Files and WIP, see the support article, <a href="https://support.microsoft.com/kb/3187045" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.</td>
-    </tr>
-    <tr>
-        <td>An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.</td>
-        <td><p>Data copied from the WIP-managed device is marked as <b>Work</b>.<p>Data copied to the WIP-managed device is not marked as <b>Work</b>.<p>Local <b>Work</b> data copied to the WIP-managed device remains <b>Work</b> data.<p><b>Work</b> data that is copied between two apps in the same session remains </b> data.</td>
-        <td>Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.</td>
-    </tr>
-    <tr>
-        <td>You can&#39;t upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
-        <td>A message appears stating that the content is marked as <b>Work</b> and the user isn&#39;t given an option to override to <b>Personal</b>.</td>
-        <td>Open File Explorer and change the file ownership to <b>Personal</b> before you upload.</td>
-    </tr>
-    <tr>
-        <td>ActiveX controls should be used with caution.</td>
-        <td>Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.</td>
-        <td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<br><br>For more info, see <a href="/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking" data-raw-source="[Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking)">Out-of-date ActiveX control blocking</a>.</td>
-    </tr>
-    <tr>
-         <td>Resilient File System (ReFS) isn&#39;t currently supported with WIP.</td>
-        <td>Trying to save or transfer WIP files to ReFS will fail.</td>
-        <td>Format drive for NTFS, or use a different drive.</td>
-    </tr>
-    <tr>
-        <td>WIP isn’t turned on if any of the following folders have the <b>MakeFolderAvailableOfflineDisabled</b> option set to <b>False</b>:
-            <ul>
-                <li>AppDataRoaming</li>
-                <li>Desktop</li>
-                <li>StartMenu</li>
-                <li>Documents</li>
-                <li>Pictures</li>
-                <li>Music</li>
-                <li>Videos</li>
-                <li>Favorites</li>
-                <li>Contacts</li>
-                <li>Downloads</li>
-                <li>Links</li>
-                <li>Searches</li>
-                <li>SavedGames</li>
-            </ul>
-        </td>
-        <td>WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.</td>
-        <td>Don’t set the <b>MakeFolderAvailableOfflineDisabled</b> option to <b>False</b> for any of the specified folders.  You can configure this parameter, as described <a href="/windows-server/storage/folder-redirection/disable-offline-files-on-folders" data-raw-source="[here](/windows-server/storage/folder-redirection/disable-offline-files-on-folders)">here</a>.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.
-        </td>
-    </tr>
-    <tr>
-        <td>Only enlightened apps can be managed without device enrollment
-        </td>
-        <td>If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.</td>
-        <td>If all apps need to be managed, enroll the device for MDM.
-        </td>
-    </tr>
-    <tr>
-        <td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can&#39;t access it.<br/>        </td>
-        <td>Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. 
-        </td>
-        <td>If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
-        </td>
-      </tr>
-    <tr>
-        <td>OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.</td>
-        <td>OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.</td>
-        <td>"OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
-1. Close the notebook in OneNote.
-2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.
-3. Copy the notebook folder and Paste it back into the OneDrive for Business folder.
-
-Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut.  Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.</td>    
-    </tr>
-    <tr>
-        <td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <b>Work</b> files, and are therefore not protected.
-        </td>
-        <td>If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected. 
-        </td>
-        <td>It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.
-        </td>
-    </tr>
-</table>
+|Limitation|How it appears|Workaround|
+|--- |--- |--- |
+|Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.|**If you’re using Azure RMS:** Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.**If you’re not using Azure RMS:** Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.|Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.We strongly recommend educating employees about how to limit or eliminate the need for this decryption.|
+|Direct Access is incompatible with WIP.|Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.|We recommend that you use VPN for client access to your intranet resources. <p>**Note** VPN is optional and isn’t required by WIP.|
+|**NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.|The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.|If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.|
+|Cortana can potentially allow data leakage if it’s on the allowed apps list.|If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.|We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.|
+|WIP is designed for use by a single user per device.|A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.|We recommend only having one user per managed device.|
+|Installers copied from an enterprise network file share might not work properly.|An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.|To fix this, you can:<li>Start the installer directly from the file share.<p>-OR-<li>Decrypt the locally copied files needed by the installer.<p>-OR-<li>Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.|
+|Changing your primary Corporate Identity isn’t supported.|You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.|Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.|
+|Redirected folders with Client-Side Caching are not compatible with WIP.|Apps might encounter access errors while attempting to read a cached, offline file.|Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<p>**Note** For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)". If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045).|
+|An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.|Data copied from the WIP-managed device is marked as **Work**.Data copied to the WIP-managed device is not marked as **Work**.Local **Work** data copied to the WIP-managed device remains **Work** data.**Work** data that is copied between two apps in the same session remains ** data.|Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.|
+|You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.|A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.|Open File Explorer and change the file ownership to **Personal** before you upload.|
+|ActiveX controls should be used with caution.|Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.|We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).|
+|Resilient File System (ReFS) isn't currently supported with WIP.|Trying to save or transfer WIP files to ReFS will fail.|Format drive for NTFS, or use a different drive.|
+|WIP isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:<li>AppDataRoaming<li>Desktop<li>StartMenu<li>Documents<li>Pictures<li>Music<li>Videos<li>Favorites<li>Contacts<li>Downloads<li>Links<li>Searches<li>SavedGames|WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.|Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders.  You can configure this parameter, as described [here](/windows-server/storage/folder-redirection/disable-offline-files-on-folders)".If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)".|
+|Only enlightened apps can be managed without device enrollment|If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.|If all apps need to be managed, enroll the device for MDM.|
+|By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it.|Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.|If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.|
+|OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.|OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.|"OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:<ol><li> Close the notebook in OneNote.<li>Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.<li>Copy the notebook folder and Paste it back into the OneDrive for Business folder.</ol><p>Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut.  Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.|
+|Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected.|If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.|It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.|
 
 > [!NOTE]
 > When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. 
 
-
-
-
 > [!NOTE]
 > Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index c2b7cb2188..0bc4cc6341 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -31,141 +31,20 @@ You can try any of the processes included in these scenarios, but you should foc
 >[!IMPORTANT]
 >If any of these scenarios does not work, first take note of whether WIP has been revoked. If it has, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
 
-<table>
-    <tr>
-        <th>Scenario</th>
-        <th>Processes</th>
-    </tr>
-    <tr>
-        <td>Encrypt and decrypt files using File Explorer.</td>
-        <td><b>For desktop:</b><br><br>
-            <ol>
-                <li>Open File Explorer, right-click a work document, and then click <b>Work</b> from the <b>File Ownership</b> menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking <b>Advanced</b> from the <b>General</b> tab, and then clicking <b>Details</b> from the <b>Compress or Encrypt attributes</b> area. The file should show up under the heading, <b>This enterprise domain can remove or revoke access:</b> <em>&lt;your_enterprise_identity&gt;</em>. For example, contoso.com.</li>
-                <li>In File Explorer, right-click the same document, and then click <b>Personal</b> from the <b>File Ownership</b> menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking <b>Advanced</b> from the <b>General</b> tab, and then verifying that the <b>Details</b> button is unavailable.</li>
-            </ol>
-            <b>For mobile:</b><br><br>
-            <ol>
-                <li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click <b>Select</b> to mark at least one file as work-related.</li>
-                <li>Click the elipsis (...) again, click <b>File ownership</b> from the drop down menu, and then click <b>Work</b>.<br>Make sure the file is encrypted, by locating the <b>Briefcase</b> icon next to the file name.</li>
-                <li>Select the same file, click <b>File ownership</b> from the drop down menu, and then click <b>Personal</b>.<br>Make sure the file is decrypted and that you&#39;re no longer seeing the <b>Briefcase</b> icon next to file name.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Create work documents in enterprise-allowed apps.</td>
-        <td><b>For desktop:</b><br><br>
-            <ul>
-                <li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><b>Important</b><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-configmgr.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
-            </ul>
-            <b>For mobile:</b><br><br>
-            <ol>
-                <li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as <b>Work</b> to a local, work-related location.<br>Make sure the document is encrypted, by locating the <b>Briefcase</b> icon next to the file name.</li>
-                <li>Open the same document and attempt to save it to a non-work-related location.<br>WIP should stop you from saving the file to this location.</li>
-                <li>Open the same document one last time, make a change to the contents, and then save it again using the <b>Personal</b> option.<br>Make sure the file is decrypted and that you&#39;re no longer seeing the <b>Briefcase</b> icon next to file name.</li>
-            </ol>
-        </td><br/>    </tr>
-    <tr>
-        <td>Block enterprise data from non-enterprise apps.</td>
-        <td>
-            <ol>
-                <li>Start an app that doesn&#39;t appear on your allowed apps list, and then try to open a work-encrypted file.<br>The app shouldn&#39;t be able to access the file.</li>
-                <li>Try double-clicking or tapping on the work-encrypted file.<br>If your default app association is an app not on your allowed apps list, you should get an <b>Access Denied</b> error message.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Copy and paste from enterprise apps to non-enterprise apps.</td>
-        <td>
-            <ol>
-                <li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn&#39;t appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <b>Change to personal</b> or <b>Keep at work</b>.</li>
-                <li>Click <b>Keep at work</b>.<br>The content isn&#39;t pasted into the non-enterprise app.</li>
-                <li>Repeat Step 1, but this time click <b>Change to personal</b>, and try to paste the content again.<br>The content is pasted into the non-enterprise app.</li>
-                <li>Try copying and pasting content between apps on your allowed apps list.<br>The content should copy and paste between apps without any warning messages.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Drag and drop from enterprise apps to non-enterprise apps.</td>
-        <td>
-            <ol>
-                <li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn&#39;t appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <b>Keep at work</b> or <b>Change to personal</b>.</li>
-                <li>Click <b>Keep at work</b>.<br>The content isn&#39;t dropped into the non-enterprise app.</li>
-                <li>Repeat Step 1, but this time click <b>Change to personal</b>, and try to drop the content again.<br>The content is dropped into the non-enterprise app.</li>
-                <li>Try dragging and dropping content between apps on your allowed apps list.<br>The content should move between the apps without any warning messages.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Share between enterprise apps and non-enterprise apps.</td>
-        <td>
-            <ol>
-                <li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn&#39;t appear on your allowed apps list, like Facebook.<br>You should see a WIP-related warning box, asking you to click either <b>Keep at work</b> or <b>Change to personal</b>.</li>
-                <li>Click <b>Keep at work</b>.<br>The content isn&#39;t shared into Facebook.</li>
-                <li>Repeat Step 1, but this time click <b>Change to personal</b>, and try to share the content again.<br>The content is shared into Facebook.</li>
-                <li>Try sharing content between apps on your allowed apps list.<br>The content should share between the apps without any warning messages.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Verify that Windows system components can use WIP.</td>
-        <td>
-            <ol>
-                <li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li>
-                <li>Open File Explorer and make sure your modified files are appearing with a <b>Lock</b> icon.</li>
-                <li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><b>Note</b><br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don&#39;t have access by default, but can be added to your allowed apps list.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Use WIP on NTFS, FAT, and exFAT systems.</td>
-        <td>
-            <ol>
-                <li>Start an app that uses the FAT or exFAT file system (for example a SD card or USB flash drive), and appears on your allowed apps list.</li>
-                <li>Create, edit, write, save, copy, and move files.<br>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Verify your shared files can use WIP.</td>
-        <td>
-            <ol>
-                <li>Download a file from a protected file share, making sure the file is encrypted by locating the <b>Briefcase</b> icon next to the file name.</li>
-                <li>Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.</li>
-                <li>Open an app that doesn&#39;t appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.<br>The app shouldn&#39;t be able to access the file share.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Verify your cloud resources can use WIP.</td>
-        <td>
-            <ol>
-                <li>Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.</li>
-                <li>Open SharePoint (or another cloud resource that&#39;s part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.<br>Both browsers should respect the enterprise and personal boundary.</li>
-                <li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn&#39;t be able to access the sites.<br><br><b>Note</b><br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as <b>Work</b>.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Verify your Virtual Private Network (VPN) can be auto-triggered.</td>
-        <td>
-            <ol>
-                <li>Set up your VPN network to start based on the <b>WIPModeID</b> setting.<br>For specific info about how to do this, see the <a href="create-vpn-and-wip-policy-using-intune-azure.md" data-raw-source="[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md)">Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune</a> topic.</li>
-                <li>Start an app from your allowed apps list.<br>The VPN network should automatically start.</li>
-                <li>Disconnect from your network and then start an app that isn&#39;t on your allowed apps list.<br>The VPN shouldn&#39;t start and the app shouldn&#39;t be able to access your enterprise network.</li>
-            </ol>
-        </td>
-    </tr>
-    <tr>
-        <td>Unenroll client devices from WIP.</td>
-        <td>
-            <ul>
-                <li>Unenroll a device from WIP by going to <b>Settings</b>, click <b>Accounts</b>, click <b>Work</b>, click the name of the device you want to unenroll, and then click <b>Remove</b>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br><b>Important</b><br>On desktop devices, the data isn&#39;t removed and can be recovered, so you must make sure the content is marked as <b>Revoked</b> and that access is denied for the employee. On mobile devices, the data is removed.</li>
-            </ul>
-        </td>
-    </tr>
-   
-    
-</table>
+|Scenario|Processes|
+|--- |--- |
+|Encrypt and decrypt files using File Explorer.|**For desktop:**<br><ol><li>Open File Explorer, right-click a work document, and then click **Work** from the **File Ownership** menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking **Advanced** from the **General** tab, and then clicking **Details** from the **Compress or Encrypt attributes** area. The file should show up under the heading, **This enterprise domain can remove or revoke access:** <em>&lt;your_enterprise_identity&gt;</em>. For example, contoso.com.<li>In File Explorer, right-click the same document, and then click **Personal** from the **File Ownership** menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking **Advanced** from the **General** tab, and then verifying that the **Details** button is unavailable.</ol>**For mobile:**<br><br><ol><li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click **Select** to mark at least one file as work-related.<li>Click the elipsis (...) again, click **File ownership** from the drop down menu, and then click **Work**.<br>Make sure the file is encrypted, by locating the **Briefcase** icon next to the file name.<li>Select the same file, click **File ownership** from the drop down menu, and then click **Personal**.<br>Make sure the file is decrypted and that you're no longer seeing the **Briefcase** icon next to file name.</ol>|
+|Create work documents in enterprise-allowed apps.|**For desktop:**<br><br><ul><li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br>**Important**<br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md), based on your deployment system.</ul>**For mobile:**<br><br><ol><li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as **Work** to a local, work-related location.<br>Make sure the document is encrypted, by locating the **Briefcase** icon next to the file name.<li>Open the same document and attempt to save it to a non-work-related location.<br>WIP should stop you from saving the file to this location.<li>Open the same document one last time, make a change to the contents, and then save it again using the **Personal** option.<br>Make sure the file is decrypted and that you're no longer seeing the **Briefcase** icon next to file name.</ol>|
+|Block enterprise data from non-enterprise apps.|<ol><li>Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.<br>The app shouldn't be able to access the file.<li>Try double-clicking or tapping on the work-encrypted file.<br>If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.</ol>|
+|Copy and paste from enterprise apps to non-enterprise apps.|<ol><li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either **Change to personal** or **Keep at work**.<li>Click **Keep at work**.<br>The content isn't pasted into the non-enterprise app.<li>Repeat Step 1, but this time click **Change to personal**, and try to paste the content again.<br>The content is pasted into the non-enterprise app.<li>Try copying and pasting content between apps on your allowed apps list.<br>The content should copy and paste between apps without any warning messages.</ol>|
+|Drag and drop from enterprise apps to non-enterprise apps.|<ol><li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either **Keep at work** or **Change to personal**.<li>Click **Keep at work**.<br>The content isn't dropped into the non-enterprise app.<li>Repeat Step 1, but this time click **Change to personal**, and try to drop the content again.<br>The content is dropped into the non-enterprise app.<li>Try dragging and dropping content between apps on your allowed apps list.<br>The content should move between the apps without any warning messages.</ol>|
+|Share between enterprise apps and non-enterprise apps.|<ol><li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.<br>You should see a WIP-related warning box, asking you to click either **Keep at work** or **Change to personal**.<li>Click **Keep at work**.<br>The content isn't shared into Facebook.<li>Repeat Step 1, but this time click **Change to personal**, and try to share the content again.<br>The content is shared into Facebook.<li>Try sharing content between apps on your allowed apps list.<br>The content should share between the apps without any warning messages.</ol>|
+|Verify that Windows system components can use WIP.|<ol><li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.<li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon.<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br>**Note**<br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</ol>|
+|Use WIP on NTFS, FAT, and exFAT systems.|<ol><li>Start an app that uses the FAT or exFAT file system (for example a SD card or USB flash drive), and appears on your allowed apps list.<li>Create, edit, write, save, copy, and move files.<br>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</ol>|
+|Verify your shared files can use WIP.|<ol><li>Download a file from a protected file share, making sure the file is encrypted by locating the **Briefcase** icon next to the file name.<li>Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.<li>Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.<br>The app shouldn't be able to access the file share.</ol>|
+|Verify your cloud resources can use WIP.|<ol><li>Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.<li>Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.<br>Both browsers should respect the enterprise and personal boundary.<li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn't be able to access the sites.<br><br>**Note**<br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as **Work**.</ol>|
+|Verify your Virtual Private Network (VPN) can be auto-triggered.|<ol><li>Set up your VPN network to start based on the **WIPModeID** setting.<br>For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md) topic.<li>Start an app from your allowed apps list.<br>The VPN network should automatically start.<li>Disconnect from your network and then start an app that isn't on your allowed apps list.<br>The VPN shouldn't start and the app shouldn't be able to access your enterprise network.</ol>|
+|Unenroll client devices from WIP.|<ul><li>Unenroll a device from WIP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br>**Important**<br>On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as **Revoked** and that access is denied for the employee. On mobile devices, the data is removed.|
 
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index fdd4c1c7d4..d75785dec2 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -308,58 +308,13 @@ The following table lists EMET features in relation to Windows 10 features.
 
 ### Table 5   EMET features in relation to Windows 10 features
 
-<table>
-<thead>
-<tr class="header">
-<th>Specific EMET features</th>
-<th>How these EMET features map<br />
-to Windows 10 features</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td><ul>
-<li><p>DEP</p></li>
-<li><p>SEHOP</p></li>
-<li><p>ASLR (Force ASLR, Bottom-up ASLR)</p></li>
-</ul></td>
-<td><p>DEP, SEHOP, and ASLR are included in Windows 10 as configurable features. See <a href="#table-2">Table 2</a>, earlier in this topic.</p>
-<p>You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.</p></td>
-</tr>
-<tr class="even">
-<td><ul>
-<li><p>Load Library Check (LoadLib)</p></li>
-<li><p>Memory Protection Check (MemProt)</p></li>
-</ul></td>
-<td>LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See <a href="#functions-that-software-vendors-can-use-to-build-mitigations-into-apps">Table 4</a>, earlier in this topic.</td>
-</tr>
-<tr class="odd">
-<td><ul>
-<li><p>Null Page</p></li>
-</ul></td>
-<td>Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in <a href="#kernel-pool-protections">Kernel pool protections</a>, earlier in this topic.</td>
-</tr>
-<tr class="even">
-<td><ul>
-<li><p>Heap Spray</p></li>
-<li><p>EAF</p></li>
-<li><p>EAF+</p></li>
-</ul></td>
-<td>Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.</td>
-</tr>
-<tr class="odd">
-<td><ul>
-<li><p>Caller Check</p></li>
-<li><p>Simulate Execution Flow</p></li>
-<li><p>Stack Pivot</p></li>
-<li><p>Deep Hooks (an ROP "Advanced Mitigation")</p></li>
-<li><p>Anti Detours (an ROP "Advanced Mitigation")</p></li>
-<li><p>Banned Functions (an ROP "Advanced Mitigation")</p></li>
-</ul></td>
-<td>Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in <a href="#control-flow-guard">Control Flow Guard</a>, earlier in this topic.</td>
-</tr>
-</tbody>
-</table>
+|Specific EMET features|How these EMET features map to Windows 10 features|
+|--- |--- |
+|<li>DEP<li>SEHOP<li>ASLR (Force ASLR, Bottom-up ASLR)|DEP, SEHOP, and ASLR are included in Windows 10 as configurable features. See [Table 2](#table-2), earlier in this topic.You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.|
+|<li>Load Library Check (LoadLib)<li>Memory Protection Check (MemProt)|LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See [Table 4](#functions-that-software-vendors-can-use-to-build-mitigations-into-apps), earlier in this topic.|
+|Null Page|Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in [Kernel pool protections](#kernel-pool-protections), earlier in this topic.|
+|<li>Heap Spray<li>EAF<li>EAF+|Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.|
+|<li>Caller Check<li>Simulate Execution Flow<li>Stack Pivot<li>Deep Hooks (an ROP "Advanced Mitigation")<li>Anti Detours (an ROP "Advanced Mitigation")<li>Banned Functions (an ROP "Advanced Mitigation")|Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in [Control Flow Guard](#control-flow-guard), earlier in this topic.|
 
 ### Converting an EMET XML settings file into Windows 10 mitigation policies
 
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 7794832d3e..da336ab0f6 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -336,49 +336,13 @@ For more information on device health attestation, see the [Detect an unhealthy
 
 The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview).
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Hardware</th>
-<th align="left">Motivation</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>UEFI 2.3.1 or later firmware with Secure Boot enabled</p></td>
-<td align="left"><p>Required to support UEFI Secure Boot.</p>
-<p>UEFI Secure Boot ensures that the device boots only authorized code.</p>
-<p>Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled</p></td>
-<td align="left"><p>Required to support virtualization-based security.</p>
-<div class="alert">
-<b>Note</b><br/><p>Device Guard can be enabled without using virtualization-based security.</p>
-</div>
-<div>
-
-</div></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>X64 processor</p></td>
-<td align="left"><p>Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).</p>
-<p>Direct Memory Access (DMA) protection can be enabled to provide additional memory protection but requires processors to include DMA protection technologies.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>IOMMU, such as Intel VT-d, AMD-Vi</p></td>
-<td align="left"><p>Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Trusted Platform Module (TPM) </p></td>
-<td align="left"><p>Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)</p></td>
-</tr>
-</tbody>
-</table>
+|Hardware|Motivation|
+|--- |--- |
+|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot.<p>UEFI Secure Boot ensures that the device boots only authorized code.<p>Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”|
+|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security.<div class="alert">**Note:** Device Guard can be enabled without using virtualization-based security.</div>|
+|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).<p>Direct Memory Access (DMA) protection can be enabled to provide additional memory protection but requires processors to include DMA protection technologies.|
+|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.|
+|Trusted Platform Module (TPM)|Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)|
 
 This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them.
 
@@ -591,36 +555,9 @@ For completeness of the measurements, see [Health Attestation CSP](/windows/clie
 
 The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device.
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">OS type</th>
-<th align="left">Key items that can be reported</th>
-</tr>
-</thead>
-<tbody>
-
-<tr class="even">
-<td align="left"><p>Windows 10 for desktop editions</p></td>
-<td align="left"><ul>
-<li><p>PCR0 measurement</p></li>
-<li><p>Secure Boot Enabled</p></li>
-<li><p>Secure Boot db matches Expected</p></li>
-<li><p>Secure Boot dbx is up to date</p></li>
-<li><p>Secure Boot policy GUID matches Expected</p></li>
-<li><p>BitLocker enabled</p></li>
-<li><p>Virtualization-based security enabled</p></li>
-<li><p>ELAM was loaded</p></li>
-<li><p>Code Integrity version is up to date</p></li>
-<li><p>Code Integrity policy hash matches Expected</p></li>
-</ul></td>
-</tr>
-</tbody>
-</table>
+|OS type|Key items that can be reported|
+|--- |--- |
+|Windows 10 for desktop editions|<li>PCR0 measurement<li>Secure Boot Enabled<li>Secure Boot db matches Expected<li>Secure Boot dbx is up to date<li>Secure Boot policy GUID matches Expected<li>BitLocker enabled<li>Virtualization-based security enabled<li>ELAM was loaded<li>Code Integrity version is up to date<li>Code Integrity policy hash matches Expected|
 
 ### Leverage MDM and the Health Attestation Service
 

From eaf7c0b71e578f1818b01788ebab144bc09e3892 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Thu, 2 Dec 2021 17:46:37 +0530
Subject: [PATCH 11/73] Fixing suggestions

---
 .../identity-protection/access-control/local-accounts.md    | 6 +++---
 .../create-wip-policy-using-configmgr.md                    | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index b2a5460671..b95ead31fa 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -141,11 +141,11 @@ For details about the HelpAssistant account attributes, see the following table.
 
 |Attribute|Value|
 |--- |--- |
-|Well-Known SID/RID|S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon)|
+|Well-Known SID/RID|S-1-5-&lt;domain&gt;-13 (Terminal Server User), S-1-5-&lt;domain&gt;-14 (Remote Interactive Logon)|
 |Type|User|
-|Default container|CN=Users, DC=<domain>, DC=|
+|Default container|CN=Users, DC=&lt;domain&gt;, DC=|
 |Default members|None|
-|Default member of|Domain Guests<p>Guests|
+|Default member of|Domain Guests&lt;p&gt;Guests|
 |Protected by ADMINSDHOLDER?|No|
 |Safe to move out of default container?|Can be moved out, but we do not recommend it.|
 |Safe to delegate management of this group to non-Service admins?|No|
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 43da21cd72..0022b16eb4 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -351,7 +351,7 @@ There are no default locations included with WIP, you must add each of your netw
 
      |Network location type|Format|Description|
      |--- |--- |--- |
-     |Enterprise Cloud Resources|<b>With proxy:</b> contoso.sharepoint.com,contoso.internalproxy1.com,<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><b>Without proxy:</b> contoso.sharepoint.com,contoso.visualstudio.com|Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;I&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;I&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code><p><b>Important</b><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.|
+     |Enterprise Cloud Resources|<b>With proxy:</b> contoso.sharepoint.com,contoso.internalproxy1.com,<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><b>Without proxy:</b> contoso.sharepoint.com,contoso.visualstudio.com|Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;I&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;I&quot;. For example: <code> URL &lt;,proxy&gt;, URL &lt;,proxy&gt;</code><p><b>Important</b><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;,URL &lt;,proxy&gt;,/&#42;AppCompat&#42;/</code>.|
      |Enterprise Network Domain Names (Required)|corp.contoso.com,region.contoso.com|Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the &quot;,&quot; delimiter.|
      |Proxy servers|proxy.contoso.com:80;proxy2.contoso.com:443|Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.|
      |Internal proxy servers|contoso.internalproxy1.com;contoso.internalproxy2.com|Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.|

From 6cdb6455eb09b8e107afbf7013487ec30fa3e85e Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Thu, 2 Dec 2021 18:55:53 +0530
Subject: [PATCH 12/73] Html to md table conversion- batch 27

---
 ...defender-smartscreen-available-settings.md | 213 +++---------------
 ...iately-if-unable-to-log-security-audits.md |  15 +-
 .../windows-10-mobile-security-guide.md       |  66 ++----
 .../create-a-rule-for-packaged-apps.md        |  83 ++-----
 ...ine-your-application-control-objectives.md | 150 ++----------
 ...tructure-and-applocker-rule-enforcement.md | 100 +-------
 .../document-your-application-list.md         |  76 +------
 .../document-your-applocker-rules.md          |  87 +------
 .../plan-for-applocker-policy-management.md   | 192 ++--------------
 ...ements-for-deploying-applocker-policies.md | 185 ++-------------
 ...stand-applocker-policy-design-decisions.md |  54 +----
 ...ng-the-path-rule-condition-in-applocker.md |  27 +--
 ...e-publisher-rule-condition-in-applocker.md |  29 +--
 ...restriction-policies-in-the-same-domain.md | 153 ++-----------
 .../applocker/what-is-applocker.md            | 156 ++-----------
 15 files changed, 203 insertions(+), 1383 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 14c78b9fa8..db2db95ffd 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -26,193 +26,54 @@ See [Windows 10 (and Windows 11) settings to protect devices using Intune](/intu
 
 ## Group Policy settings
 SmartScreen uses registry-based Administrative Template policy settings.
-<table>
-<tr>
-<th align="left">Setting</th>
-<th align="left">Supported on</th>
-<th align="left">Description</th>
-</tr>
-<tr>
-<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p>
-<td><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p><b>Windows 10, Version 1607 and earlier:</b><br>Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen<br><br>
-<b>At least Windows Server 2012, Windows 8 or Windows RT</b></td>
-<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
-</tr>
-<tr>
-<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
-<td><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
-<td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.</br></br> This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.</p><p><b>Important:</b> Using a trustworthy browser helps ensure that these protections work as expected.</p></td>
-</tr>
-<tr>
-<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p><b>Windows 10, Version 1607 and earlier:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
-<td>Microsoft Edge on Windows 10 or Windows 11</td>
-<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
-</tr>
-<tr>
-<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p><b>Windows 10, Version 1511 and 1607:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files</td>
-<td>Microsoft Edge on Windows 10, version 1511 or later</td>
-<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<p>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.</td>
-</tr>
-<tr>
-<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p><b>Windows 10, Version 1511 and 1607:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites</td>
-<td>Microsoft Edge on Windows 10, version 1511 or later</td>
-<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<p>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.</td>
-</tr>
-<tr>
-<td>Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter</td>
-<td>Internet Explorer 9 or later</td>
-<td>This policy setting prevents the employee from managing Microsoft Defender SmartScreen.<p>If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.<p>If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.</td>
-</tr>
-<tr>
-<td>Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings</td>
-<td>Internet Explorer 8 or later</td>
-<td>This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.</td>
-</tr>
-<tr>
-<td>Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet</td>
-<td>Internet Explorer 9 or later</td>
-<td>This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.</td>
-</tr>
-</table>
+
+Setting|Supported on|Description|
+|--- |--- |--- |
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p>**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen<p>**At least Windows Server 2012, Windows 8 or Windows RT**|This policy setting turns on Microsoft Defender SmartScreen. <p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.|
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.<p>**Important:**  Using a trustworthy browser helps ensure that these protections work as expected.|
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p>**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen|Microsoft Edge on Windows 10 or Windows 11|This policy setting turns on Microsoft Defender SmartScreen. <p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.|
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p>**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<p>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.|
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p>**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<p>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.|
+|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.<p>If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.|
+|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings|Internet Explorer 8 or later|This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.|
+|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.|
+
 
 ## MDM settings
 If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support  desktop computers running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune.  <br><br> 
 For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser).
-<table>
-<tr>
-<th align="left">Setting</th>
-<th align="left">Supported versions</th>
-<th align="left">Details</th>
-</tr>
-<tr>
-<td>AllowSmartScreen</td>
-<td>Windows 10</td>
-<td>
-<ul>
-<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen</li>
-<li><b>Data type.</b> Integer</li>
-<li><b>Allowed values:</b><ul>
-<li><b>0 .</b> Turns off Microsoft Defender SmartScreen in Edge.</li>
-<li><b>1.</b> Turns on Microsoft Defender SmartScreen in Edge.</li></ul></li></ul>
-</td>
-</tr>
-<tr>
-<td>EnableAppInstallControl</td>
-<td>Windows 10, version 1703</td>
-<td>
-<ul>
-<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl</li>
-<li><b>Data type.</b> Integer</li>
-<li><b>Allowed values:</b><ul>
-<li><b>0 .</b> Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.</li>
-<li><b>1.</b> Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.</li></ul></li></ul>
-</td>
-</tr>
-<tr>
-<td>EnableSmartScreenInShell</td>
-<td>Windows 10, version 1703</td>
-<td>
-<ul>
-<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell</li>
-<li><b>Data type.</b> Integer</li>
-<li><b>Allowed values:</b><ul>
-<li><b>0 .</b> Turns off Microsoft Defender SmartScreen in Windows for app and file execution.</li>
-<li><b>1.</b> Turns on Microsoft Defender SmartScreen in Windows for app and file execution.</li></ul></li></ul>
-</td>
-</tr>
-<tr>
-<td>PreventOverrideForFilesInShell</td>
-<td>Windows 10, version 1703</td>
-<td>
-<ul>
-<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell</li>
-<li><b>Data type.</b> Integer</li>
-<li><b>Allowed values:</b><ul>
-<li><b>0 .</b> Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.</li>
-<li><b>1.</b> Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.</li></ul></li></ul>
-</td>
-</tr>
-<tr>
-<td>PreventSmartScreenPromptOverride</td>
-<td>Windows 10, Version 1511 and Windows 11</td>
-<td>
-<ul>
-<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride</li>
-<li><b>Data type.</b> Integer</li>
-<li><b>Allowed values:</b><ul>
-<li><b>0 .</b> Employees can ignore Microsoft Defender SmartScreen warnings.</li>
-<li><b>1.</b> Employees can't ignore Microsoft Defender SmartScreen warnings.</li></ul></li></ul>
-</td>
-</tr>
-<tr>
-<td>PreventSmartScreenPromptOverrideForFiles</td>
-<td>Windows 10, Version 1511 and Windows 11</td>
-<td>
-<ul>
-<li><b>URI full path.</b> ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles</li>
-<li><b>Data type.</b> Integer</li>
-<li><b>Allowed values:</b><ul>
-<li><b>0 .</b> Employees can ignore Microsoft Defender SmartScreen warnings for files.</li>
-<li><b>1.</b> Employees can't ignore Microsoft Defender SmartScreen warnings for files.</li></ul></li></ul>
-</td>
-</tr>
-</table>
+
+|Setting|Supported versions|Details|
+|--- |--- |--- |
+|AllowSmartScreen|Windows 10|<li>**URI full path.**  ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen<li>**Data type.**  Integer**Allowed values:**<ul><li>**0 .**  Turns off Microsoft Defender SmartScreen in Edge.<li>**1.**  Turns on Microsoft Defender SmartScreen in Edge.|
+|EnableAppInstallControl|Windows 10, version 1703|<li>**URI full path.**  ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl<li>**Data type.**  Integer**Allowed values:**<ul><li>**0 .**  Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.<li>**1.**  Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.|
+|EnableSmartScreenInShell|Windows 10, version 1703|<li>**URI full path.**  ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell<li>**Data type.**  Integer**Allowed values:**<ul><li>**0 .**  Turns off Microsoft Defender SmartScreen in Windows for app and file execution.<li>**1.**  Turns on Microsoft Defender SmartScreen in Windows for app and file execution.|
+|PreventOverrideForFilesInShell|Windows 10, version 1703|<li>**URI full path.**  ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell<li>**Data type.**  Integer**Allowed values:**<ul><li>**0 .**  Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.<li>**1.**  Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.|
+|PreventSmartScreenPromptOverride|Windows 10, Version 1511 and Windows 11|<li>**URI full path.**  ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride<li>**Data type.**  Integer**Allowed values:**<ul><li>**0 .**  Employees can ignore Microsoft Defender SmartScreen warnings.<li>**1.**  Employees can't ignore Microsoft Defender SmartScreen warnings.|
+|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 and Windows 11|<li>**URI full path.**  ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles<li>**Data type.**  Integer**Allowed values:**<ul><li>**0 .**  Employees can ignore Microsoft Defender SmartScreen warnings for files.<li>**1.**  Employees can't ignore Microsoft Defender SmartScreen warnings for files.|
 
 ## Recommended Group Policy and MDM settings for your organization
 By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
 
 To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
-<table>
-<tr>
-<th align="left">Group Policy setting</th>
-<th align="left">Recommendation</th>
-</tr>
-<tr>
-<td>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)</td>
-<td><b>Enable.</b> Turns on Microsoft Defender SmartScreen.</td>
-</tr>
-<tr>
-<td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)</td>
-<td><b>Enable.</b> Stops employees from ignoring warning messages and continuing to a potentially malicious website.</td>
-</tr>
-<tr>
-<td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<p>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later) </td>
-<td><b>Enable.</b> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
-</tr>
-<tr>
-<td>Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen</td>
-<td><b>Enable with the Warn and prevent bypass option.</b> Stops employees from ignoring warning messages about malicious files downloaded from the Internet.</td>
-</tr>
-</table>
-<p>
-<table>
-<tr>
-<th align="left">MDM setting</th>
-<th align="left">Recommendation</th>
-</tr>
-<tr>
-<td>Browser/AllowSmartScreen</td>
-<td><b>1.</b> Turns on Microsoft Defender SmartScreen.</td>
-</tr>
-<tr>
-<td>Browser/PreventSmartScreenPromptOverride</td>
-<td><b>1.</b> Stops employees from ignoring warning messages and continuing to a potentially malicious website.</td>
-</tr>
-<tr>
-<td>Browser/PreventSmartScreenPromptOverrideForFiles</td>
-<td><b>1.</b> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
-</tr>
-<tr>
-<td>SmartScreen/EnableSmartScreenInShell</td>
-<td><b>1.</b> Turns on Microsoft Defender SmartScreen in Windows.<p>Requires at least Windows 10, version 1703.</td>
-</tr>
-<tr>
-<td>SmartScreen/PreventOverrideForFilesInShell</td>
-<td><b>1.</b> Stops employees from ignoring warning messages about malicious files downloaded from the Internet.<p>Requires at least Windows 10, version 1703.</td>
-</tr>
-</table> 
+
+|Group Policy setting|Recommendation|
+|--- |--- |
+|Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<p>dministrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)|**Enable.**  Turns on Microsoft Defender SmartScreen.|
+|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<p>dministrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)|**Enable.**  Stops employees from ignoring warning messages and continuing to a potentially malicious website.|
+|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<p>dministrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)|**Enable.**  Stops employees from ignoring warning messages and continuing to download potentially malicious files.|
+|Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen|**Enable with the Warn and prevent bypass option.**  Stops employees from ignoring warning messages about malicious files downloaded from the Internet.|
+
+|MDM setting|Recommendation|
+|--- |--- |
+|Browser/AllowSmartScreen|**1.**  Turns on Microsoft Defender SmartScreen.|
+|Browser/PreventSmartScreenPromptOverride|**1.**  Stops employees from ignoring warning messages and continuing to a potentially malicious website.|
+|Browser/PreventSmartScreenPromptOverrideForFiles|**1.**  Stops employees from ignoring warning messages and continuing to download potentially malicious files.|
+|SmartScreen/EnableSmartScreenInShell|**1.**  Turns on Microsoft Defender SmartScreen in Windows.<p>Requires at least Windows 10, version 1703.|
+|SmartScreen/PreventOverrideForFilesInShell|**1.**  Stops employees from ignoring warning messages about malicious files downloaded from the Internet.<p>Requires at least Windows 10, version 1703.|
 
 ## Related topics
+
 - [Threat protection](../index.md)
 
 - [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index dc462f0224..7cc7a09a81 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -30,18 +30,9 @@ Describes the best practices, location, values, management practices, and securi
 The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it is unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message in the case of a failure of the auditing system. Enabling this policy setting stops the system if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**.
 
 With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry cannot be overwritten, the following Stop message appears:
-<table>
-<colgroup>
-<col width="100%" />
-</colgroup>
-<tbody>
-<tr class="odd">
-<td align="left"><p>STOP: C0000244 {Audit Failed}</p>
-<p>An attempt to generate a security audit failed.</p></td>
-</tr>
-</tbody>
-</table>
- 
+
+**STOP: C0000244 {Audit Failed}**: An attempt to generate a security audit failed.
+
 To recover, you must log on, archive the log (optional), clear the log, and reset this option as desired.
 
 If the computer is unable to record events to the security log, critical evidence or important troubleshooting information might not be available for review after a security incident.
diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md
index 264a762b9c..8f680ea6ff 100644
--- a/windows/security/threat-protection/windows-10-mobile-security-guide.md
+++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md
@@ -156,59 +156,21 @@ Windows 10 Mobile supports both [FIPS 140 standards](http://csrc.nist.gov/groups
 The best way to fight malware is prevention. Windows 10 Mobile provides strong malware resistance through secured hardware, startup process defenses, core operating system architecture, and application-level protections.
 The table below outlines how Windows 10 Mobile mitigates specific malware threats.
 
-<table>
-<colgroup>
-<col width="40%" />
-<col width="60%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Threat</th>
-<th align="left">Windows 10 Mobile mitigation</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Firmware bootkits replace the firmware with malware.</p></td>
-<td align="left"><p>All certified devices include Unified Extensible Firmware (UEFI) with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Bootkits start malware before Windows starts.</p></td>
-<td align="left"><p>UEFI with Secure Boot verifies Windows bootloader integrity to help ensure that no malicious operating system can start before Windows.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>System or driver rootkits (typically malicious software that hides from the operating system) start kernel- level malware while Windows is starting, before antimalware solutions can start.</p></td>
-<td align="left"><p>Windows Trusted Boot verifies Windows boot components, including Microsoft drivers. Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure that Trusted Boot and other boot components successfully checked the system.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>An app infects other apps or the operating system with malware.</p></td>
-<td align="left"><p>All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>An unauthorized app or malware attempts to start on the device.</p></td>
-<td align="left"><p>All Windows 10 Mobile apps must come from Microsoft Store or Microsoft Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>User-level malware exploits a vulnerability in the system or an application and owns the device.</p></td>
-<td align="left"><p>Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.</p>
-<p>Protected Processes isolates non-trusted processes from each other and from sensitive operating system components.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Users access a dangerous website without knowledge of the risk.</p></td>
-<td align="left"><p>The Windows Defender SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Malware exploits a vulnerability in a browser add-on.</p></td>
-<td align="left"><p>Microsoft Edge is an app built on the Universal Windows Platform (UWP) that does not run legacy binary extensions, including Microsoft ActiveX and browser helper objects frequently used for toolbars, which eliminates these risks.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.</p></td>
-<td align="left"><p>Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that at attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.</p></td>
-</tr>
-</tbody>
-</table>
+|Threat|Windows 10 Mobile mitigation|
+|--- |--- |
+|Firmware bootkits replace the firmware with malware.|All certified devices include Unified Extensible Firmware (UEFI) with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.|
+|Bootkits start malware before Windows starts.|UEFI with Secure Boot verifies Windows bootloader integrity to help ensure that no malicious operating system can start before Windows.|
+|System or driver rootkits (typically malicious software that hides from the operating system) start kernel- level malware while Windows is starting, before antimalware solutions can start.|Windows Trusted Boot verifies Windows boot components, including Microsoft drivers. Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure that Trusted Boot and other boot components successfully checked the system.|
+|An app infects other apps or the operating system with malware.|All Windows 10 Mobile apps run inside an AppContainer that isolates them from all other processes and sensitive operating system components. Apps cannot access any resources outside their AppContainer.|
+|An unauthorized app or malware attempts to start on the device.|All Windows 10 Mobile apps must come from Microsoft Store or Microsoft Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.|
+|User-level malware exploits a vulnerability in the system or an application and owns the device.|Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.<p>Protected Processes isolates non-trusted processes from each other and from sensitive operating system components.|
+|Users access a dangerous website without knowledge of the risk.|The Windows Defender SmartScreen URL Reputation feature prevents users from going to a malicious website that may try to exploit the browser and take control of the device.|
+|Malware exploits a vulnerability in a browser add-on.|Microsoft Edge is an app built on the Universal Windows Platform (UWP) that does not run legacy binary extensions, including Microsoft ActiveX and browser helper objects frequently used for toolbars, which eliminates these risks.|
+|A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.|Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that at attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.|
 
->**Note:** The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs]( http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed.
+
+>[!NOTE]
+> The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs]( http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed.
 
 ### <a href="" id="companion-devices"></a>UEFI with Secure Boot
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index f983e81eba..9c9dc7f558 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -50,76 +50,21 @@ You can perform this task by using the Group Policy Management Console for an Ap
 3.  On the **Before You Begin** page, select **Next**.
 4.  On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
 5.  On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options.
-    <table>
-    <colgroup>
-    <col width="33%" />
-    <col width="33%" />
-    <col width="33%" />
-    </colgroup>
-    <thead>
-    <tr class="header">
-    <th align="left">Selection</th>
-    <th align="left">Description</th>
-    <th align="left">Example</th>
-    </tr>
-    </thead>
-    <tbody>
-    <tr class="odd">
-    <td align="left"><p><b>Use an installed packaged app as a reference</b></p></td>
-    <td align="left"><p>If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.</p></td>
-    <td align="left"><p>You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.</p></td>
-    </tr>
-    <tr class="even">
-    <td align="left"><p><b>Use a packaged app installer as a reference</b></p></td>
-    <td align="left"><p>If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.</p></td>
-    <td align="left"><p>Your company has developed many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.</p></td>
-    </tr>
-    </tbody>
-    </table>
-     
+
+    |Selection|Description|Example|
+    |--- |--- |--- |
+    |**Use an installed packaged app as a reference**|If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.|You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.|
+    |**Use a packaged app installer as a reference**|If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.|Your company has developed many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.|
+
     The following table describes setting the scope for the packaged app rule.
-    <table>
-    <colgroup>
-    <col width="33%" />
-    <col width="33%" />
-    <col width="33%" />
-    </colgroup>
-    <thead>
-    <tr class="header">
-    <th align="left">Selection</th>
-    <th align="left">Description</th>
-    <th align="left">Example</th>
-    </tr>
-    </thead>
-    <tbody>
-    <tr class="odd">
-    <td align="left"><p>Applies to <b>Any publisher</b></p></td>
-    <td align="left"><p>This is the least restrictive scope condition for an <b>Allow</b> rule. It permits every packaged app to run or install.</p>
-    <p>Conversely, if this is a <b>Deny</b> rule, then this option is the most restrictive because it denies all apps from installing or running.</p></td>
-    <td align="left"><p>You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.</p></td>
-    </tr>
-    <tr class="even">
-    <td align="left"><p>Applies to a specific <b>Publisher</b></p></td>
-    <td align="left"><p>This scopes the rule to all apps published by a particular publisher.</p></td>
-    <td align="left"><p>You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.</p></td>
-    </tr>
-    <tr class="odd">
-    <td align="left"><p>Applies to a <b>Package name</b></p></td>
-    <td align="left"><p>This scopes the rule to all packages that share the publisher name and package name as the reference file.</p></td>
-    <td align="left"><p>You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.</p></td>
-    </tr>
-    <tr class="even">
-    <td align="left"><p>Applies to a <b>Package version</b></p></td>
-    <td align="left"><p>This scopes the rule to a particular version of the package.</p></td>
-    <td align="left"><p>You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.</p></td>
-    </tr>
-    <tr class="odd">
-    <td align="left"><p>Applying custom values to the rule</p></td>
-    <td align="left"><p>Selecting the <b>Use custom values</b> check box allows you to adjust the scope fields for your particular circumstance.</p></td>
-    <td align="left"><p>You want to allow users to install all Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the <b>Use custom values</b> check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.</p></td>
-    </tr>
-    </tbody>
-    </table>
+
+    |Selection|Description|Example|
+    |--- |--- |--- |
+    |Applies to **Any publisher**|This is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install. <p>Conversely, if this is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running.|You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.|
+    |Applies to a specific **Publisher**|This scopes the rule to all apps published by a particular publisher.|You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.|
+    |Applies to a **Package name**|This scopes the rule to all packages that share the publisher name and package name as the reference file.|You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.|
+    |Applies to a **Package version**|This scopes the rule to a particular version of the package.|You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.|
+    |Applying custom values to the rule|Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance.|You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.|
      
 6.  Select **Next**.
 7.  (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
index e4bdbbc2b7..594f737b63 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -37,137 +37,23 @@ There are management and maintenance costs associated with a list of allowed app
 
 Use the following table to develop your own objectives and determine which application control feature best addresses those objectives.
 
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Application control function</th>
-<th align="left">SRP</th>
-<th align="left">AppLocker</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Scope</p></td>
-<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
-<td align="left"><p>AppLocker policies apply only to the support versions of Windows listed in <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Policy creation</p></td>
-<td align="left"><p>SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.</p></td>
-<td align="left"><p>AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.</p>
-<p>AppLocker permits customization of error messages to direct users to a Web page for help.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Policy maintenance</p></td>
-<td align="left"><p>SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).</p></td>
-<td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Policy application</p></td>
-<td align="left"><p>SRP policies are distributed through Group Policy.</p></td>
-<td align="left"><p>AppLocker policies are distributed through Group Policy.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Enforcement mode</p></td>
-<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.</p>
-<p>SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
-<td align="left"><p>By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>File types that can be controlled</p></td>
-<td align="left"><p>SRP can control the following file types:</p>
-<ul>
-<li><p>Executables</p></li>
-<li><p>DLLs</p></li>
-<li><p>Scripts</p></li>
-<li><p>Windows Installers</p></li>
-</ul>
-<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.</p></td>
-<td align="left"><p>AppLocker can control the following file types:</p>
-<ul>
-<li><p>Executables</p></li>
-<li><p>DLLs</p></li>
-<li><p>Scripts</p></li>
-<li><p>Windows Installers</p></li>
-<li><p>Packaged apps and installers</p></li>
-</ul>
-<p>AppLocker maintains a separate rule collection for each of the five file types.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Designated file types</p></td>
-<td align="left"><p>SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.</p></td>
-<td align="left"><p>AppLocker doesn't support this. AppLocker currently supports the following file extensions:</p>
-<ul>
-<li><p>Executables (.exe, .com)</p></li>
-<li><p>DLLs (.ocx, .dll)</p></li>
-<li><p>Scripts (.vbs, .js, .ps1, .cmd, .bat)</p></li>
-<li><p>Windows Installers (.msi, .mst, .msp)</p></li>
-<li><p>Packaged app installers (.appx)</p></li>
-</ul></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Rule types</p></td>
-<td align="left"><p>SRP supports four types of rules:</p>
-<ul>
-<li><p>Hash</p></li>
-<li><p>Path</p></li>
-<li><p>Signature</p></li>
-<li><p>Internet zone</p></li>
-</ul></td>
-<td align="left"><p>AppLocker supports three types of rules:</p>
-<ul>
-<li><p>Hash</p></li>
-<li><p>Path</p></li>
-<li><p>Publisher</p></li>
-</ul></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Editing the hash value</p></td>
-<td align="left"><p>SRP allows you to select a file to hash.</p></td>
-<td align="left"><p>AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Support for different security levels</p></td>
-<td align="left"><p>With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.</p>
-<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).</p></td>
-<td align="left"><p>AppLocker does not support security levels.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Manage Packaged apps and Packaged app installers.</p></td>
-<td align="left"><p>Unable</p></td>
-<td align="left"><p>.appx is a valid file type which AppLocker can manage.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Targeting a rule to a user or a group of users</p></td>
-<td align="left"><p>SRP rules apply to all users on a particular computer.</p></td>
-<td align="left"><p>AppLocker rules can be targeted to a specific user or a group of users.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Support for rule exceptions</p></td>
-<td align="left"><p>SRP does not support rule exceptions</p></td>
-<td align="left"><p>AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Support for audit mode</p></td>
-<td align="left"><p>SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td>
-<td align="left"><p>AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Support for exporting and importing policies</p></td>
-<td align="left"><p>SRP does not support policy import/export.</p></td>
-<td align="left"><p>AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Rule enforcement</p></td>
-<td align="left"><p>Internally, SRP rules enforcement happens in user-mode, which is less secure.</p></td>
-<td align="left"><p>Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.</p></td>
-</tr>
-</tbody>
-</table>
+|Application control function|SRP|AppLocker|
+|--- |--- |--- |
+|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to the support versions of Windows listed in[Requirements to use AppLocker](requirements-to-use-applocker.md).|
+|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<p>AppLocker permits customization of error messages to direct users to a Web page for help.|
+|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
+|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
+|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.<p>SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.|
+|File types that can be controlled|SRP can control the following file types:<li>Executables<li>DLLs<li>Scripts<li>Windows Installers<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>DLLs<li>Scripts<li>Windows Installers<li>Packaged apps and installers<p>AppLocker maintains a separate rule collection for each of the five file types.|
+|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this. AppLocker currently supports the following file extensions:<li>Executables (.exe, .com)<li>DLLs (.ocx, .dll)<li>Scripts (.vbs, .js, .ps1, .cmd, .bat)<li>Windows Installers (.msi, .mst, .msp)<li>Packaged app installers (.appx)|
+|Rule types|SRP supports four types of rules:<li>Hash<li>Path<li>Signature<p>Internet zone|AppLocker supports three types of rules:<li>Hash<li>Path<li>Publisher|
+|Editing the hash value|SRP allows you to select a file to hash.|AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.|
+|Support for different security levels|With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.|
+|Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.|
+|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
+|Support for rule exceptions|SRP does not support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.|
+|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.|
+|Support for exporting and importing policies|SRP does not support policy import/export.|AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.|
+|Rule enforcement|Internally, SRP rules enforcement happens in user-mode, which is less secure.|Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.|
  
 For more general info, see <a href="applocker-overview.md" data-raw-source="[AppLocker](applocker-overview.md)">AppLocker</a>.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 252fb96ede..f21a48c714 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -43,96 +43,16 @@ To complete this AppLocker planning document, you should first complete the foll
 After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column.
 
 The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies.
-<table>
-<colgroup>
-<col width="12%" />
-<col width="12%" />
-<col width="12%" />
-<col width="12%" />
-<col width="12%" />
-<col width="12%" />
-<col width="12%" />
-<col width="12%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Business group</th>
-<th align="left">Organizational unit</th>
-<th align="left">Implement AppLocker?</th>
-<th align="left">Apps</th>
-<th align="left">Installation path</th>
-<th align="left">Use default rule or define new rule condition</th>
-<th align="left">Allow or deny</th>
-<th align="left">GPO name</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Teller-East and Teller-West</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Teller Software</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p></td>
-<td align="left"><p>C:\Windows</p></td>
-<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Human Resources</p></td>
-<td align="left"><p>HR-All</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Check Payout</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p>HR-AppLockerHRRules</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Time Sheet Organizer</p>
-<p></p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p>
-<p></p></td>
-<td align="left"><p>File is not signed; create a file hash condition</p>
-<p></p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Internet Explorer 7</p></td>
-<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p>Deny</p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p></td>
-<td align="left"><p>C:\Windows</p></td>
-<td align="left"><p>Use a default rule for the Windows path</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p></p></td>
-</tr>
-</tbody>
-</table>
- 
+
+|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|
+|--- |--- |--- |--- |--- |--- |--- |--- |
+|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers-AppLockerTellerRules|
+||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||
+|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|
+||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||
+||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|File is signed; create a publisher condition|Deny||
+||||Windows files|C:\Windows|Use a default rule for the Windows path|Allow||
+
 ## Next steps
 
 After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
index 33ffa59ce9..5f360731db 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
@@ -42,70 +42,18 @@ Record the name of the app, whether it is signed as indicated by the publisher's
 Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices.
 
 The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules.
-<table>
-<colgroup>
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Business group</th>
-<th align="left">Organizational unit</th>
-<th align="left">Implement AppLocker?</th>
-<th align="left">Apps</th>
-<th align="left">Installation path</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Teller-East and Teller-West</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Teller Software</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p></td>
-<td align="left"><p>C:\Windows</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Human Resources</p></td>
-<td align="left"><p>HR-All</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Check Payout</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Time Sheet Organizer</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Internet Explorer 7</p></td>
-<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p></td>
-<td align="left"><p>C:\Windows</p></td>
-</tr>
-</tbody>
-</table>
- 
-&gt;<b>Note:</b>  AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
+
+|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|
+|--- |--- |--- |--- |--- |
+|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|
+||||Windows files|C:\Windows|
+|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|
+||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|
+||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|
+||||Windows files|C:\Windows|
+
+>[!NOTE]
+>AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
  
 <b>Event processing</b>
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
index 2db8ca7042..151e00dc31 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -46,86 +46,15 @@ Document the following items for each business group or organizational unit:
 
 The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md).
 
-<table>
-<colgroup>
-<col width="14%" />
-<col width="14%" />
-<col width="14%" />
-<col width="14%" />
-<col width="14%" />
-<col width="14%" />
-<col width="14%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Business group</th>
-<th align="left">Organizational unit</th>
-<th align="left">Implement AppLocker?</th>
-<th align="left">Applications</th>
-<th align="left">Installation path</th>
-<th align="left">Use default rule or define new rule condition</th>
-<th align="left">Allow or deny</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Teller-East and Teller-West</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Teller Software</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p></td>
-<td align="left"><p>C:\Windows</p></td>
-<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Human Resources</p></td>
-<td align="left"><p>HR-All</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Check Payout</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Time Sheet Organizer</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
-<td align="left"><p>File is not signed; create a file hash condition</p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Internet Explorer 7</p></td>
-<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p></p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p></td>
-<td align="left"><p>C:\Windows</p></td>
-<td align="left"><p>Use the default rule for the Windows path</p></td>
-<td align="left"><p></p></td>
-</tr>
-</tbody>
-</table>
+|Business group|Organizational unit|Implement AppLocker?|Applications|Installation path|Use default rule or define new rule condition|Allow or deny|
+|--- |--- |--- |--- |--- |--- |--- |
+|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition||
+||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp||
+|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition||
+||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition||
+||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|File is signed; create a publisher condition||
+||||Windows files|C:\Windows|Use the default rule for the Windows path||
  
-
 ## Next steps
 
 For each rule, determine whether to use the allow or deny option, and then complete the following tasks:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index b114297f17..44d6d198a7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -143,103 +143,15 @@ The three key areas to determine for AppLocker policy management are:
 
 The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies.
 
-<table>
-<colgroup>
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Business group</th>
-<th align="left">Organizational unit</th>
-<th align="left">Implement AppLocker?</th>
-<th align="left">Apps</th>
-<th align="left">Installation path</th>
-<th align="left">Use default rule or define new rule condition</th>
-<th align="left">Allow or deny</th>
-<th align="left">GPO name</th>
-<th align="left">Support policy</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Teller-East and Teller-West</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Teller Software</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
-<td align="left"><p>Web help</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p>
-<p></p></td>
-<td align="left"><p>C:\Windows</p></td>
-<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Help desk</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Human Resources</p></td>
-<td align="left"><p>HR-All</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Check Payout</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p>HR-AppLockerHRRules</p></td>
-<td align="left"><p>Web help</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Time Sheet Organizer</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
-<td align="left"><p>File is not signed; create a file hash condition</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Web help</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Internet Explorer 7</p></td>
-<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p>Deny</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Web help</p>
-<p></p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p></td>
-<td align="left"><p>C:\Windows</p></td>
-<td align="left"><p>Use the default rule for the Windows path</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Help desk</p></td>
-</tr>
-</tbody>
-</table>
- 
+|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|Support policy|
+|--- |--- |--- |--- |--- |--- |--- |--- |--- |
+|Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers-AppLockerTellerRules|Web help|
+||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help desk|
+|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|Web help|
+||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||Web help|
+||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|File is signed; create a publisher condition|Deny||Web help|
+||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help desk|
+
 The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies.
 
 **Event processing policy**
@@ -248,83 +160,17 @@ One discovery method for app usage is to set the AppLocker enforcement mode to *
 
 The following table is an example of what to consider and record.
 
-<table>
-<colgroup>
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Business group</th>
-<th align="left">AppLocker event collection location</th>
-<th align="left">Archival policy</th>
-<th align="left">Analyzed?</th>
-<th align="left">Security policy</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Forwarded to: AppLocker Event Repository on srvBT093</p></td>
-<td align="left"><p>Standard</p></td>
-<td align="left"><p>None</p></td>
-<td align="left"><p>Standard</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Human Resources</p></td>
-<td align="left"><p>DO NOT FORWARD. srvHR004</p></td>
-<td align="left"><p>60 months</p></td>
-<td align="left"><p>Yes, summary reports monthly to managers</p></td>
-<td align="left"><p>Standard</p></td>
-</tr>
-</tbody>
-</table>
+|Business group|AppLocker event collection location|Archival policy|Analyzed?|Security policy|
+|--- |--- |--- |--- |--- |
+|Bank Tellers|Forwarded to: AppLocker Event Repository on srvBT093|Standard|None|Standard|
+|Human Resources|DO NOT FORWARD. srvHR004|60 months|Yes, summary reports monthly to managers|Standard|
  
 <b>Policy maintenance policy</b>
 When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies.
 The following table is an example of what to consider and record.
-<table>
-<colgroup>
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Business group</th>
-<th align="left">Rule update policy</th>
-<th align="left">Application decommission policy</th>
-<th align="left">Application version policy</th>
-<th align="left">Application deployment policy</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Planned: Monthly through business office triage</p>
-<p>Emergency: Request through help desk</p></td>
-<td align="left"><p>Through business office triage</p>
-<p>30-day notice required</p></td>
-<td align="left"><p>General policy: Keep past versions for 12 months</p>
-<p>List policies for each application</p></td>
-<td align="left"><p>Coordinated through business office</p>
-<p>30-day notice required</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Human Resources</p></td>
-<td align="left"><p>Planned: Monthly through HR triage</p>
-<p>Emergency: Request through help desk</p></td>
-<td align="left"><p>Through HR triage</p>
-<p>30-day notice required</p></td>
-<td align="left"><p>General policy: Keep past versions for 60 months</p>
-<p>List policies for each application</p></td>
-<td align="left"><p>Coordinated through HR</p>
-<p>30-day notice required</p></td>
-</tr>
-</tbody>
-</table>
\ No newline at end of file
+
+|Business group|Rule update policy|Application decommission policy|Application version policy|Application deployment policy|
+|--- |--- |--- |--- |--- |
+|Bank Tellers|Planned: Monthly through business office triage<p>Emergency: Request through help desk|Through business office triage<p>30-day notice required|General policy: Keep past versions for 12 months<p>List policies for each application|Coordinated through business office<p>30-day notice required|
+|Human Resources|Planned: Monthly through HR triage<p>Emergency: Request through help desk|Through HR triage<p>30-day notice required|General policy: Keep past versions for 60 months<p>List policies for each application|Coordinated through HR<p>30-day notice required|
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 85f6eb11a3..4b22f44415 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -41,181 +41,28 @@ The following requirements must be met or addressed before you deploy your AppLo
 
 An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
 
-<table>
-<colgroup>
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-<col width="11%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Business group</th>
-<th align="left">Organizational unit</th>
-<th align="left">Implement AppLocker?</th>
-<th align="left">Apps</th>
-<th align="left">Installation path</th>
-<th align="left">Use default rule or define new rule condition</th>
-<th align="left">Allow or deny</th>
-<th align="left">GPO name</th>
-<th align="left">Support policy</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Teller-East and Teller-West</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Teller software</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p>Tellers</p></td>
-<td align="left"><p>Web help</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p>
-<p></p></td>
-<td align="left"><p>C:\Windows</p></td>
-<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Help Desk</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Time Sheet Organizer</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
-<td align="left"><p>File is not signed; create a file hash condition</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Web help</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Human Resources</p></td>
-<td align="left"><p>HR-All</p></td>
-<td align="left"><p>Yes</p></td>
-<td align="left"><p>Check Payout</p></td>
-<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p>HR</p></td>
-<td align="left"><p>Web help</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Internet Explorer 7</p></td>
-<td align="left"><p>C:\Program Files\Internet Explorer&lt;/p&gt;</td>
-<td align="left"><p>File is signed; create a publisher condition</p></td>
-<td align="left"><p>Deny</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Help Desk</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Windows files</p></td>
-<td align="left"><p>C:\Windows</p></td>
-<td align="left"><p>Use the default rule for the Windows path</p></td>
-<td align="left"><p>Allow</p></td>
-<td align="left"><p></p></td>
-<td align="left"><p>Help Desk</p></td>
-</tr>
-</tbody>
-</table>
+|Business group|Organizational unit|Implement AppLocker?|Apps|Installation path|Use default rule or define new rule condition|Allow or deny|GPO name|Support policy|
+|--- |--- |--- |--- |--- |--- |--- |--- |--- |
+|Bank Tellers|Teller-East and Teller-West|Yes|Teller software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers|Web help|
+||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help Desk|
+||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||Web help|
+|Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR|Web help|
+||||Internet Explorer 7|C:\Program Files\Internet Explorer</p>|File is signed; create a publisher condition|Deny||Help Desk|
+||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help Desk|
  
 <b>Event processing policy</b>
 
-<table>
-<colgroup>
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Business group</th>
-<th align="left">AppLocker event collection location</th>
-<th align="left">Archival policy</th>
-<th align="left">Analyzed?</th>
-<th align="left">Security policy</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Forwarded to: srvBT093</p></td>
-<td align="left"><p>Standard</p></td>
-<td align="left"><p>None</p></td>
-<td align="left"><p>Standard</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Human Resources</p></td>
-<td align="left"><p>Do not forward</p>
-<p></p></td>
-<td align="left"><p>60 months</p></td>
-<td align="left"><p>Yes; summary reports monthly to managers</p></td>
-<td align="left"><p>Standard</p></td>
-</tr>
-</tbody>
-</table>
+|Business group|AppLocker event collection location|Archival policy|Analyzed?|Security policy|
+|--- |--- |--- |--- |--- |
+|Bank Tellers|Forwarded to: srvBT093|Standard|None|Standard|
+|Human Resources|Do not forward|60 months|Yes; summary reports monthly to managers|Standard|
  
 <b>Policy maintenance policy</b>
 
-<table>
-<colgroup>
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-<col width="20%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Business group</th>
-<th align="left">Rule update policy</th>
-<th align="left">App decommission policy</th>
-<th align="left">App version policy</th>
-<th align="left">App deployment policy</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Planned: Monthly through business office triage</p>
-<p>Emergency: Request through Help Desk</p></td>
-<td align="left"><p>Through business office triage; 30-day notice required</p></td>
-<td align="left"><p>General policy: Keep past versions for 12 months</p>
-<p>List policies for each application</p></td>
-<td align="left"><p>Coordinated through business office; 30-day notice required</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Human Resources</p></td>
-<td align="left"><p>Planned: Through HR triage</p>
-<p>Emergency: Request through Help Desk</p></td>
-<td align="left"><p>Through HR triage; 30-day notice required</p>
-<p></p></td>
-<td align="left"><p>General policy: Keep past versions for 60 months</p>
-<p>List policies for each application</p></td>
-<td align="left"><p>Coordinated through HR; 30-day notice required</p></td>
-</tr>
-</tbody>
-</table>
+|Business group|Rule update policy|App decommission policy|App version policy|App deployment policy|
+|--- |--- |--- |--- |--- |
+|Bank Tellers|Planned: Monthly through business office triage<p>Emergency: Request through Help Desk|Through business office triage; 30-day notice required|General policy: Keep past versions for 12 months<p>List policies for each application|Coordinated through business office; 30-day notice required|
+|Human Resources|Planned: Through HR triage<p>Emergency: Request through Help Desk|Through HR triage; 30-day notice required|General policy: Keep past versions for 60 months<p>List policies for each application|Coordinated through HR; 30-day notice required|
  
 ### <a href="" id="bkmk-reqsupportedos"></a>Supported operating systems
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index 2d5fca2ebb..7c3e95c7e8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -98,57 +98,11 @@ Most organizations have evolved app control policies and methods over time. With
 ### Which Windows desktop and server operating systems are running in your organization?
 
 If your organization supports multiple Windows operating systems, app control policy planning becomes more complex. Your initial design decisions should consider the security and management priorities of applications that are installed on each version of the operating system.
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Possible answers</th>
-<th align="left">Design considerations</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Your organization&#39;s computers are running a combination of the following operating systems:</p>
-<ul>
-<li><p>Windows 11</p></li>
-<li><p>Windows 10</p></li>
-<li><p>Windows 8</p></li>
-<li><p>Windows 7</p></li>
-<li><p>Windows Vista</p></li>
-<li><p>Windows XP</p></li>
-<li><p>Windows Server 2012</p></li>
-<li><p>Windows Server 2008 R2</p></li>
-<li><p>Windows Server 2008</p></li>
-<li><p>Windows Server 2003</p></li>
-</ul></td>
-<td align="left"><p>AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>.</p>
-<div class="alert">
-<b>Note</b><br/><p>If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.</p>
-</div>
-<div>
 
-</div>
-<p>AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Your organization&#39;s computers are running only the following operating systems:</p>
-<ul>
-<li><p>Windows 11</p></li>
-<li><p>Windows 10</p></li>
-<li><p>Windows 8.1</p></li>
-<li><p>Windows 8</p></li>
-<li><p>Windows 7</p></li>
-<li><p>Windows Server 2012 R2</p></li>
-<li><p>Windows Server 2012</p></li>
-<li><p>Windows Server 2008 R2</p></li>
-</ul></td>
-<td align="left"><p>Use AppLocker to create your application control policies.</p></td>
-</tr>
-</tbody>
-</table>
+|Possible answers|Design considerations|
+|--- |--- |
+|Your organization's computers are running a combination of the following operating systems:<li>Windows 11<li>Windows 10<li>Windows 8<li>Windows 7<li>Windows Vista<li>Windows XP<li>Windows Server 2012<li>Windows Server 2008 R2<li>Windows Server 2008<li>Windows Server 2003|AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).<div class="alert"> **Note:** If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.</div><p>AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.|
+|Your organization's computers are running only the following operating systems:<li>Windows 11<li>Windows 10<li>Windows 8.1<li>Windows 8<li>Windows 7<li>Windows Server 2012 R2<li>Windows Server 2012<li>Windows Server 2008 R2|Use AppLocker to create your application control policies.|
 
 ### Are there specific groups in your organization that need customized application control policies?
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
index 0eb3e887ba..4aa28b9f43 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -35,30 +35,9 @@ The path condition identifies an application by its location in the file system
 
 When creating a rule that uses a deny action, path conditions are less secure than publisher and file hash conditions for preventing access to a file because a user could easily copy the file to a different location than the location specified in the rule. Because path rules specify locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file under that location will be allowed to run, including within users' profiles. The following table describes the advantages and disadvantages of the path condition.
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Path condition advantages</th>
-<th align="left">Path condition disadvantages</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><ul>
-<li><p>You can easily control many folders or a single file.</p></li>
-<li><p>You can use the asterisk (*) as a wildcard character within path rules.</p></li>
-</ul></td>
-<td align="left"><ul>
-<li><p>It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by non-administrators.</p></li>
-<li><p>You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.</p></li>
-</ul></td>
-</tr>
-</tbody>
-</table>
+|Path condition advantages|Path condition disadvantages|
+|--- |--- |
+|<li>You can easily control many folders or a single file.<li>You can use the asterisk (*) as a wildcard character within path rules.|<li>It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by non-administrators.<li>You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.|
 
 AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index 86cc3ed874..55d9299a0f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -35,32 +35,9 @@ Publisher conditions can be made only for files that are digitally signed; this
 Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages 
 of the publisher condition.
 
-<table>
-<colgroup>
-<col width="50%" />
-<col width="50%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Publisher condition advantages</th>
-<th align="left">Publisher condition disadvantages</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><ul>
-<li><p>Frequent updating is not required.</p></li>
-<li><p>You can apply different values within a certificate.</p></li>
-<li><p>A single rule can be used to allow an entire product suite.</p></li>
-<li><p>You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.</p></li>
-</ul></td>
-<td align="left"><ul>
-<li><p>The file must be signed.</p></li>
-<li><p>Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.</p></li>
-</ul></td>
-</tr>
-</tbody>
-</table>
+|Publisher condition advantages|Publisher condition disadvantages|
+|--- |--- |
+|<li>Frequent updating is not required.<li>You can apply different values within a certificate.<li>A single rule can be used to allow an entire product suite.<li>You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.|<li>The file must be signed.<li>Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.|
  
 Wildcard characters can be used as values in the publisher rule fields according to the following specifications:
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
index a22f94b741..d7bb4ad515 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
@@ -38,139 +38,26 @@ Windows Server 2008 R2, Windows 7 and later. It is recommended that you auth
 Windows 7 and later, the SRP policies are ignored.
 
 The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker.
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Application control function</th>
-<th align="left">SRP</th>
-<th align="left">AppLocker</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Scope</p></td>
-<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
-<td align="left"><p>AppLocker policies apply only to Windows Server 2008 R2, Windows 7, and later.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Policy creation</p></td>
-<td align="left"><p>SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.</p></td>
-<td align="left"><p>AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.</p>
-<p>AppLocker permits customization of error messages to direct users to a Web page for help.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Policy maintenance</p></td>
-<td align="left"><p>SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).</p></td>
-<td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Policy application</p></td>
-<td align="left"><p>SRP policies are distributed through Group Policy.</p></td>
-<td align="left"><p>AppLocker policies are distributed through Group Policy.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Enforcement mode</p></td>
-<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.</p>
-<p>SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
-<td align="left"><p>AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there is a matching allow rule.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>File types that can be controlled</p></td>
-<td align="left"><p>SRP can control the following file types:</p>
-<ul>
-<li><p>Executables</p></li>
-<li><p>Dlls</p></li>
-<li><p>Scripts</p></li>
-<li><p>Windows Installers</p></li>
-</ul>
-<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.</p></td>
-<td align="left"><p>AppLocker can control the following file types:</p>
-<ul>
-<li><p>Executables</p></li>
-<li><p>Dlls</p></li>
-<li><p>Scripts</p></li>
-<li><p>Windows Installers</p></li>
-<li><p>Packaged apps and installers</p></li>
-</ul>
-<p>AppLocker maintains a separate rule collection for each of the five file types.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Designated file types</p></td>
-<td align="left"><p>SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.</p></td>
-<td align="left"><p>AppLocker currently supports the following file extensions:</p>
-<ul>
-<li><p>Executables (.exe, .com)</p></li>
-<li><p>Dlls (.ocx, .dll)</p></li>
-<li><p>Scripts (.vbs, .js, .ps1, .cmd, .bat)</p></li>
-<li><p>Windows Installers (.msi, .mst, .msp)</p></li>
-<li><p>Packaged app installers (.appx)</p></li>
-</ul></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Rule types</p></td>
-<td align="left"><p>SRP supports four types of rules:</p>
-<ul>
-<li><p>Hash</p></li>
-<li><p>Path</p></li>
-<li><p>Signature</p></li>
-<li><p>Internet zone</p></li>
-</ul></td>
-<td align="left"><p>AppLocker supports three types of rules:</p>
-<ul>
-<li><p>File hash</p></li>
-<li><p>Path</p></li>
-<li><p>Publisher</p></li>
-</ul></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Editing the hash value</p></td>
-<td align="left"><p>In Windows XP, you could use SRP to provide custom hash values.</p>
-<p>Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.</p></td>
-<td align="left"><p>AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Support for different security levels</p></td>
-<td align="left"><p>With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.</p>
-<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).</p></td>
-<td align="left"><p>AppLocker does not support security levels.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Manage Packaged apps and Packaged app installers.</p></td>
-<td align="left"><p>Not supported</p></td>
-<td align="left"><p>.appx is a valid file type which AppLocker can manage.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Targeting a rule to a user or a group of users</p></td>
-<td align="left"><p>SRP rules apply to all users on a particular computer.</p></td>
-<td align="left"><p>AppLocker rules can be targeted to a specific user or a group of users.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Support for rule exceptions</p></td>
-<td align="left"><p>SRP does not support rule exceptions.</p></td>
-<td align="left"><p>AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Support for audit mode</p></td>
-<td align="left"><p>SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td>
-<td align="left"><p>AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Support for exporting and importing policies</p></td>
-<td align="left"><p>SRP does not support policy import/export.</p></td>
-<td align="left"><p>AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Rule enforcement</p></td>
-<td align="left"><p>Internally, SRP rules enforcement happens in the user-mode, which is less secure.</p></td>
-<td align="left"><p>Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.</p></td>
-</tr>
-</tbody>
-</table>
+
+|Application control function|SRP|AppLocker|
+|--- |--- |--- |
+|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to Windows Server 2008 R2, Windows 7, and later.|
+|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<p>AppLocker permits customization of error messages to direct users to a Web page for help.|
+|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
+|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
+|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.<p>SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there is a matching allow rule.|
+|File types that can be controlled|SRP can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<li>Packaged apps and installers<p>AppLocker maintains a separate rule collection for each of the five file types.|
+|Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:<li>Executables (.exe, .com)<li>Dlls (.ocx, .dll)<li>Scripts (.vbs, .js, .ps1, .cmd, .bat)<li>Windows Installers (.msi, .mst, .msp)<li>Packaged app installers (.appx)|
+|Rule types|SRP supports four types of rules:<li>Hash<li>Path<li>Signature<li>Internet zone|AppLocker supports three types of rules:<li>File hash<li>Path<li>Publisher|
+|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.<p>Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.|
+|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.|
+|Manage Packaged apps and Packaged app installers.|Not supported|.appx is a valid file type which AppLocker can manage.|
+|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
+|Support for rule exceptions|SRP does not support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.|
+|Support for audit mode|SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.|
+|Support for exporting and importing policies|SRP does not support policy import/export.|AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.|
+|Rule enforcement|Internally, SRP rules enforcement happens in the user-mode, which is less secure.|Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.|
+
  
  
  
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
index 3629a929f5..1196a83dee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
@@ -53,145 +53,33 @@ For information about the application control scenarios that AppLocker addresses
 
 The following table compares AppLocker to Software Restriction Policies.
 
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Feature</th>
-<th align="left">Software Restriction Policies</th>
-<th align="left">AppLocker</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Rule scope</p></td>
-<td align="left"><p>All users</p></td>
-<td align="left"><p>Specific user or group</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Rule conditions provided</p></td>
-<td align="left"><p>File hash, path, certificate, registry path, and Internet zone</p></td>
-<td align="left"><p>File hash, path, and publisher</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Rule types provided</p></td>
-<td align="left"><p>Defined by the security levels:</p>
-<ul>
-<li><p>Disallowed</p></li>
-<li><p>Basic User</p></li>
-<li><p>Unrestricted</p></li>
-</ul></td>
-<td align="left"><p>Allow and deny</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Default rule action</p></td>
-<td align="left"><p>Unrestricted</p></td>
-<td align="left"><p>Implicit deny</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Audit-only mode</p></td>
-<td align="left"><p>No</p></td>
-<td align="left"><p>Yes</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Wizard to create multiple rules at one time</p></td>
-<td align="left"><p>No</p></td>
-<td align="left"><p>Yes</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Policy import or export</p></td>
-<td align="left"><p>No</p></td>
-<td align="left"><p>Yes</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Rule collection</p></td>
-<td align="left"><p>No</p></td>
-<td align="left"><p>Yes</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Windows PowerShell support</p></td>
-<td align="left"><p>No</p></td>
-<td align="left"><p>Yes</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Custom error messages</p></td>
-<td align="left"><p>No</p></td>
-<td align="left"><p>Yes</p></td>
-</tr>
-</tbody>
-</table>
+|Feature|Software Restriction Policies|AppLocker|
+|--- |--- |--- |
+|Rule scope|All users|Specific user or group|
+|Rule conditions provided|File hash, path, certificate, registry path, and Internet zone|File hash, path, and publisher|
+|Rule types provided|Defined by the security levels:<li>Disallowed<li>Basic User<li>Unrestricted|Allow and deny|
+|Default rule action|Unrestricted|Implicit deny|
+|Audit-only mode|No|Yes|
+|Wizard to create multiple rules at one time|No|Yes|
+|Policy import or export|No|Yes|
+|Rule collection|No|Yes|
+|Windows PowerShell support|No|Yes|
+|Custom error messages|No|Yes|
 
 <b>Application control function differences</b>
 
 The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker.
-<table>
-<colgroup>
-<col width="33%" />
-<col width="33%" />
-<col width="33%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th align="left">Application control function</th>
-<th align="left">SRP</th>
-<th align="left">AppLocker</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td align="left"><p>Operating system scope</p></td>
-<td align="left"><p>SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.</p></td>
-<td align="left"><p>AppLocker policies apply only to those supported operating system versions and editions listed in <a href="requirements-to-use-applocker.md" data-raw-source="[Requirements to use AppLocker](requirements-to-use-applocker.md)">Requirements to use AppLocker</a>. But these systems can also use SRP.</p>
-<div class="alert">
-<b>Note</b><br/><p>Use different GPOs for SRP and AppLocker rules.</p>
-</div>
-<div>
 
-</div></td>
-</tr>
-<tr class="even">
-<td align="left"><p>User support</p></td>
-<td align="left"><p>SRP allows users to install applications as an administrator.</p></td>
-<td align="left"><p>AppLocker policies are maintained through Group Policy, and only the administrator of the device can update an AppLocker policy.</p>
-<p>AppLocker permits customization of error messages to direct users to a Web page for help.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Policy maintenance</p></td>
-<td align="left"><p>SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).</p></td>
-<td align="left"><p>AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.</p>
-<p>AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Policy management infrastructure</p></td>
-<td align="left"><p>To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.</p></td>
-<td align="left"><p>To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Block malicious scripts</p></td>
-<td align="left"><p>Rules for blocking malicious scripts prevents all scripts associated with the Windows Script Host from running, except those that are digitally signed by your organization.</p></td>
-<td align="left"><p>AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Manage software installation</p></td>
-<td align="left"><p>SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.</p></td>
-<td align="left"><p>The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.</p></td>
-</tr>
-<tr class="odd">
-<td align="left"><p>Manage all software on the computer</p></td>
-<td align="left"><p>All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user&#39;s device, except software that is installed in the Windows folder, Program Files folder, or subfolders.</p></td>
-<td align="left"><p>Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.</p></td>
-</tr>
-<tr class="even">
-<td align="left"><p>Different policies for different users</p></td>
-<td align="left"><p>Rules are applied uniformly to all users on a particular device.</p></td>
-<td align="left"><p>On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. Using AppLocker, an administrator can specify the user to whom a specific rule should apply.</p></td>
-</tr>
-</tbody>
-</table>
+|Application control function|SRP|AppLocker|
+|--- |--- |--- |
+|Operating system scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to those supported operating system versions and editions listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). But these systems can also use SRP.<div class="alert">**Note:** Use different GPOs for SRP and AppLocker rules.</div>|
+|User support|SRP allows users to install applications as an administrator.|AppLocker policies are maintained through Group Policy, and only the administrator of the device can update an AppLocker policy.<p>AppLocker permits customization of error messages to direct users to a Web page for help.|
+|Policy maintenance|SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).|AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.<p>AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.|
+|Policy management infrastructure|To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|
+|Block malicious scripts|Rules for blocking malicious scripts prevents all scripts associated with the Windows Script Host from running, except those that are digitally signed by your organization.|AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.|
+|Manage software installation|SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.|The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.|
+|Manage all software on the computer|All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.|Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.|
+|Different policies for different users|Rules are applied uniformly to all users on a particular device.|On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. Using AppLocker, an administrator can specify the user to whom a specific rule should apply.|
 
 ## Related topics
 

From 4c39fc5d17d3853b205df96ff4439a23b440a462 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Fri, 3 Dec 2021 12:36:19 +0530
Subject: [PATCH 13/73] Converted tables

---
 .../mdm/policy-csp-system.md                  | 68 ++++---------------
 1 file changed, 14 insertions(+), 54 deletions(-)

diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 78a94359dc..f5067a2490 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1305,33 +1305,13 @@ The following list shows the supported values:
 <a href="" id="system-limitdiagnosticlogcollection"></a>**System/LimitDiagnosticLogCollection**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>No</td>
-    <td>No</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>
@@ -1374,33 +1354,13 @@ The following list shows the supported values:
 <a href="" id="system-limitdumpcollection"></a>**System/LimitDumpCollection**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>No</td>
-    <td>No</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>

From 741195cbf7f9f13f3a4265175989975d9396dd93 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Mon, 6 Dec 2021 19:58:53 +0530
Subject: [PATCH 14/73] Converted table into text

---
 .../create-wip-policy-using-configmgr.md      | 67 ++++++++++++++++---
 1 file changed, 57 insertions(+), 10 deletions(-)

diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 0022b16eb4..682fe9fc29 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -349,16 +349,63 @@ There are no default locations included with WIP, you must add each of your netw
 
    ![Add or edit corporate network definition box, Add your enterprise network locations.](images/wip-configmgr-add-network-domain.png)
 
-     |Network location type|Format|Description|
-     |--- |--- |--- |
-     |Enterprise Cloud Resources|<b>With proxy:</b> contoso.sharepoint.com,contoso.internalproxy1.com,<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><b>Without proxy:</b> contoso.sharepoint.com,contoso.visualstudio.com|Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;I&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;I&quot;. For example: <code> URL &lt;,proxy&gt;, URL &lt;,proxy&gt;</code><p><b>Important</b><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;,URL &lt;,proxy&gt;,/&#42;AppCompat&#42;/</code>.|
-     |Enterprise Network Domain Names (Required)|corp.contoso.com,region.contoso.com|Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the &quot;,&quot; delimiter.|
-     |Proxy servers|proxy.contoso.com:80;proxy2.contoso.com:443|Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.|
-     |Internal proxy servers|contoso.internalproxy1.com;contoso.internalproxy2.com|Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.|
-     |Enterprise IPv4 Range (Required)|<b>Starting IPv4 Address:</b> 3.4.0.1<br><b>Ending IPv4 Address:</b> 3.4.255.254<br><b>Custom URI:</b> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254|Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the &quot;,&quot; delimiter.|
-     |Enterprise IPv6 Range|<b>Starting IPv6 Address:</b> 2a01:110::<br><b>Ending IPv6 Address:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br><b>Custom URI:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff|Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the &quot;,&quot; delimiter.|
-     |Neutral Resources|sts.contoso.com,sts.contoso2.com|Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the &quot;,&quot; delimiter.|
-     
+     - **Enterprise Cloud Resources**: Specify the cloud resources to be treated as corporate and protected by WIP.
+
+         For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
+
+         If you have multiple resources, you must separate them using the `|` delimiter. If you don't use proxy servers, you must also include the `,` delimiter just before the `|`. For example: URL `<,proxy>|URL <,proxy>`.
+
+         **Format examples**:
+
+         - **With proxy**: `contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com`
+
+         - **Without proxy**: `contoso.sharepoint.com|contoso.visualstudio.com`
+
+         >[!Important]
+         > In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
+
+     - **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
+
+         This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.
+
+         If you have multiple resources, you must separate them using the "," delimiter.
+
+         **Format examples**: `corp.contoso.com,region.contoso.com`
+
+     - **Proxy servers**: Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
+
+         This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
+
+         If you have multiple resources, you must separate them using the ";" delimiter.
+
+         **Format examples**: `proxy.contoso.com:80;proxy2.contoso.com:443`
+
+     - **Internal proxy servers**: Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
+
+         This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
+
+         If you have multiple resources, you must separate them using the ";" delimiter.
+
+         **Format examples**: `contoso.internalproxy1.com;contoso.internalproxy2.com`
+
+     - **Enterprise IPv4 Range (Required)**: Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+         If you have multiple ranges, you must separate them using the "," delimiter.
+
+         **Format examples**: **Starting IPv4 Address:** `3.4.0.1`, **Ending IPv4 Address:** `3.4.255.254`, **Custom URI:** `3.4.0.1-3.4.255.254`, `10.0.0.1-10.255.255.254`
+
+     - **Enterprise IPv6 Range**: Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+         If you have multiple ranges, you must separate them using the "," delimiter.
+
+         **Format examples**: **Starting IPv6 Address:** `2a01:110::`, **Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff` **Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`,`fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
+
+     - **Neutral Resources**: Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection.
+
+         If you have multiple resources, you must separate them using the "," delimiter.
+
+         **Format examples**: `sts.contoso.com,sts.contoso2.com`
+
 3. Add as many locations as you need, and then click **OK**.
 
    The **Add or edit corporate network definition** box closes.

From c51f83a04304111d6e17121a538ab9a02d75007e Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 13:05:08 -0500
Subject: [PATCH 15/73] Note, headers

---
 .../access-control/local-accounts.md          | 50 +++++++++----------
 1 file changed, 23 insertions(+), 27 deletions(-)

diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index ae3cbe8e26..f4a2c31d2b 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -94,15 +94,11 @@ In comparison, on the Windows client operating system, a user with a local user
 
 In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)).
 
-**Note**  
-Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic.
-
- 
-
-**Important**  
-Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
-
- 
+> [!IMPORTANT]
+> 
+> - Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic.
+>
+> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. 
 
 ### <a href="" id="sec-guest"></a>Guest account
 
@@ -141,11 +137,11 @@ For details about the HelpAssistant account attributes, see the following table.
 
 |Attribute|Value|
 |--- |--- |
-|Well-Known SID/RID|S-1-5-&lt;domain&gt;-13 (Terminal Server User), S-1-5-&lt;domain&gt;-14 (Remote Interactive Logon)|
+|Well-Known SID/RID|`S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon)`|
 |Type|User|
-|Default container|CN=Users, DC=&lt;domain&gt;, DC=|
+|Default container|`CN=Users, DC=<domain>, DC=`|
 |Default members|None|
-|Default member of|Domain Guests&lt;p&gt;Guests|
+|Default member of|Domain Guests<br/><br/>Guests|
 |Protected by ADMINSDHOLDER?|No|
 |Safe to move out of default container?|Can be moved out, but we do not recommend it.|
 |Safe to delegate management of this group to non-Service admins?|No|
@@ -195,8 +191,8 @@ The SYSTEM account is used by the operating system and by services that run unde
 
 On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account.
 
-**Note**  
-To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.
+> [!NOTE]
+> To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.
 
 ### NETWORK SERVICE 
 The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account).
@@ -213,8 +209,8 @@ You can use Local Users and Groups to assign rights and permissions on the local
 
 You cannot use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network.
 
-**Note**  
-You use Active Directory Users and Computers to manage users and groups in Active Directory.
+> [!NOTE]
+> You use Active Directory Users and Computers to manage users and groups in Active Directory.
 
 You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using a variety of PowerShell cmdlets and other scripting technologies.
 
@@ -234,8 +230,8 @@ The other approaches that can be used to restrict and protect user accounts with
 
 Each of these approaches is described in the following sections.
 
-**Note**  
-These approaches do not apply if all administrative local accounts are disabled.
+> [!NOTE]
+> These approaches do not apply if all administrative local accounts are disabled.
 
  
 
@@ -266,11 +262,11 @@ The following table shows the Group Policy and registry settings that are used t
 ||Registry value type|DWORD|
 ||Registry value data|0|
 
->[!NOTE]
->You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. 
+> [!NOTE]
+> You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. 
  
 
-**To enforce local account restrictions for remote access**
+#### To enforce local account restrictions for remote access
 
 1.  Start the **Group Policy Management** Console (GPMC).
 
@@ -340,8 +336,8 @@ The following table shows the Group Policy and registry settings that are used t
 
 Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that the credentials for local accounts that are stolen from a compromised operating system cannot be used to compromise additional computers that use the same credentials.
 
-**Note**  
-In order to perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.
+> [!NOTE]
+> To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.
 
  
 
@@ -356,7 +352,7 @@ The following table shows the Group Policy settings that are used to deny networ
 ||Policy name|[Deny log on through Remote Desktop Services](/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services)|
 ||Policy setting|Local account and member of Administrators group|
 
-**To deny network logon to all local administrator accounts**
+#### To deny network logon to all local administrator accounts
 
 1.  Start the **Group Policy Management** Console (GPMC).
 
@@ -402,8 +398,8 @@ The following table shows the Group Policy settings that are used to deny networ
 
 11. Create links to all other OUs that contain servers.
 
-    **Note**  
-    You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
+    > [!NOTE]
+    > You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
 
 
 ### <a href="" id="sec-create-unique-passwords"></a>Create unique passwords for local accounts with administrative rights
@@ -429,4 +425,4 @@ The following resources provide additional information about technologies that a
 
 -   [Security Identifiers](security-identifiers.md)
 
--   [Access Control Overview](access-control.md)
\ No newline at end of file
+-   [Access Control Overview](access-control.md)

From 3ac1832a355d2b3dd36df40689ba86091eff4b09 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 13:22:06 -0500
Subject: [PATCH 16/73] Moved table content to bullets

---
 .../vpn/vpn-authentication.md                 | 54 ++++++++++++++++---
 1 file changed, 48 insertions(+), 6 deletions(-)

diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 85fac35f0e..70d6af4858 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -23,12 +23,54 @@ In addition to older and less-secure password-based authentication methods (whic
 
 Windows supports a number of EAP authentication methods. 
 
-|Method|Details|
-|--- |--- |
-|EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)|<li>User name and password authentication<li>Winlogon credentials- can specify authentication with computer sign-in credentials|
-|EAP-Transport Layer Security (EAP-TLS)|<p>Supports the following types of certificate authentication <li>Certificate with keys in the software Key Storage Provider (KSP)<li>Certificate with keys in Trusted Platform Module (TPM) KSP<li>Smart card certificates<li>Windows Hello for Business certificate<p>Certificate filtering<li>Certificate filtering can be enabled to search for a particular certificate to use to authenticate with<li>Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based<p>Server validation- with TLS, server validation can be toggled on or off<li>Server name-specify the server to validate<li>Server certificate- trusted root certificate to validate the server<li>Notification-specify if the user should get a notification asking whether to trust the server or not|
-|[Protected Extensible Authentication Protocol (PEAP)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754179(v=ws.11))|<p>Server validation with PEAP,- server validation can be toggled on or off<li>Server name- specify the server to validate<li>Server certificate- trusted root certificate to validate the server<li>Notification- specify if the user should get a notification asking whether to trust the server or not<p>Inner method- the outer method creates a secure tunnel inside while the inner method is used to complete the authentication<li>EAP-MSCHAPv2<li>EAP-TLS<p>Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.<p>[Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.|
-|Tunneled Transport Layer Security (TTLS)|**Inner method**<p>Non-EAP<li>Password Authentication Protocol (PAP)<li>CHAP<li>MSCHAP<li>MSCHAPv2<p>EAP<li>MSCHAPv2<li>TLS<p>Server validation: in TTLS, the server must be validated. The following can be configured:<li>Server name<li>Trusted root certificate for server certificate<li>Whether there should be a server validation notification|
+- EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2):
+  - User name and password authentication
+  - Winlogon credentials - can specify authentication with computer sign-in credentials
+
+- EAP-Transport Layer Security (EAP-TLS):
+  - Supports the following types of certificate authentication:
+    - Certificate with keys in the software Key Storage Provider (KSP)
+    - Certificate with keys in Trusted Platform Module (TPM) KSP
+    - Smart card certificates
+    - Windows Hello for Business certificate
+
+  - Certificate filtering:
+    - Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
+    - Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
+
+  - Server validation - with TLS, server validation can be toggled on or off:
+    - Server name - specify the server to validate
+    - Server certificate - trusted root certificate to validate the server
+    - Notification - specify if the user should get a notification asking whether to trust the server or not
+
+- [Protected Extensible Authentication Protocol (PEAP)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754179(v=ws.11)):
+  - Server validation - with PEAP, server validation can be toggled on or off:
+    - Server name - specify the server to validate
+    - Server certificate - trusted root certificate to validate the server
+    - Notification - specify if the user should get a notification asking whether to trust the server or not
+
+  - Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication:
+    - EAP-MSCHAPv2
+    - EAP-TLS
+
+  - Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
+
+  - [Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
+
+- Tunneled Transport Layer Security (TTLS)
+  - Inner method
+    - Non-EAP
+      - Password Authentication Protocol (PAP)
+      - CHAP
+      - MSCHAP
+      - MSCHAPv2
+    - EAP
+      - MSCHAPv2
+      - TLS
+  - Server validation: in TTLS, the server must be validated. The following can be configured:
+    - Server name
+    - Trusted root certificate for server certificate
+    - Whether there should be a server validation notification
 
 For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential types can be used:
 

From 3d48e23da0cf840e1b298c92e92db11a386f23a8 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 13:33:37 -0500
Subject: [PATCH 17/73] notes

---
 ...olumes-and-storage-area-networks-with-bitlocker.md | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index 52c7c436f9..052dd0fee8 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -33,14 +33,16 @@ BitLocker can protect both physical disk resources and cluster shared volumes ve
 
 BitLocker on volumes within a cluster are managed based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS).
 
->**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/).
+> [!IMPORTANT]
+> SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/).
  
 Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on 
 BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete.
 
 Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item.
 
->**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.
+> [!NOTE]
+> Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.
  
 For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This action is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
 
@@ -57,7 +59,8 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote
 
 4.  Registry-based auto-unlock key
 
->**Note:**  A Windows Server 2012 or later domain controller is required for this feature to work properly.
+> [!NOTE]
+> A Windows Server 2012 or later domain controller is required for this feature to work properly.
  
 ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell
 
@@ -189,4 +192,4 @@ Also take these considerations into account for BitLocker on clustered storage:
 -   If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) will automatically resume conversion when the volume is online to the cluster.
 -   If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver will automatically resume conversion when the volume is online to the cluster.
 -   If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) will automatically resume conversion when moving the volume back from maintenance.
--   If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver will automatically resume conversion when the volume is moved back from maintenance mode.
\ No newline at end of file
+-   If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver will automatically resume conversion when the volume is moved back from maintenance mode.

From 836285a2e7d40434c2b1a27ca6fadd26943ff78d Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 13:40:29 -0500
Subject: [PATCH 18/73] table spacing; note

---
 .../app-behavior-with-wip.md                          | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 966c02209f..e69017b1e0 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -33,18 +33,15 @@ To avoid the automatic encryption of data, developers can enlighten apps by addi
 
 We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
 
->[!IMPORTANT]
->After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
-
->[!Note]
->For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
+> [!IMPORTANT]
+> After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted. For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
 
 ## Unenlightened app behavior
 This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
 
 |App rule setting|Networking policy configuration|
 |--- |--- |
-|**Not required.** App connects to enterprise cloud resources directly, using an IP address.|<p>**Name-based policies, without the /&#42;AppCompat&#42;/ string:**<li>App is entirely blocked from both personal and enterprise cloud resources.<li>No encryption is applied.<li>App can’t access local Work files.<p>**Name-based policies, using the /&#42;AppCompat&#42;/ string or proxy-based policies:**<li>App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.<li>No encryption is applied.<li>App can’t access local Work files.|
+|**Not required.** App connects to enterprise cloud resources directly, using an IP address.| **Name-based policies, without the `/*AppCompat*/` string:**<li>App is entirely blocked from both personal and enterprise cloud resources.<li>No encryption is applied.<li>App can’t access local Work files.<br/><br/>**Name-based policies, using the `/*AppCompat*/` string or proxy-based policies:**<li>App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.<li>No encryption is applied.<li>App can’t access local Work files.|
 |**Not required.** App connects to enterprise cloud resources, using a hostname.|<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.<li>No encryption is applied.<li>App can’t access local Work files.|
 |**Allow.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li>Auto-encryption is applied.<li>App can access local Work files.|
 |**Exempt.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li>No encryption is applied.<li>App can access local Work files.|
@@ -59,4 +56,4 @@ This table includes info about how enlightened apps might behave, based on your
 |**Exempt.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li> App protects work data and leaves personal data unprotected.<li> App can access local Work files.|
 
 >[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

From b6c7c0c1a2fb0649f42bf722dc9fe769c90c436b Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 14:15:50 -0500
Subject: [PATCH 19/73] spacing

---
 .../create-wip-policy-using-configmgr.md           | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index d39b536489..8a0ecac521 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -392,13 +392,21 @@ There are no default locations included with WIP, you must add each of your netw
 
          If you have multiple ranges, you must separate them using the "," delimiter.
 
-         **Format examples**: **Starting IPv4 Address:** `3.4.0.1`, **Ending IPv4 Address:** `3.4.255.254`, **Custom URI:** `3.4.0.1-3.4.255.254`, `10.0.0.1-10.255.255.254`
+         **Format examples**:
+
+         - **Starting IPv4 Address:** `3.4.0.1`
+         - **Ending IPv4 Address:** `3.4.255.254`
+         - **Custom URI:** `3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254`
 
      - **Enterprise IPv6 Range**: Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
 
          If you have multiple ranges, you must separate them using the "," delimiter.
 
-         **Format examples**: **Starting IPv6 Address:** `2a01:110::`, **Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff` **Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`,`fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
+         **Format examples**:
+
+         - **Starting IPv6 Address:** `2a01:110::`
+         - **Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`
+         - **Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
 
      - **Neutral Resources**: Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection.
 
@@ -476,4 +484,4 @@ After you've created your WIP policy, you'll need to deploy it to your organizat
 
 - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
 
-- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
\ No newline at end of file
+- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)

From ec06595acb9f636814e70476c45676d19bb76ba6 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 16:03:25 -0500
Subject: [PATCH 20/73] Moved text from table to bullets

---
 .../limitations-with-wip.md                   | 152 +++++++++++++++---
 1 file changed, 128 insertions(+), 24 deletions(-)

diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 2692a84a58..f694cd6c2c 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -22,30 +22,134 @@ ms.localizationpriority: medium
 **Applies to:**
 -   Windows 10, version 1607 and later
 
-This table provides info about the most common problems you might encounter while running WIP in your organization.
+This following list provides info about the most common problems you might encounter while running WIP in your organization.
 
-|Limitation|How it appears|Workaround|
-|--- |--- |--- |
-|Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.|**If you’re using Azure RMS:** Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.**If you’re not using Azure RMS:** Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.|Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.We strongly recommend educating employees about how to limit or eliminate the need for this decryption.|
-|Direct Access is incompatible with WIP.|Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.|We recommend that you use VPN for client access to your intranet resources. <p>**Note** VPN is optional and isn’t required by WIP.|
-|**NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.|The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.|If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.|
-|Cortana can potentially allow data leakage if it’s on the allowed apps list.|If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.|We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.|
-|WIP is designed for use by a single user per device.|A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.|We recommend only having one user per managed device.|
-|Installers copied from an enterprise network file share might not work properly.|An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.|To fix this, you can:<li>Start the installer directly from the file share.<p>-OR-<li>Decrypt the locally copied files needed by the installer.<p>-OR-<li>Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.|
-|Changing your primary Corporate Identity isn’t supported.|You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.|Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.|
-|Redirected folders with Client-Side Caching are not compatible with WIP.|Apps might encounter access errors while attempting to read a cached, offline file.|Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<p>**Note** For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)". If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045).|
-|An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.|Data copied from the WIP-managed device is marked as **Work**.Data copied to the WIP-managed device is not marked as **Work**.Local **Work** data copied to the WIP-managed device remains **Work** data.**Work** data that is copied between two apps in the same session remains ** data.|Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.|
-|You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.|A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.|Open File Explorer and change the file ownership to **Personal** before you upload.|
-|ActiveX controls should be used with caution.|Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.|We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).|
-|Resilient File System (ReFS) isn't currently supported with WIP.|Trying to save or transfer WIP files to ReFS will fail.|Format drive for NTFS, or use a different drive.|
-|WIP isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:<li>AppDataRoaming<li>Desktop<li>StartMenu<li>Documents<li>Pictures<li>Music<li>Videos<li>Favorites<li>Contacts<li>Downloads<li>Links<li>Searches<li>SavedGames|WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.|Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders.  You can configure this parameter, as described [here](/windows-server/storage/folder-redirection/disable-offline-files-on-folders)".If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)".|
-|Only enlightened apps can be managed without device enrollment|If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.|If all apps need to be managed, enroll the device for MDM.|
-|By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it.|Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.|If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.|
-|OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.|OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.|"OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:<ol><li> Close the notebook in OneNote.<li>Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.<li>Copy the notebook folder and Paste it back into the OneDrive for Business folder.</ol><p>Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut.  Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.|
-|Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected.|If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.|It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.|
+- **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
+  - **How it appears**:
+    - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
+    - If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.
+
+  - **Workaround**: Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
+
+    We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
+
+- **Limitation**: Direct Access is incompatible with WIP.
+  - **How it appears**: Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.
+  - **Workaround**: We recommend that you use VPN for client access to your intranet resources.
+
+    > [!NOTE]
+    > VPN is optional and isn’t required by WIP.
+
+- **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.
+  - **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
+  - **Workaround**: If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.
+
+- **Limitation**: Cortana can potentially allow data leakage if it’s on the allowed apps list.
+  - **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.
+  - **Workaround**: We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.
+
+- **Limitation**: WIP is designed for use by a single user per device.
+  - **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.
+  - **Workaround**: We recommend only having one user per managed device.
+
+- **Limitation**: Installers copied from an enterprise network file share might not work properly.
+  - **How it appears**: An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.
+  - **Workaround**: To fix this, you can:
+    - Start the installer directly from the file share.
+
+      OR
+
+    - Decrypt the locally copied files needed by the installer.
+
+      OR
+
+    - Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
+
+- **Limitation**: Changing your primary Corporate Identity isn’t supported.
+  - **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.
+  - **Workaround**: Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
+
+- **Limitation**: Redirected folders with Client-Side Caching are not compatible with WIP.
+  - **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file.
+  - **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
+
+    > [!NOTE]
+    > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)". If you're having trouble opening files offline while using Offline Files and WIP, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
+
+- **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
+  - **How it appears**: 
+    - Data copied from the WIP-managed device is marked as **Work**.
+    - Data copied to the WIP-managed device is not marked as **Work**.
+    - Local **Work** data copied to the WIP-managed device remains **Work** data.
+    - **Work** data that is copied between two apps in the same session remains ** data.
+
+  - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.
+
+- **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
+  - **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
+  - **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload.
+
+- **Limitation**: ActiveX controls should be used with caution.
+  - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.
+  - **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
+
+    For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
+
+- **Limitation**: Resilient File System (ReFS) isn't currently supported with WIP.
+  - **How it appears**:Trying to save or transfer WIP files to ReFS will fail.
+  - **Workaround**: Format drive for NTFS, or use a different drive.
+
+- **Limitation**: WIP isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
+  - AppDataRoaming
+  - Desktop
+  - StartMenu
+  - Documents
+  - Pictures
+  - Music
+  - Videos
+  - Favorites
+  - Contacts
+  - Downloads
+  - Links
+  - Searches
+  - SavedGames
+
+  <br/>
+
+  - **How it appears**: WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.
+  - **Workaround**: Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders.  You can configure this parameter, as described [here](/windows-server/storage/folder-redirection/disable-offline-files-on-folders)".
+
+    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline.
+
+    For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
+
+- **Limitation**: Only enlightened apps can be managed without device enrollment
+  - **How it appears**: If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps.
+
+    Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.
+
+  - **Workaround**: If all apps need to be managed, enroll the device for MDM.
+
+- **Limitation**: By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it.
+  - **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
+  - **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
+
+- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.
+  - **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.
+  - **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
+
+    1. Close the notebook in OneNote.
+    2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.
+    3. Copy the notebook folder and Paste it back into the OneDrive for Business folder.
+
+    Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.
+
+- **Limitation**: Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected.
+  - **How it appears**: If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
+  - **Workaround**: It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.
 
 > [!NOTE]
-> When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. 
-
-> [!NOTE]
-> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+>
+> - When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. 
+> 
+> - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

From b9200ffdb7883e46bb50dc6a5df640a6df37be84 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 16:32:35 -0500
Subject: [PATCH 21/73] Moved text from table into bullets

---
 .../testing-scenarios-for-wip.md              | 138 ++++++++++++++++--
 1 file changed, 123 insertions(+), 15 deletions(-)

diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index d9f157125e..247a47ecf5 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -31,20 +31,128 @@ You can try any of the processes included in these scenarios, but you should foc
 >[!IMPORTANT]
 >If any of these scenarios does not work, first take note of whether WIP has been revoked. If it has, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
 
-|Scenario|Processes|
-|--- |--- |
-|Encrypt and decrypt files using File Explorer.|**For desktop:**<br><ol><li>Open File Explorer, right-click a work document, and then click **Work** from the **File Ownership** menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking **Advanced** from the **General** tab, and then clicking **Details** from the **Compress or Encrypt attributes** area. The file should show up under the heading, **This enterprise domain can remove or revoke access:** <em>&lt;your_enterprise_identity&gt;</em>. For example, contoso.com.<li>In File Explorer, right-click the same document, and then click **Personal** from the **File Ownership** menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking **Advanced** from the **General** tab, and then verifying that the **Details** button is unavailable.</ol>**For mobile:**<br><br><ol><li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click **Select** to mark at least one file as work-related.<li>Click the elipsis (...) again, click **File ownership** from the drop down menu, and then click **Work**.<br>Make sure the file is encrypted, by locating the **Briefcase** icon next to the file name.<li>Select the same file, click **File ownership** from the drop down menu, and then click **Personal**.<br>Make sure the file is decrypted and that you're no longer seeing the **Briefcase** icon next to file name.</ol>|
-|Create work documents in enterprise-allowed apps.|**For desktop:**<br><br><ul><li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br>**Important**<br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md), based on your deployment system.</ul>**For mobile:**<br><br><ol><li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as **Work** to a local, work-related location.<br>Make sure the document is encrypted, by locating the **Briefcase** icon next to the file name.<li>Open the same document and attempt to save it to a non-work-related location.<br>WIP should stop you from saving the file to this location.<li>Open the same document one last time, make a change to the contents, and then save it again using the **Personal** option.<br>Make sure the file is decrypted and that you're no longer seeing the **Briefcase** icon next to file name.</ol>|
-|Block enterprise data from non-enterprise apps.|<ol><li>Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.<br>The app shouldn't be able to access the file.<li>Try double-clicking or tapping on the work-encrypted file.<br>If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.</ol>|
-|Copy and paste from enterprise apps to non-enterprise apps.|<ol><li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either **Change to personal** or **Keep at work**.<li>Click **Keep at work**.<br>The content isn't pasted into the non-enterprise app.<li>Repeat Step 1, but this time click **Change to personal**, and try to paste the content again.<br>The content is pasted into the non-enterprise app.<li>Try copying and pasting content between apps on your allowed apps list.<br>The content should copy and paste between apps without any warning messages.</ol>|
-|Drag and drop from enterprise apps to non-enterprise apps.|<ol><li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either **Keep at work** or **Change to personal**.<li>Click **Keep at work**.<br>The content isn't dropped into the non-enterprise app.<li>Repeat Step 1, but this time click **Change to personal**, and try to drop the content again.<br>The content is dropped into the non-enterprise app.<li>Try dragging and dropping content between apps on your allowed apps list.<br>The content should move between the apps without any warning messages.</ol>|
-|Share between enterprise apps and non-enterprise apps.|<ol><li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.<br>You should see a WIP-related warning box, asking you to click either **Keep at work** or **Change to personal**.<li>Click **Keep at work**.<br>The content isn't shared into Facebook.<li>Repeat Step 1, but this time click **Change to personal**, and try to share the content again.<br>The content is shared into Facebook.<li>Try sharing content between apps on your allowed apps list.<br>The content should share between the apps without any warning messages.</ol>|
-|Verify that Windows system components can use WIP.|<ol><li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.<li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon.<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br>**Note**<br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</ol>|
-|Use WIP on NTFS, FAT, and exFAT systems.|<ol><li>Start an app that uses the FAT or exFAT file system (for example a SD card or USB flash drive), and appears on your allowed apps list.<li>Create, edit, write, save, copy, and move files.<br>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</ol>|
-|Verify your shared files can use WIP.|<ol><li>Download a file from a protected file share, making sure the file is encrypted by locating the **Briefcase** icon next to the file name.<li>Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.<li>Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.<br>The app shouldn't be able to access the file share.</ol>|
-|Verify your cloud resources can use WIP.|<ol><li>Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.<li>Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.<br>Both browsers should respect the enterprise and personal boundary.<li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn't be able to access the sites.<br><br>**Note**<br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as **Work**.</ol>|
-|Verify your Virtual Private Network (VPN) can be auto-triggered.|<ol><li>Set up your VPN network to start based on the **WIPModeID** setting.<br>For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md) topic.<li>Start an app from your allowed apps list.<br>The VPN network should automatically start.<li>Disconnect from your network and then start an app that isn't on your allowed apps list.<br>The VPN shouldn't start and the app shouldn't be able to access your enterprise network.</ol>|
-|Unenroll client devices from WIP.|<ul><li>Unenroll a device from WIP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br>**Important**<br>On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as **Revoked** and that access is denied for the employee. On mobile devices, the data is removed.|
+- **Encrypt and decrypt files using File Explorer**:
+
+  1. Open File Explorer, right-click a work document, and then click **Work** from the **File Ownership** menu.
+
+      Make sure the file is encrypted by right-clicking the file again, clicking **Advanced** from the **General** tab, and then clicking **Details** from the **Compress or Encrypt attributes** area. The file should show up under the heading, **This enterprise domain can remove or revoke access:** `*<your_enterprise_identity>*`. For example, `contoso.com`.
+
+  2. In File Explorer, right-click the same document, and then click **Personal** from the **File Ownership** menu.
+
+      Make sure the file is decrypted by right-clicking the file again, clicking **Advanced** from the **General** tab, and then verifying that the **Details** button is unavailable.
+
+- **Create work documents in enterprise-allowed apps**: Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
+
+  Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
+
+  > [!IMPORTANT]
+  > Certain file types like `.exe` and `.dll`, along with certain file paths, such as `%windir%` and `%programfiles%` are excluded from automatic encryption.
+
+  For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md), based on your deployment system.
+
+- **Block enterprise data from non-enterprise apps**:
+
+  1. Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.
+
+      The app shouldn't be able to access the file.
+
+  2. Try double-clicking or tapping on the work-encrypted file. If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.
+
+- **Copy and paste from enterprise apps to non-enterprise apps**:
+
+  1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
+
+      You should see a WIP-related warning box, asking you to click either **Change to personal** or **Keep at work**.
+
+  2. Click **Keep at work**. The content isn't pasted into the non-enterprise app.
+  3. Repeat Step 1, but this time click **Change to personal**, and try to paste the content again.
+
+      The content is pasted into the non-enterprise app.
+
+  4. Try copying and pasting content between apps on your allowed apps list. The content should copy and paste between apps without any warning messages.
+
+- **Drag and drop from enterprise apps to non-enterprise apps**:
+
+  1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
+
+      You should see a WIP-related warning box, asking you to click either **Keep at work** or **Change to personal**.
+
+  2. Click **Keep at work**. The content isn't dropped into the non-enterprise app.
+  3. Repeat Step 1, but this time click **Change to personal**, and try to drop the content again.
+
+      The content is dropped into the non-enterprise app.
+
+  4. Try dragging and dropping content between apps on your allowed apps list. The content should move between the apps without any warning messages.
+
+- **Share between enterprise apps and non-enterprise apps**: 
+
+  1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
+
+      You should see a WIP-related warning box, asking you to click either **Keep at work** or **Change to personal**.
+
+  2. Click **Keep at work**. The content isn't shared into Facebook.
+  3. Repeat Step 1, but this time click **Change to personal**, and try to share the content again.
+
+      The content is shared into Facebook.
+
+  4. Try sharing content between apps on your allowed apps list. The content should share between the apps without any warning messages.
+
+- **Verify that Windows system components can use WIP**:
+
+  1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
+
+      Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
+
+  2. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.
+  3. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.
+
+      > [!NOTE]
+      > Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.
+      > 
+      > A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
+
+- **Use WIP on NTFS, FAT, and exFAT systems**:
+
+  1. Start an app that uses the FAT or exFAT file system (for example a SD card or USB flash drive), and appears on your allowed apps list.
+  2. Create, edit, write, save, copy, and move files. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.
+
+- **Verify your shared files can use WIP**:
+
+  1. Download a file from a protected file share, making sure the file is encrypted by locating the **Briefcase** icon next to the file name.
+  2. Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.
+  3. Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.
+
+      The app shouldn't be able to access the file share.
+
+- **Verify your cloud resources can use WIP**:
+
+  1. Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
+  2. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
+
+      Both browsers should respect the enterprise and personal boundary.
+
+  3. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
+
+      IE11 shouldn't be able to access the sites.
+
+      > [!NOTE]
+      > Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as **Work**.
+
+- **Verify your Virtual Private Network (VPN) can be auto-triggered**:
+
+  1. Set up your VPN network to start based on the **WIPModeID** setting. For specific info, see [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md).
+  2. Start an app from your allowed apps list. The VPN network should automatically start.
+  3. Disconnect from your network and then start an app that isn't on your allowed apps list.
+
+      The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
+
+- **Unenroll client devices from WIP**: Unenroll a device from WIP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.
+
+  The device should be removed and all of the enterprise content for that managed account should be gone.
+
+  > [!IMPORTANT]
+  > On client devices, the data isn't removed and can be recovered. So, you must make sure the content is marked as **Revoked** and that access is denied for the employee.
+
 
 >[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

From 53137f8b7ebc9735af2afaf8c4399220a8be2586 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 17:46:23 -0500
Subject: [PATCH 22/73] Spacing

---
 ...defender-smartscreen-available-settings.md | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index db2db95ffd..39945ec254 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -29,14 +29,14 @@ SmartScreen uses registry-based Administrative Template policy settings.
 
 Setting|Supported on|Description|
 |--- |--- |--- |
-|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p>**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen<p>**At least Windows Server 2012, Windows 8 or Windows RT**|This policy setting turns on Microsoft Defender SmartScreen. <p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.|
-|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.<p>**Important:**  Using a trustworthy browser helps ensure that these protections work as expected.|
-|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<p>**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen|Microsoft Edge on Windows 10 or Windows 11|This policy setting turns on Microsoft Defender SmartScreen. <p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.|
-|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<p>**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<p>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.|
-|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<p>**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<p>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.|
-|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.<p>If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.|
-|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings|Internet Explorer 8 or later|This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.|
-|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.<p>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<p>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.|
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<br/><br/>**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen<br/><br/>**At least Windows Server 2012, Windows 8 or Windows RT**|This policy setting turns on Microsoft Defender SmartScreen. <br/><br/>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<br/><br/>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. <br/><br/>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.|
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.<br/><br/>This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.<br/><br/>**Important:**  Using a trustworthy browser helps ensure that these protections work as expected.|
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<br/><br/>Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<br/><br/>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<br/><br/>Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)<br/><br/>**Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen|Microsoft Edge on Windows 10 or Windows 11|This policy setting turns on Microsoft Defender SmartScreen. <br/><br/>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<br/><br/>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. <br/><br/>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.|
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<br/><br/>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<br/><br/>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<br/><br/>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)<br/><br/>**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<br/><br/>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<br/><br/>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.|
+|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<br/><br/>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<br/><br/>**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<br/><br/>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)<br/><br/>**Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<br/><br/>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<br/><br/>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.|
+|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.<br/><br/>If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.<br/><br/>If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.|
+|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings|Internet Explorer 8 or later|This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.<br/><br/>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<br/><br/>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.|
+|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.<br/><br/>If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.<br/><br/>If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.|
 
 
 ## MDM settings
@@ -59,9 +59,9 @@ To better help you protect your organization, we recommend turning on and using
 
 |Group Policy setting|Recommendation|
 |--- |--- |
-|Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<p>dministrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)|**Enable.**  Turns on Microsoft Defender SmartScreen.|
-|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<p>dministrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)|**Enable.**  Stops employees from ignoring warning messages and continuing to a potentially malicious website.|
-|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<p>dministrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)|**Enable.**  Stops employees from ignoring warning messages and continuing to download potentially malicious files.|
+|Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)<br/><br/>Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)|**Enable.**  Turns on Microsoft Defender SmartScreen.|
+|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)<br/><br/>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)|**Enable.**  Stops employees from ignoring warning messages and continuing to a potentially malicious website.|
+|Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)<br/><br/>Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)|**Enable.**  Stops employees from ignoring warning messages and continuing to download potentially malicious files.|
 |Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen|**Enable with the Warn and prevent bypass option.**  Stops employees from ignoring warning messages about malicious files downloaded from the Internet.|
 
 |MDM setting|Recommendation|
@@ -69,8 +69,8 @@ To better help you protect your organization, we recommend turning on and using
 |Browser/AllowSmartScreen|**1.**  Turns on Microsoft Defender SmartScreen.|
 |Browser/PreventSmartScreenPromptOverride|**1.**  Stops employees from ignoring warning messages and continuing to a potentially malicious website.|
 |Browser/PreventSmartScreenPromptOverrideForFiles|**1.**  Stops employees from ignoring warning messages and continuing to download potentially malicious files.|
-|SmartScreen/EnableSmartScreenInShell|**1.**  Turns on Microsoft Defender SmartScreen in Windows.<p>Requires at least Windows 10, version 1703.|
-|SmartScreen/PreventOverrideForFilesInShell|**1.**  Stops employees from ignoring warning messages about malicious files downloaded from the Internet.<p>Requires at least Windows 10, version 1703.|
+|SmartScreen/EnableSmartScreenInShell|**1.**  Turns on Microsoft Defender SmartScreen in Windows.<br/><br/>Requires at least Windows 10, version 1703.|
+|SmartScreen/PreventOverrideForFilesInShell|**1.**  Stops employees from ignoring warning messages about malicious files downloaded from the Internet.<br/><br/>Requires at least Windows 10, version 1703.|
 
 ## Related topics
 
@@ -78,4 +78,4 @@ To better help you protect your organization, we recommend turning on and using
 
 - [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)
 
-- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies)
\ No newline at end of file
+- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies)

From 512e9691e182f1c32c6815c49f78629e59380d57 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 17:57:49 -0500
Subject: [PATCH 23/73] Spacing

---
 .../applocker/create-a-rule-for-packaged-apps.md     | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index 9c9dc7f558..1c676d9236 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -60,12 +60,12 @@ You can perform this task by using the Group Policy Management Console for an Ap
 
     |Selection|Description|Example|
     |--- |--- |--- |
-    |Applies to **Any publisher**|This is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install. <p>Conversely, if this is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running.|You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.|
-    |Applies to a specific **Publisher**|This scopes the rule to all apps published by a particular publisher.|You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.|
-    |Applies to a **Package name**|This scopes the rule to all packages that share the publisher name and package name as the reference file.|You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.|
-    |Applies to a **Package version**|This scopes the rule to a particular version of the package.|You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.|
-    |Applying custom values to the rule|Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance.|You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.|
-     
+    |Applies to **Any publisher**|This is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install. <br/><br/>Conversely, if this is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running. | You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.|
+    |Applies to a specific **Publisher** | This scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. |
+    |Applies to a **Package name** | This scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. |
+    |Applies to a **Package version** | This scopes the rule to a particular version of the package. | You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. |
+    |Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding “Microsoft.Bing*” as the Package name. |
+
 6.  Select **Next**.
 7.  (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
 8.  On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.

From 3817da3402d62eb1d68b2d5df08fd7129e501cb3 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 18:03:13 -0500
Subject: [PATCH 24/73] spacing

---
 .../determine-your-application-control-objectives.md   | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
index 594f737b63..bb43e3b175 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -40,15 +40,15 @@ Use the following table to develop your own objectives and determine which appli
 |Application control function|SRP|AppLocker|
 |--- |--- |--- |
 |Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to the support versions of Windows listed in[Requirements to use AppLocker](requirements-to-use-applocker.md).|
-|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<p>AppLocker permits customization of error messages to direct users to a Web page for help.|
+|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<br/><br/>AppLocker permits customization of error messages to direct users to a Web page for help.|
 |Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
 |Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.<p>SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.|
-|File types that can be controlled|SRP can control the following file types:<li>Executables<li>DLLs<li>Scripts<li>Windows Installers<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>DLLs<li>Scripts<li>Windows Installers<li>Packaged apps and installers<p>AppLocker maintains a separate rule collection for each of the five file types.|
+|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.<br/><br/>SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.|
+|File types that can be controlled|SRP can control the following file types:<li>Executables<li>DLLs<li>Scripts<li>Windows Installers<br/><br/>SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>DLLs<li>Scripts<li>Windows Installers<li>Packaged apps and installers<br/><br/>AppLocker maintains a separate rule collection for each of the five file types.|
 |Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this. AppLocker currently supports the following file extensions:<li>Executables (.exe, .com)<li>DLLs (.ocx, .dll)<li>Scripts (.vbs, .js, .ps1, .cmd, .bat)<li>Windows Installers (.msi, .mst, .msp)<li>Packaged app installers (.appx)|
-|Rule types|SRP supports four types of rules:<li>Hash<li>Path<li>Signature<p>Internet zone|AppLocker supports three types of rules:<li>Hash<li>Path<li>Publisher|
+|Rule types|SRP supports four types of rules:<li>Hash<li>Path<li>Signature<br/><br/>Internet zone|AppLocker supports three types of rules:<li>Hash<li>Path<li>Publisher|
 |Editing the hash value|SRP allows you to select a file to hash.|AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.|
-|Support for different security levels|With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.|
+|Support for different security levels|With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.<br/><br/>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.|
 |Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.|
 |Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
 |Support for rule exceptions|SRP does not support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.|

From 4373e3b264a508a69293c3e529c03b6c33725145 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 18:12:38 -0500
Subject: [PATCH 25/73] Replaced caution with important

---
 .../applocker/plan-for-applocker-policy-management.md          | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index 44d6d198a7..2f5df9dc7c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -87,7 +87,8 @@ As new apps are deployed or existing apps are updated by the software publisher,
 
 You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013) (https://go.microsoft.com/fwlink/p/?LinkId=145013).
 
->**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
+> [!IMPORTANT]
+> You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
  
 **New version of a supported app**
 

From 258d4349b1197d386b0d13fd589f6555085b5a45 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 18:19:49 -0500
Subject: [PATCH 26/73] Notes

---
 .../understand-applocker-policy-design-decisions.md    | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index 7c3e95c7e8..c14abfaefc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -57,7 +57,8 @@ You might need to control a limited number of apps because they access sensitive
 | Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.|
 |Understand app usage, but there is no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.|
 
->**Important:**  The following list contains files or types of files that cannot be managed by AppLocker:
+> [!IMPORTANT]
+> The following list contains files or types of files that cannot be managed by AppLocker:
 
 -   AppLocker does not protect against running 16-bit DOS binaries in an NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe.
 
@@ -65,7 +66,8 @@ You might need to control a limited number of apps because they access sensitive
 
 -   AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker cannot control every kind of interpreted code, for example Microsoft Office macros.
 
-    >**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.
+  > [!IMPORTANT]
+  > You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded.
 
 -   AppLocker rules allow or prevent an app from launching. AppLocker does not control the behavior of apps after they are launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules.
 
@@ -101,7 +103,7 @@ If your organization supports multiple Windows operating systems, app control po
 
 |Possible answers|Design considerations|
 |--- |--- |
-|Your organization's computers are running a combination of the following operating systems:<li>Windows 11<li>Windows 10<li>Windows 8<li>Windows 7<li>Windows Vista<li>Windows XP<li>Windows Server 2012<li>Windows Server 2008 R2<li>Windows Server 2008<li>Windows Server 2003|AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).<div class="alert"> **Note:** If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.</div><p>AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.|
+|Your organization's computers are running a combination of the following operating systems:<li>Windows 11<li>Windows 10<li>Windows 8<li>Windows 7<li>Windows Vista<li>Windows XP<li>Windows Server 2012<li>Windows Server 2008 R2<li>Windows Server 2008<li>Windows Server 2003|AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).<br/><br/> **Note:** If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.<br/><br/>AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.|
 |Your organization's computers are running only the following operating systems:<li>Windows 11<li>Windows 10<li>Windows 8.1<li>Windows 8<li>Windows 7<li>Windows Server 2012 R2<li>Windows Server 2012<li>Windows Server 2008 R2|Use AppLocker to create your application control policies.|
 
 ### Are there specific groups in your organization that need customized application control policies?
@@ -177,7 +179,7 @@ AppLocker is very effective for organizations that have application restriction
 | Possible answers | Design considerations |
 | - | - |
 | Users run without administrative rights. | Apps are installed by using an installation deployment technology.|
-| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.<br/>**Note: **AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. 
+| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.<br/><br/>**Note:** AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. 
 | Users currently have administrator access, and it would be difficult to change this.|Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.|
 
 ### Is the structure in Active Directory Domain Services based on the organization's hierarchy?

From 553905f9290df317179238ff89225d85bcd8eba6 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Tue, 7 Dec 2021 18:24:25 -0500
Subject: [PATCH 27/73] Removed <p>

---
 ...ware-restriction-policies-in-the-same-domain.md | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
index d7bb4ad515..40d68279fe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
@@ -42,22 +42,18 @@ The following table compares the features and functions of Software Restriction
 |Application control function|SRP|AppLocker|
 |--- |--- |--- |
 |Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to Windows Server 2008 R2, Windows 7, and later.|
-|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<p>AppLocker permits customization of error messages to direct users to a Web page for help.|
+|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<br/><br/>AppLocker permits customization of error messages to direct users to a Web page for help.|
 |Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
 |Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.<p>SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there is a matching allow rule.|
-|File types that can be controlled|SRP can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<p>SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<li>Packaged apps and installers<p>AppLocker maintains a separate rule collection for each of the five file types.|
+|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.<br/><br/>SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there is a matching allow rule.|
+|File types that can be controlled|SRP can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<br/><br/>SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<li>Packaged apps and installers<br/><br/>AppLocker maintains a separate rule collection for each of the five file types.|
 |Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:<li>Executables (.exe, .com)<li>Dlls (.ocx, .dll)<li>Scripts (.vbs, .js, .ps1, .cmd, .bat)<li>Windows Installers (.msi, .mst, .msp)<li>Packaged app installers (.appx)|
 |Rule types|SRP supports four types of rules:<li>Hash<li>Path<li>Signature<li>Internet zone|AppLocker supports three types of rules:<li>File hash<li>Path<li>Publisher|
-|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.<p>Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.|
-|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.|
+|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.<br/><br/>Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.|
+|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.<br/><br/>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.|
 |Manage Packaged apps and Packaged app installers.|Not supported|.appx is a valid file type which AppLocker can manage.|
 |Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
 |Support for rule exceptions|SRP does not support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.|
 |Support for audit mode|SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.|
 |Support for exporting and importing policies|SRP does not support policy import/export.|AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.|
 |Rule enforcement|Internally, SRP rules enforcement happens in the user-mode, which is less secure.|Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.|
-
- 
- 
- 

From 9e74247d6bacfa18683625ed00eb9c319b8934e0 Mon Sep 17 00:00:00 2001
From: Daniel Simpson <dansimp@microsoft.com>
Date: Tue, 7 Dec 2021 15:46:10 -0800
Subject: [PATCH 28/73] Update
 bitlocker-device-encryption-overview-windows-10.md

---
 .../bitlocker-device-encryption-overview-windows-10.md        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index cbd4a6c3a0..2b18579a8c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -142,6 +142,6 @@ Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage
 * Enforces the BitLocker encryption policy options that you set for your enterprise.
 * Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager.
 * Offers an IT-customizable recovery user experience.
-* Supports Windows 11 and Windows 10.
+* Supports Windows 10.
 
-For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/) on the MDOP TechCenter.
\ No newline at end of file
+For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/) on the MDOP TechCenter.

From edd381a30c95ee42a51b0644237cbd2756d6976d Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Tue, 7 Dec 2021 16:51:29 -0800
Subject: [PATCH 29/73] Fix broken note

---
 .../hello-for-business/hello-manage-in-organization.md          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index d687edd606..5610f8e167 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -123,7 +123,7 @@ All PIN complexity policies, are grouped separately from feature enablement and
 
 >[!NOTE]
 > Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
-
+>
 ><b>Examples</b>
 >
 >The following are configured using computer Group Policy:

From b1379d4c1c4e4a65d77ccc2c429b9bee04beb858 Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Tue, 7 Dec 2021 16:55:16 -0800
Subject: [PATCH 30/73] Correct markup of warning

---
 ...ared-volumes-and-storage-area-networks-with-bitlocker.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index 052dd0fee8..df18662e36 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -67,7 +67,9 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote
 BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster:
 
 1.  Install the BitLocker Drive Encryption feature if it is not already installed.
+
 2.  Ensure the disk is formatted NTFS and has a drive letter assigned to it.
+
 3.  Identify the name of the cluster with Windows PowerShell.
 
     ```powershell
@@ -80,9 +82,11 @@ BitLocker encryption is available for disks before or after addition to a cluste
     Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
     ```
 
-    >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
+    > [!WARNING]
+    > You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
      
 5.  Repeat the preceding steps for each disk in the cluster.
+
 6.  Add the volume(s) to the cluster.
 
 ### Turning on BitLocker for a clustered disk using Windows PowerShell

From b6e8f02ce1b2d307b3d08992a2cdaaf5c1fda66c Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Tue, 7 Dec 2021 16:57:24 -0800
Subject: [PATCH 31/73] Corrected font weight of table headings

Table headings are bold by default. Adding formatting for bold results in a lighter weight font than is standard on the platform (unless the table has the correct markup for a "data matrix" table).
---
 ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index df18662e36..efd311bfe6 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -167,7 +167,7 @@ Unlike CSV2.0 volumes, physical disk resources can only be accessed by one clust
 
 The following table contains information about both Physical Disk Resources (that is, traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation.
 
-|**Action**|**On owner node of failover volume**|**On Metadata Server (MDS) of CSV**|**On (Data Server) DS of CSV**|**Maintenance Mode**|
+| Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode |
 |--- |--- |--- |--- |--- |
 |**Manage-bde –on**|Blocked|Blocked|Blocked|Allowed|
 |**Manage-bde –off**|Blocked|Blocked|Blocked|Allowed|

From c60321901d9c72dd9c78c3a460cc64caade187a4 Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Tue, 7 Dec 2021 16:58:43 -0800
Subject: [PATCH 32/73] Corrected markup of a warning

---
 ...ared-volumes-and-storage-area-networks-with-bitlocker.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index efd311bfe6..d176a4f457 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -117,7 +117,9 @@ When the cluster service owns a disk resource already, it needs to be set into m
     ```powershell
     Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
     ```
-    >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
+
+    > [!WARNING]
+    > You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
      
 6.  Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode:
 
@@ -182,7 +184,7 @@ The following table contains information about both Physical Disk Resources (tha
 |**Shrink**|Allowed|Allowed|Blocked|Allowed|
 |**Extend**|Allowed|Allowed|Blocked|Allowed|
 
->[!NOTE]
+> [!NOTE]
 > Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
  
 In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process.

From f887e48403dcd847e4452f2c18bdd0ecaf0874a6 Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Tue, 7 Dec 2021 17:24:15 -0800
Subject: [PATCH 33/73] Correct markup of notes

---
 .../windows-10-mobile-security-guide.md               | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md
index 8f680ea6ff..cd44f7491b 100644
--- a/windows/security/threat-protection/windows-10-mobile-security-guide.md
+++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md
@@ -44,7 +44,8 @@ Because Windows Hello is supported across all Windows 10 devices, organizations
 
 Windows Hello supports iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors.
 
->**Note:** When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+> [!NOTE]
+> When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
 
 ### <a href="" id="secured-credentials"></a>Secured credentials
 
@@ -61,7 +62,8 @@ Windows Hello supports three biometric sensor scenarios:
 - **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello.
 - **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology.
 
->Users must create an unlock PIN while they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture.
+> [!NOTE]
+> Users must create an unlock PIN while they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture.
 
 All three of these biometric factors – face, finger, and iris – are unique to an individual. To capture enough data to uniquely identify an individual, a biometric scanner might initially capture images in multiple conditions or with additional details. For example, an iris scanner will capture images of both eyes or both eyes with and without eyeglasses or contact lenses.
 
@@ -169,7 +171,7 @@ The table below outlines how Windows 10 Mobile mitigates specific malware threat
 |A website that includes malicious code exploits a vulnerability in the web browser to run malware on the client device.|Microsoft Edge includes Enhanced Protected Mode, which uses AppContainer-based sandboxing to help protect the system against vulnerabilities that at attacker may discover in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.|
 
 
->[!NOTE]
+> [!NOTE]
 > The Windows 10 Mobile devices use a System on a Chip (SoC) design provided by SoC vendors such as Qualcomm. With this architecture, the SoC vendor and device manufacturers provide the pre-UEFI bootloaders and the UEFI environment. The UEFI environment implements the UEFI Secure Boot standard described in section 27 of the UEFI specification, which can be found at [www.uefi.org/specs]( http://www.uefi.org/specs). This standard describes the process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI-based device before they are executed.
 
 ### <a href="" id="companion-devices"></a>UEFI with Secure Boot
@@ -199,7 +201,8 @@ Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard
 
 Many assume that original equipment manufacturers (OEMs) must implant a TPM in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 Mobile supports only firmware TPM that complies with the 2.0 standard. Windows does not differentiate between discrete and firmware-based solutions because both must meet the same implementation and security requirements. Therefore, any Windows 10 feature that can take advantage of TPM can be used with Windows 10 Mobile.
 
->Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
+> [!NOTE]
+> Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
 
 Several Windows 10 Mobile security features require TPM:
 - Virtual smart cards

From 8d897f4da6983ed50c54b34592f9cc4b0374f836 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Wed, 8 Dec 2021 08:59:34 +0530
Subject: [PATCH 34/73] Html to md table-Sweep batch 28

---
 .../client-management/mdm/bitlocker-csp.md    | 774 ++++++------------
 .../mdm/policy-csp-update.md                  |  40 +-
 .../provisioning-packages.md                  |  12 -
 3 files changed, 268 insertions(+), 558 deletions(-)

diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 456fbbd28c..c0d680c371 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -68,24 +68,16 @@ Defines the root node for the BitLocker configuration service provider.
 Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|No|
+|Education|No|No|
+|Mobile|Yes|Yes|
+
 <!--/SupportedSKUs-->
 
 Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
@@ -124,24 +116,16 @@ Data type is integer. Supported operations are Add, Get, Replace, and Delete.
 Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|Yes|Yes|
+
 <!--/SupportedSKUs-->
 Data type is integer. Sample value for this node to enable this policy: 1.
 Supported operations are Add, Get, Replace, and Delete.
@@ -193,24 +177,16 @@ If you want to disable this policy, use the following SyncML:
 Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
 <!--/Description-->
 <!--SupportedValues-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedValues-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -276,26 +252,16 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
 Allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -347,26 +313,16 @@ If you disable or do not configure this setting, the identification field is not
 Allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -400,26 +356,16 @@ If this policy is disabled, the options of "Require additional authentication at
 Allows users to configure whether or not enhanced startup PINs are used with BitLocker.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -456,26 +402,16 @@ If you disable or do not configure this policy setting, enhanced PINs will not b
 Allows you to configure whether standard users are allowed to change BitLocker PIN or password that is used to protect the operating system drive.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -512,26 +448,16 @@ Sample value for this node to disable this policy is:
 Allows users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -574,26 +500,16 @@ When the Windows Recovery Environment is not enabled and this policy is not enab
 Allows you to configure the encryption type that is used by BitLocker.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -633,26 +549,16 @@ For more information about the tool to manage BitLocker, see [Manage-bde](/windo
 This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup".
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -741,26 +647,16 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
 This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup".
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -818,26 +714,16 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
 (PrebootRecoveryInfo_Name).
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -907,26 +793,16 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
 This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -1004,26 +880,16 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
 This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -1110,26 +976,16 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
 This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-   
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -1179,26 +1035,16 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
 Allows you to configure the encryption type on fixed data drives that is used by BitLocker.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -1240,26 +1086,16 @@ For more information about the tool to manage BitLocker, see [Manage-bde](/windo
 This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -1320,26 +1156,16 @@ Disabling the policy will let the system choose the default behaviors. If you wa
 Allows you to configure the encryption type that is used by BitLocker.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -1375,26 +1201,16 @@ If this policy is disabled or not configured, the BitLocker Setup Wizard asks th
 Allows you to control the use of BitLocker on removable data drives.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
@@ -1445,26 +1261,16 @@ Allows the admin to disable the warning prompt for other disk encryption on the
 > [!Warning]
 > When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 The following list shows the supported values:
@@ -1509,26 +1315,16 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol
 
 If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 The expected values for this policy are:
@@ -1564,26 +1360,16 @@ This setting initiates a client-driven recovery password refresh after an OS dri
 <!--/Description-->
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 
 Value type is int. Supported operations are Add, Delete, Get, and Replace.
@@ -1619,26 +1405,16 @@ Each server-side recovery key rotation is represented by a request ID. The serve
 - RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
 - RotateRecoveryPasswordsRotationStatus: Returns status of last request processed.
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 
 Value type is string. Supported operation is Execute. Request ID is expected as a parameter.
@@ -1664,26 +1440,16 @@ Interior node. Supported operation is Get.
 This node reports compliance state of device encryption on the system. 
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 
 <!--SupportedValues-->
@@ -1732,26 +1498,16 @@ Status code can be one of the following:
 - 0 - Pass
 - Any other code - Failure HRESULT
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 <!--/SupportedSKUs-->
 
 Value type is int. Supported operation is Get.
@@ -1767,26 +1523,16 @@ This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
 This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
 <!--/Description-->
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Home</th>
-    <th>Pro</th>
-    <th>Business</th>
-    <th>Enterprise</th>
-    <th>Education</th>
-    <th>Mobile</th>
-    
-</tr>
-<tr>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/checkmark.png" alt="check mark" /></td>
-    <td><img src="images/crossmark.png" alt="cross mark" /></td>
-    
-</tr>
-</table> 
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|No|No|
+
 
 <!--/SupportedSKUs-->
 
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index a2120ee9fb..e3bcc31993 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -2422,38 +2422,14 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd
 <a href="" id="update-productversion"></a>**Update/ProductVersion**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>No</td>
-    <td>No</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 8f3f00962f..6c9e724c17 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -86,18 +86,6 @@ The following table describes settings that you can configure using the wizards
 | Configure kiosk common settings | Set tablet mode, configure welcome and shutdown screens, turn off timeout settings | ❌ | ✔️ | ❌ |
 | Developer Setup | Enable Developer Mode  | ❌ | ❌ | ✔️ |
 
-
-<!-- <table><tr><td align="left"><strong>Step</strong></td><td align="left"><strong>Description</strong></td><td><strong>Desktop wizard</strong></td><td align="center"><strong>Mobile wizard</strong></td><td><strong>Kiosk wizard</strong></td><td><strong>HoloLens wizard</strong></td></tr> -->
-<!-- <tr><td valign="top">Set up device</td><td valign="top">Assign device name,</br>enter product key to upgrade Windows,</br>configure shared used,</br>remove pre-installed software</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></br>(Only device name and upgrade key)</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr> -->
-<!-- <tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fi network</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr> -->
-<!-- <tr><td valign="top">Account management</td><td valign="top">Enroll device in Active Directory,</br>enroll device in Azure Active Directory,</br>or create a local administrator account</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no33"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr> -->
-<!-- <tr><td valign="top">Bulk Enrollment in Azure AD</td><td valign="top">Enroll device in Azure Active Directory</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>.</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no44"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no66"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no55"/></td></tr> -->
-<!-- <tr><td valign="top">Add applications</td><td valign="top">Install applications using the provisioning package.</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no77"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no88"/></td></tr> -->
-<!-- <tr><td valign="top">Add certificates</td><td valign="top">Include a certificate file in the provisioning package.</td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no99"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr> -->
-<!-- <tr><td valign="top">Configure kiosk account and app</td><td valign="top">Create local account to run the kiosk mode app,</br>specify the app to run in kiosk mode</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no00"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no111"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no222"/></td></tr> -->
-<!-- <tr><td valign="top">Configure kiosk common settings</td><td valign="top">Set tablet mode,</br>configure welcome and shutdown screens,</br>turn off timeout settings</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no333"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no555"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no666"/></td></tr> -->
-<!-- <tr><td valign="top">Developer Setup</td><td valign="top">Enable Developer Mode.</td><td align="center" valign="top"><img src="../images/crossmark.png" alt="n777o"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no444"/></td><td align="center" valign="top"><img src="../images/crossmark.png" alt="no888"/></td><td align="center" valign="top"><img src="../images/checkmark.png" alt="yes"/></td></tr></table> -->
-
 - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
 - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
 - [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#wizard)

From 6376d7074957baf11e3d42ccf6ebb1d22d69ca91 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Wed, 8 Dec 2021 12:41:31 +0530
Subject: [PATCH 35/73] Sweep 2

---
 ...release-notes-for-appv-for-windows-1703.md | 157 ++-
 .../change-history-for-mdm-documentation.md   | 970 ++----------------
 .../set-up-shared-or-guest-pc.md              | 199 ++--
 .../upgrade/windows-10-edition-upgrades.md    | 109 +-
 windows/deployment/wds-boot-support.md        |  66 +-
 .../windows-10-deployment-scenarios.md        | 131 +--
 windows/deployment/windows-10-poc-mdt.md      |  26 +-
 windows/deployment/windows-10-poc.md          | 315 ++----
 8 files changed, 454 insertions(+), 1519 deletions(-)

diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index 8765ba9fa6..a6f88ea7a3 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -19,90 +19,81 @@ ms.author: greglin
 
 The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10 version 1703 and later
 
-<table border="1">
-    <thead>
-        <th>Problem</th>
-        <th>Workaround</th>
-    </thead>
-    <tbody>
-        <tr>
-            <td>Unable to manually create a system-owned folder needed for the <code>set-AppVClientConfiguration</code> PowerShell cmdlet when using the <i>PackageInstallationRoot</i>, <i>IntegrationRootUser</i>, or <i>IntegrationRootGlobal</i> parameters.</td>
-            <td>Don&#39;t create this file manually, instead let the <code>Add-AppVClientPackage</code> cmdlet auto-generate it.</td>
-        </tr>
-        <tr>
-            <td>Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.</td>
-            <td>Make sure you have the complete App-V package or the MSI file from the original app.</td>
-        </tr>
-        <tr>
-            <td>Unable to modify the locale for auto-sequencing.</td>
-            <td>Open the <code>C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml</code> file and include the language code for your locale. For example, if you wanted Spanish (Spain), you&#39;d use: <strong>es-ES</strong>.</td>
-        </tr>
-        <tr>
-            <td>Filetype and protocol handlers aren&#39;t registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the <strong>Settings &gt; Apps&gt; Default Apps</strong> area.</td>
-            <td>The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the <strong>&lt;appv:Extensions&gt;</strong> tag:
-<pre><code>
-&lt;appv:Extension Category="AppV.URLProtocol"&gt;
-    &lt;appv:URLProtocol&gt;
-        &lt;appv:Name&gt;ftp&lt;/appv:Name&gt;
-        &lt;appv:ApplicationURLProtocol&gt;
-            &lt;appv:DefaultIcon&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0&lt;/appv:DefaultIcon&gt;
-            &lt;appv:ShellCommands&gt;
-                &lt;appv:DefaultCommand&gt;open&lt;/appv:DefaultCommand&gt;
-                &lt;appv:ShellCommand&gt;
-                    &lt;appv:ApplicationId&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe&lt;/appv:ApplicationId&gt;
-                    &lt;appv:Name&gt;open&lt;/appv:Name&gt;
-                    &lt;appv:CommandLine&gt;"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"&lt;/appv:CommandLine&gt;
-                    &lt;appv:DdeExec&gt;
-                        &lt;appv:DdeCommand /&gt;
-                    &lt;/appv:DdeExec&gt;
-                &lt;/appv:ShellCommand&gt;
-            &lt;/appv:ShellCommands&gt;
-        &lt;/appv:ApplicationURLProtocol&gt;
-    &lt;/appv:URLProtocol&gt;
-&lt;/appv:Extension&gt;
-&lt;appv:Extension Category="AppV.URLProtocol"&gt;
-    &lt;appv:URLProtocol&gt;
-        &lt;appv:Name&gt;http&lt;/appv:Name&gt;
-        &lt;appv:ApplicationURLProtocol&gt;
-            &lt;appv:DefaultIcon&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0&lt;/appv:DefaultIcon&gt;
-            &lt;appv:ShellCommands&gt;
-                &lt;appv:DefaultCommand&gt;open&lt;/appv:DefaultCommand&gt;
-                &lt;appv:ShellCommand&gt;
-                    &lt;appv:ApplicationId&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe&lt;/appv:ApplicationId&gt;
-                    &lt;appv:Name&gt;open&lt;/appv:Name&gt;
-                    &lt;appv:CommandLine&gt;"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"&lt;/appv:CommandLine&gt;
-                    &lt;appv:DdeExec&gt;
-                        &lt;appv:DdeCommand /&gt;
-                    &lt;/appv:DdeExec&gt;
-                &lt;/appv:ShellCommand&gt;
-            &lt;/appv:ShellCommands&gt;
-        &lt;/appv:ApplicationURLProtocol&gt;
-    &lt;/appv:URLProtocol&gt;
-&lt;/appv:Extension&gt;
-&lt;appv:Extension Category="AppV.URLProtocol"&gt;
-    &lt;appv:URLProtocol&gt;
-        &lt;appv:Name&gt;https&lt;/appv:Name&gt;
-        &lt;appv:ApplicationURLProtocol&gt;
-            &lt;appv:DefaultIcon&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0&lt;/appv:DefaultIcon&gt;
-            &lt;appv:ShellCommands&gt;
-                &lt;appv:DefaultCommand&gt;open&lt;/appv:DefaultCommand&gt;
-                &lt;appv:ShellCommand&gt;
-                    &lt;appv:ApplicationId&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe&lt;/appv:ApplicationId&gt;
-                    &lt;appv:Name&gt;open&lt;/appv:Name&gt;
-                    &lt;appv:CommandLine&gt;"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"&lt;/appv:CommandLine&gt;
-                    &lt;appv:DdeExec&gt;
-                        &lt;appv:DdeCommand /&gt;
-                    &lt;/appv:DdeExec&gt;
-                &lt;/appv:ShellCommand&gt;
-            &lt;/appv:ShellCommands&gt;
-        &lt;/appv:ApplicationURLProtocol&gt;
-    &lt;/appv:URLProtocol&gt;
-&lt;/appv:Extension&gt;
-</code></pre><br/>            </td>
-        </tr>
-    </tbody>
-</table>
+- **Problem**: Unable to manually create a system-owned folder needed for the `set-AppVClientConfiguration` PowerShell cmdlet when using the PackageInstallationRoot, IntegrationRootUser, or IntegrationRootGlobal parameters.
 
+     **Workaround**: Don't create this file manually, instead let the `Add-AppVClientPackage` cmdlet auto-generate it.
+
+- **Problem**: Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.
+
+     **Workaround**: Make sure you have the complete App-V package or the MSI file from the original app.
+
+- **Problem**: Unable to modify the locale for auto-sequencing.
+
+     **Workaround**: Open the `C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml` file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES.
+
+- **Problem**: Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area.
+
+     **Workaround**: The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the `<appv:Extensions>` tag:
+
+```xml
+<appv:Extension Category="AppV.URLProtocol">
+    <appv:URLProtocol>
+        <appv:Name>ftp</appv:Name>
+        <appv:ApplicationURLProtocol>
+            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
+            <appv:ShellCommands>
+                <appv:DefaultCommand>open</appv:DefaultCommand>
+                <appv:ShellCommand>
+                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
+                    <appv:Name>open</appv:Name>
+                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
+                    <appv:DdeExec>
+                        <appv:DdeCommand />
+                    </appv:DdeExec>
+                </appv:ShellCommand>
+            </appv:ShellCommands>
+        </appv:ApplicationURLProtocol>
+    </appv:URLProtocol>
+</appv:Extension>
+<appv:Extension Category="AppV.URLProtocol">
+    <appv:URLProtocol>
+        <appv:Name>http</appv:Name>
+        <appv:ApplicationURLProtocol>
+            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
+            <appv:ShellCommands>
+                <appv:DefaultCommand>open</appv:DefaultCommand>
+                <appv:ShellCommand>
+                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
+                    <appv:Name>open</appv:Name>
+                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
+                    <appv:DdeExec>
+                        <appv:DdeCommand />
+                    </appv:DdeExec>
+                </appv:ShellCommand>
+            </appv:ShellCommands>
+        </appv:ApplicationURLProtocol>
+    </appv:URLProtocol>
+</appv:Extension>
+<appv:Extension Category="AppV.URLProtocol">
+    <appv:URLProtocol>
+        <appv:Name>https</appv:Name>
+        <appv:ApplicationURLProtocol>
+            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
+            <appv:ShellCommands>
+                <appv:DefaultCommand>open</appv:DefaultCommand>
+                <appv:ShellCommand>
+                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
+                    <appv:Name>open</appv:Name>
+                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
+                    <appv:DdeExec>
+                        <appv:DdeCommand />
+                    </appv:DdeExec>
+                </appv:ShellCommand>
+            </appv:ShellCommands>
+        </appv:ApplicationURLProtocol>
+    </appv:URLProtocol>
+</appv:Extension>
+```
 
 ## Related resources list
 For information that can help with troubleshooting App-V for Windows client, see:
diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md
index 8036d19764..6665d6c4ea 100644
--- a/windows/client-management/mdm/change-history-for-mdm-documentation.md
+++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md
@@ -179,907 +179,141 @@ This article lists new and updated articles for the Mobile Device Management (MD
 
 ## August 2018
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><a href="bitlocker-csp.md" data-raw-source="[BitLocker CSP](bitlocker-csp.md)">BitLocker CSP</a></td>
-<td><p>Added support for Windows 10 Pro starting in the version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="office-csp.md" data-raw-source="[Office CSP](office-csp.md)">Office CSP</a></td>
-<td><p>Added FinalStatus setting in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="remotewipe-csp.md" data-raw-source="[RemoteWipe CSP](remotewipe-csp.md)">RemoteWipe CSP</a></td>
-<td><p>Added new settings in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="tenantlockdown-csp.md" data-raw-source="[TenantLockdown CSP](tenantlockdown-csp.md)">TenantLockdown CSP</a></td>
-<td><p>Added new CSP in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="windowsdefenderapplicationguard-csp.md" data-raw-source="[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)">WindowsDefenderApplicationGuard CSP</a></td>
-<td><p>Added new settings in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="policy-ddf-file.md" data-raw-source="[Policy DDF file](policy-ddf-file.md)">Policy DDF file</a></td>
-<td><p>Posted an updated version of the Policy DDF for Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Added the following new policies in Windows 10, version 1809:</p>
-<ul>
-<li>Browser/AllowFullScreenMode</li>
-<li>Browser/AllowPrelaunch</li>
-<li>Browser/AllowPrinting</li>
-<li>Browser/AllowSavingHistory</li>
-<li>Browser/AllowSideloadingOfExtensions</li>
-<li>Browser/AllowTabPreloading</li>
-<li>Browser/AllowWebContentOnNewTabPage</li>
-<li>Browser/ConfigureFavoritesBar</li>
-<li>Browser/ConfigureHomeButton</li>
-<li>Browser/ConfigureKioskMode</li>
-<li>Browser/ConfigureKioskResetAfterIdleTimeout</li>
-<li>Browser/ConfigureOpenMicrosoftEdgeWith</li>
-<li>Browser/ConfigureTelemetryForMicrosoft365Analytics</li>
-<li>Browser/PreventCertErrorOverrides</li>
-<li>Browser/SetHomeButtonURL</li>
-<li>Browser/SetNewTabPageURL</li>
-<li>Browser/UnlockHomeButton</li>
-<li>Experience/DoNotSyncBrowserSettings</li>
-<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
-<li>Kerberos/UPNNameHints</li>
-<li>Privacy/AllowCrossDeviceClipboard</li>
-<li>Privacy/DisablePrivacyExperience</li>
-<li>Privacy/UploadUserActivities</li>
-<li>System/AllowDeviceNameInDiagnosticData</li>
-<li>System/ConfigureMicrosoft365UploadEndpoint</li>
-<li>System/DisableDeviceDelete</li>
-<li>System/DisableDiagnosticDataViewer</li>
-<li>Storage/RemovableDiskDenyWriteAccess</li>
-<li>Update/UpdateNotificationLevel</li>
-</ul>
-<p>Start/DisableContextMenus - added in Windows 10, version 1803.</p>
-<p>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.</p>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[BitLocker CSP](bitlocker-csp.md)|Added support for Windows 10 Pro starting in the version 1809.|
+|[Office CSP](office-csp.md)|Added FinalStatus setting in Windows 10, version 1809.|
+|[RemoteWipe CSP](remotewipe-csp.md)|Added new settings in Windows 10, version 1809.|
+|[TenantLockdown CSP](tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.|
+|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.|
+|[Policy DDF file](policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>Browser/AllowFullScreenMode<li>Browser/AllowPrelaunch<li>Browser/AllowPrinting<li>Browser/AllowSavingHistory<li>Browser/AllowSideloadingOfExtensions<li>Browser/AllowTabPreloading<li>Browser/AllowWebContentOnNewTabPage<li>Browser/ConfigureFavoritesBar<li>Browser/ConfigureHomeButton<li>Browser/ConfigureKioskMode<li>Browser/ConfigureKioskResetAfterIdleTimeout<li>Browser/ConfigureOpenMicrosoftEdgeWith<li>Browser/ConfigureTelemetryForMicrosoft365Analytics<li>Browser/PreventCertErrorOverrides<li>Browser/SetHomeButtonURL<li>Browser/SetNewTabPageURL<li>Browser/UnlockHomeButton<li>Experience/DoNotSyncBrowserSettings<li>Experience/PreventUsersFromTurningOnBrowserSyncing<li>Kerberos/UPNNameHints<li>Privacy/AllowCrossDeviceClipboard<li>Privacy<li>DisablePrivacyExperience<li>Privacy/UploadUserActivities<li>System/AllowDeviceNameInDiagnosticData<li>System/ConfigureMicrosoft365UploadEndpoint<li>System/DisableDeviceDelete<li>System/DisableDiagnosticDataViewer<li>Storage/RemovableDiskDenyWriteAccess<li>Update/UpdateNotificationLevel<p>Start/DisableContextMenus - added in Windows 10, version 1803.<p>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
 
 ## July 2018
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><a href="assignedaccess-csp.md" data-raw-source="[AssignedAccess CSP](assignedaccess-csp.md)">AssignedAccess CSP</a></td>
-<td><p>Added the following note:</p>
-<ul>
-<li>You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.</li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="passportforwork-csp.md" data-raw-source="[PassportForWork  CSP](passportforwork-csp.md)">PassportForWork  CSP</a></td>
-<td><p>Added new settings in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="enterprisemodernappmanagement-csp.md" data-raw-source="[EnterpriseModernAppManagement  CSP](enterprisemodernappmanagement-csp.md)">EnterpriseModernAppManagement  CSP</a></td>
-<td><p>Added NonRemovable setting under AppManagement node in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="win32compatibilityappraiser-csp.md" data-raw-source="[Win32CompatibilityAppraiser  CSP](win32compatibilityappraiser-csp.md)">Win32CompatibilityAppraiser  CSP</a></td>
-<td><p>Added new configuration service provider in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="windowslicensing-csp.md" data-raw-source="[WindowsLicensing  CSP](windowslicensing-csp.md)">WindowsLicensing  CSP</a></td>
-<td><p>Added S mode settings and SyncML examples in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="supl-csp.md" data-raw-source="[SUPL CSP](supl-csp.md)">SUPL CSP</a></td>
-<td><p>Added 3 new certificate nodes in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="defender-csp.md" data-raw-source="[Defender CSP](defender-csp.md)">Defender CSP</a></td>
-<td><p>Added a new node Health/ProductStatus in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="bitlocker-csp.md" data-raw-source="[BitLocker CSP](bitlocker-csp.md)">BitLocker CSP</a></td>
-<td><p>Added a new node AllowStandardUserEncryption in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="devdetail-csp.md" data-raw-source="[DevDetail CSP](devdetail-csp.md)">DevDetail CSP</a></td>
-<td><p>Added a new node SMBIOSSerialNumber in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Added the following new policies in Windows 10, version 1809:</p>
-<ul>
-<li>ApplicationManagement/LaunchAppAfterLogOn</li>
-<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures </li>
-<li>Authentication/EnableFastFirstSignIn (Preview mode only)</li>
-<li>Authentication/EnableWebSignIn (Preview mode only)</li>
-<li>Authentication/PreferredAadTenantDomainName</li>
-<li>Defender/CheckForSignaturesBeforeRunningScan</li>
-<li>Defender/DisableCatchupFullScan </li>
-<li>Defender/DisableCatchupQuickScan </li>
-<li>Defender/EnableLowCPUPriority</li>
-<li>Defender/SignatureUpdateFallbackOrder</li>
-<li>Defender/SignatureUpdateFileSharesSources</li>
-<li>DeviceGuard/ConfigureSystemGuardLaunch</li>
-<li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
-<li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
-<li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>
-<li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</li>
-<li>DmaGuard/DeviceEnumerationPolicy</li>
-<li>Experience/AllowClipboardHistory</li>
-<li>Security/RecoveryEnvironmentAuthentication</li>
-<li>TaskManager/AllowEndTask</li>
-<li>WindowsDefenderSecurityCenter/DisableClearTpmButton</li>
-<li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning</li>
-<li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl</li>
-<li>WindowsLogon/DontDisplayNetworkSelectionUI</li>
-</ul>
-<p>Recent changes:</p>
-<ul>
-<li>DataUsage/SetCost3G - deprecated in Windows 10, version 1809.</li>
-</ul>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following note:<p>You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.|
+|[PassportForWork  CSP](passportforwork-csp.md)|Added new settings in Windows 10, version 1809.|
+|[EnterpriseModernAppManagement  CSP](enterprisemodernappmanagement-csp.md)|Added NonRemovable setting under AppManagement node in Windows 10, version 1809.|
+|[Win32CompatibilityAppraiser  CSP](win32compatibilityappraiser-csp.md)|Added new configuration service provider in Windows 10, version 1809.|
+|[WindowsLicensing  CSP](windowslicensing-csp.md)|Added S mode settings and SyncML examples in Windows 10, version 1809.|
+|[SUPL CSP](supl-csp.md)|Added 3 new certificate nodes in Windows 10, version 1809.|
+|[Defender CSP](defender-csp.md)|Added a new node Health/ProductStatus in Windows 10, version 1809.|
+|[BitLocker CSP](bitlocker-csp.md)|Added a new node AllowStandardUserEncryption in Windows 10, version 1809.|
+|[DevDetail CSP](devdetail-csp.md)|Added a new node SMBIOSSerialNumber in Windows 10, version 1809.|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>ApplicationManagement/LaunchAppAfterLogOn<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures <li>Authentication/EnableFastFirstSignIn (Preview mode only)<li>Authentication/EnableWebSignIn (Preview mode only)<li>Authentication/PreferredAadTenantDomainName<li>Defender/CheckForSignaturesBeforeRunningScan<li>Defender/DisableCatchupFullScan <li>Defender/DisableCatchupQuickScan <li>Defender/EnableLowCPUPriority<li>Defender/SignatureUpdateFallbackOrder<li>Defender/SignatureUpdateFileSharesSources<li>DeviceGuard/ConfigureSystemGuardLaunch<li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<li>DeviceInstallation/PreventDeviceMetadataFromNetwork<li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<li>DmaGuard/DeviceEnumerationPolicy<li>Experience/AllowClipboardHistory<li>Security/RecoveryEnvironmentAuthentication<li>TaskManager/AllowEndTask<li>WindowsDefenderSecurityCenter/DisableClearTpmButton<li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<li>WindowsLogon/DontDisplayNetworkSelectionUI<p>Recent changes:<li>DataUsage/SetCost3G - deprecated in Windows 10, version 1809.|
 
 ## June 2018
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><a href="wifi-csp.md" data-raw-source="[Wifi CSP](wifi-csp.md)">Wifi CSP</a></td>
-<td><p>Added a new node WifiCost in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="diagnose-mdm-failures-in-windows-10.md" data-raw-source="[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)">Diagnose MDM failures in Windows 10</a></td>
-<td><p>Recent changes:</p>
-<ul>
-<li>Added procedure for collecting logs remotely from Windows 10 Holographic.</li>
-<li>Added procedure for downloading the MDM Diagnostic Information log.</li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="bitlocker-csp.md" data-raw-source="[BitLocker CSP](bitlocker-csp.md)">BitLocker CSP</a></td>
-<td><p>Added new node AllowStandardUserEncryption in Windows 10, version 1809.</p>
-</td></tr>
-<tr>
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Recent changes:</p>
-<ul>
-<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.</li>
-<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.</li>
-<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.</li>
-<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.</li>
-<li>System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.</li>
-<li>Security/RequireDeviceEncryption is supported in the Home SKU.</li>
-<li>Start/StartLayout - added a table of SKU support information.</li>
-<li>Start/ImportEdgeAssets - added a table of SKU support information.</li>
-</ul>
-<p>Added the following new policies in Windows 10, version 1809:</p>
-<ul>
-<li>Update/EngagedRestartDeadlineForFeatureUpdates</li>
-<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates</li>
-<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates</li>
-<li>Update/SetDisablePauseUXAccess</li>
-<li>Update/SetDisableUXWUAccess</li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="wirednetwork-csp.md" data-raw-source="[WiredNetwork CSP](wirednetwork-csp.md)">WiredNetwork CSP</a></td>
-<td>New CSP added in Windows 10, version 1809.
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[Wifi CSP](wifi-csp.md)|Added a new node WifiCost in Windows 10, version 1809.|
+|[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)|Recent changes:<li>Added procedure for collecting logs remotely from Windows 10 Holographic.<li>Added procedure for downloading the MDM Diagnostic Information log.|
+|[BitLocker CSP](bitlocker-csp.md)|Added new node AllowStandardUserEncryption in Windows 10, version 1809.|
+|[Policy CSP](policy-configuration-service-provider.md)|Recent changes:<li>AccountPoliciesAccountLockoutPolicy<li>AccountLockoutDuration - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.<li>System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.<li>Security/RequireDeviceEncryption is supported in the Home SKU.<li>Start/StartLayout - added a table of SKU support information.<li>Start/ImportEdgeAssets - added a table of SKU support information.<p>Added the following new policies in Windows 10, version 1809:<li>Update/EngagedRestartDeadlineForFeatureUpdates<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates<li>Update/SetDisablePauseUXAccess<li>Update/SetDisableUXWUAccess|
+|[WiredNetwork CSP](wirednetwork-csp.md)|New CSP added in Windows 10, version 1809.|
 
 ## May 2018
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><a href="policy-ddf-file.md" data-raw-source="[Policy DDF file](policy-ddf-file.md)">Policy DDF file</a></td>
-<td><p>Updated the DDF files in the Windows 10 version 1703 and 1709.</p>
-<ul>
-<li><a href="https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml" data-raw-source="[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)">Download the Policy DDF file for Windows 10, version 1709</a></li>
-<li><a href="https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml" data-raw-source="[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)">Download the Policy DDF file for Windows 10, version 1703</a></li>
-</ul>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[Policy DDF file](policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.<li>[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)<li>[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
 
 ## April 2018
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><a href="windowsdefenderapplicationguard-csp.md" data-raw-source="[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)">WindowsDefenderApplicationGuard CSP</a></td>
-<td><p>Added the following node in Windows 10, version 1803:</p>
-<ul>
-<li>Settings/AllowVirtualGPU</li>
-<li>Settings/SaveFilesToHost</li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="\networkproxy--csp.md" data-raw-source="[NetworkProxy CSP](\networkproxy--csp.md)">NetworkProxy CSP</a></td>
-<td><p>Added the following node in Windows 10, version 1803:</p>
-<ul>
-<li>ProxySettingsPerUser</li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="accounts-csp.md" data-raw-source="[Accounts CSP](accounts-csp.md)">Accounts CSP</a></td>
-<td><p>Added a new CSP in Windows 10, version 1803.</p>
-</td></tr>
-<tr>
-<td><a href="https://aka.ms/mmat" data-raw-source="[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)">MDM Migration Analysis Tool (MMAT)</a></td>
-<td><p>Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.</p>
-</td></tr>
-<tr>
-<td><a href="configuration-service-provider-reference.md#csp-ddf-files-download" data-raw-source="[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)">CSP DDF files download</a></td>
-<td><p>Added the DDF download of Windows 10, version 1803 configuration service providers.</p>
-</td></tr>
-<tr>
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Added the following new policies for Windows 10, version 1803:</p>
-<ul>
-<li>Bluetooth/AllowPromptedProximalConnections</li>
-<li>KioskBrowser/EnableEndSessionButton</li>
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication</li>
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic</li>
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</li>
-</ul>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:<li>Settings/AllowVirtualGPU<li>Settings/SaveFilesToHost|
+|[NetworkProxy CSP](\networkproxy--csp.md)|Added the following node in Windows 10, version 1803:<li>ProxySettingsPerUser|
+|[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.|
+|[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.|
+|[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Bluetooth/AllowPromptedProximalConnections<li>KioskBrowser/EnableEndSessionButton<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers|
 
 ## March 2018
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><a href="euiccs-csp.md" data-raw-source="[eUICCs CSP](euiccs-csp.md)">eUICCs CSP</a></td>
-<td><p>Added the following node in Windows 10, version 1803:</p>
-<ul>
-<li>IsEnabled</li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="devicestatus-csp.md" data-raw-source="[DeviceStatus CSP](devicestatus-csp.md)">DeviceStatus CSP</a></td>
-<td><p>Added the following node in Windows 10, version 1803:</p>
-<ul>
-<li>OS/Mode</li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="understanding-admx-backed-policies.md" data-raw-source="[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)">Understanding ADMX-backed policies</a></td>
-<td><p>Added the following videos:</p>
-<ul>
-<li><a href="https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121" data-raw-source="[How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)">How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune</a></li>
-<li><a href="https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73" data-raw-source="[How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)">How to import a custom ADMX file to a device using Intune</a></li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="accountmanagement-csp.md" data-raw-source="[AccountManagement CSP](accountmanagement-csp.md)">AccountManagement CSP</a></td>
-<td><p>Added a new CSP in Windows 10, version 1803.</p>
-</td></tr>
-<tr>
-<td><a href="rootcacertificates-csp.md" data-raw-source="[RootCATrustedCertificates CSP](rootcacertificates-csp.md)">RootCATrustedCertificates CSP</a></td>
-<td><p>Added the following node in Windows 10, version 1803:</p>
-<ul>
-<li>UntrustedCertificates</li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Added the following new policies for Windows 10, version 1803:</p>
-<ul>
-<li>ApplicationDefaults/EnableAppUriHandlers</li>
-<li>ApplicationManagement/MSIAllowUserControlOverInstall</li>
-<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</li>
-<li>Connectivity/AllowPhonePCLinking</li>
-<li>Notifications/DisallowCloudNotification</li>
-<li>Notifications/DisallowTileNotification</li>
-<li>RestrictedGroups/ConfigureGroupMembership</li>
-</ul>
-<p>The following existing policies were updated:</p>
-<ul>
-<li>Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.</li>
-<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML</li>
-<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.</li>
-</ul>
-<p>Added a new section:</p>
-<ul>
-<li><a href="/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy" data-raw-source="[[Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md)">[Policies in Policy CSP supported by Group Policy</a> - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.</li>
-</ul>
-</td></tr>
-<tr>
-<td><a href="policy-csp-bluetooth.md" data-raw-source="[Policy CSP - Bluetooth](policy-csp-bluetooth.md)">Policy CSP - Bluetooth</a></td>
-<td><p>Added new section <a href="policy-csp-bluetooth.md#servicesallowedlist-usage-guide" data-raw-source="[ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide)">ServicesAllowedList usage guide</a>.</p>
-</td></tr>
-<tr>
-<td><a href="multisim-csp.md" data-raw-source="[MultiSIM CSP](multisim-csp.md)">MultiSIM CSP</a></td>
-<td><p>Added SyncML examples and updated the settings descriptions.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="remotewipe-csp.md" data-raw-source="[RemoteWipe CSP](remotewipe-csp.md)">RemoteWipe CSP</a></td>
-<td><p>Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.</p>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[eUICCs CSP](euiccs-csp.md)|Added the following node in Windows 10, version 1803:<li>IsEnabled|
+|[DeviceStatus CSP](devicestatus-csp.md)|Added the following node in Windows 10, version 1803:<li>OS/Mode|
+|[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)|Added the following videos:<li>[How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)<li>[How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)|
+|[AccountManagement CSP](accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.|
+|[RootCATrustedCertificates CSP](rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:<li>UntrustedCertificates|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>ApplicationDefaults/EnableAppUriHandlers<li>ApplicationManagement/MSIAllowUserControlOverInstall<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges<li>Connectivity/AllowPhonePCLinking<li>Notifications/DisallowCloudNotification<li>Notifications/DisallowTileNotification<li>RestrictedGroups/ConfigureGroupMembership<p>The following existing policies were updated:<li>Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.<p>Added a new section:<li>[[Policies in Policy CSP supported by Group Policy](/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.|
+|[Policy CSP - Bluetooth](policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).|
+|[MultiSIM CSP](multisim-csp.md)|Added SyncML examples and updated the settings descriptions.|
+|[RemoteWipe CSP](remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.|
 
 ## February 2018
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Added the following new policies for Windows 10, version 1803:</p>
-<ul>
-<li>Display/DisablePerProcessDpiForApps</li>
-<li>Display/EnablePerProcessDpi</li>
-<li>Display/EnablePerProcessDpiForApps</li>
-<li>Experience/AllowWindowsSpotlightOnSettings</li>
-<li>TextInput/ForceTouchKeyboardDockedState</li>
-<li>TextInput/TouchKeyboardDictationButtonAvailability</li>
-<li>TextInput/TouchKeyboardEmojiButtonAvailability</li>
-<li>TextInput/TouchKeyboardFullModeAvailability</li>
-<li>TextInput/TouchKeyboardHandwritingModeAvailability</li>
-<li>TextInput/TouchKeyboardNarrowModeAvailability</li>
-<li>TextInput/TouchKeyboardSplitModeAvailability</li>
-<li>TextInput/TouchKeyboardWideModeAvailability</li>
-<ul>
-</td></tr>
-<tr class="odd">
-<td><a href="vpnv2-profile-xsd.md" data-raw-source="[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)">VPNv2 ProfileXML XSD</a></td>
-<td><p>Updated the XSD and Plug-in profile example for VPNv2 CSP.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="assignedaccess-csp.md" data-raw-source="[AssignedAccess CSP](assignedaccess-csp.md)">AssignedAccess CSP</a></td>
-<td><p>Added the following nodes in Windows 10, version 1803:</p>
-<ul>
-<li>Status</li>
-<li>ShellLauncher</li>
-<li>StatusConfiguration</li>
-</ul>
-<p>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="multisim-csp.md" data-raw-source="[MultiSIM CSP](multisim-csp.md)">MultiSIM CSP</a></td>
-<td><p>Added a new CSP in Windows 10, version 1803.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="enterprisemodernappmanagement-csp.md" data-raw-source="[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)">EnterpriseModernAppManagement CSP</a></td>
-<td><p>Added the following node in Windows 10, version 1803:</p>
-<ul>
-<li>MaintainProcessorArchitectureOnUpdate</li>
-</ul>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Display/DisablePerProcessDpiForApps<li>Display/EnablePerProcessDpi<li>Display/EnablePerProcessDpiForApps<li>Experience/AllowWindowsSpotlightOnSettings<li>TextInput/ForceTouchKeyboardDockedState<li>TextInput/TouchKeyboardDictationButtonAvailability<li>TextInput/TouchKeyboardEmojiButtonAvailability<li>TextInput/TouchKeyboardFullModeAvailability<li>TextInput/TouchKeyboardHandwritingModeAvailability<li>TextInput/TouchKeyboardNarrowModeAvailability<li>TextInput/TouchKeyboardSplitModeAvailability<li>TextInput/TouchKeyboardWideModeAvailability|
+|[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)|Updated the XSD and Plug-in profile example for VPNv2 CSP.|
+|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Status<li>ShellLauncher<li>StatusConfiguration<p>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.|
+|[MultiSIM CSP](multisim-csp.md)|Added a new CSP in Windows 10, version 1803.|
+|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following node in Windows 10, version 1803:<li>MaintainProcessorArchitectureOnUpdate|
 
 ## January 2018
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Added the following new policies for Windows 10, version 1803:</p>
-<ul>
-<li>Browser/AllowConfigurationUpdateForBooksLibrary</li>
-<li>Browser/AlwaysEnableBooksLibrary</li>
-<li>Browser/EnableExtendedBooksTelemetry</li>
-<li>Browser/UseSharedFolderForBooks</li>
-<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp</li>
-<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp</li>
-<li>DeliveryOptimization/DOGroupIdSource</li>
-<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth</li>
-<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth</li>
-<li>DeliveryOptimization/DORestrictPeerSelectionBy</li>
-<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth</li>
-<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth</li>
-<li>KioskBrowser/BlockedUrlExceptions</li>
-<li>KioskBrowser/BlockedUrls</li>
-<li>KioskBrowser/DefaultURL</li>
-<li>KioskBrowser/EnableHomeButton</li>
-<li>KioskBrowser/EnableNavigationButtons</li>
-<li>KioskBrowser/RestartOnIdleTime</li>
-<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</li>
-<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
-<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
-<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
-<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
-<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
-<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
-<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
-<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
-<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>
-<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares</li>
-<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li>
-<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
-<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
-<li>RestrictedGroups/ConfigureGroupMembership</li>
-<li>Search/AllowCortanaInAAD</li>
-<li>Search/DoNotUseWebResults</li>
-<li>Security/ConfigureWindowsPasswords</li>
-<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally</li>
-<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode</li>
-<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode</li>
-<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode</li>
-<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode</li>
-<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode</li>
-<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode</li>
-<li>TaskScheduler/EnableXboxGameSaveTask</li>
-<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</li>
-<li>Update/ConfigureFeatureUpdateUninstallPeriod</li>
-<li>UserRights/AccessCredentialManagerAsTrustedCaller</li>
-<li>UserRights/AccessFromNetwork</li>
-<li>UserRights/ActAsPartOfTheOperatingSystem</li>
-<li>UserRights/AllowLocalLogOn</li>
-<li>UserRights/BackupFilesAndDirectories</li>
-<li>UserRights/ChangeSystemTime</li>
-<li>UserRights/CreateGlobalObjects</li>
-<li>UserRights/CreatePageFile</li>
-<li>UserRights/CreatePermanentSharedObjects</li>
-<li>UserRights/CreateSymbolicLinks</li>
-<li>UserRights/CreateToken</li>
-<li>UserRights/DebugPrograms</li>
-<li>UserRights/DenyAccessFromNetwork</li>
-<li>UserRights/DenyLocalLogOn</li>
-<li>UserRights/DenyRemoteDesktopServicesLogOn</li>
-<li>UserRights/EnableDelegation</li>
-<li>UserRights/GenerateSecurityAudits</li>
-<li>UserRights/ImpersonateClient</li>
-<li>UserRights/IncreaseSchedulingPriority</li>
-<li>UserRights/LoadUnloadDeviceDrivers</li>
-<li>UserRights/LockMemory</li>
-<li>UserRights/ManageAuditingAndSecurityLog</li>
-<li>UserRights/ManageVolume</li>
-<li>UserRights/ModifyFirmwareEnvironment</li>
-<li>UserRights/ModifyObjectLabel</li>
-<li>UserRights/ProfileSingleProcess</li>
-<li>UserRights/RemoteShutdown</li>
-<li>UserRights/RestoreFilesAndDirectories</li>
-<li>UserRights/TakeOwnership</li>
-<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI</li>
-<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI</li>
-<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery</li>
-<li>WindowsDefenderSecurityCenter/HideSecureBoot</li>
-<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting</li>
-</ul>
-<p>Added the following policies the were added in Windows 10, version 1709</p>
-<ul>
-<li>DeviceLock/MinimumPasswordAge</li>
-<li>Settings/AllowOnlineTips</li>
-<li>System/DisableEnterpriseAuthProxy </li>
-</ul>
-<p>Security/RequireDeviceEncryption - updated to show it is supported in desktop.</p>
-</tr>
-<tr class="odd">
-<td><a href="bitlocker-csp.md" data-raw-source="[BitLocker CSP](bitlocker-csp.md)">BitLocker CSP</a></td>
-<td><p>Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="enterprisemodernappmanagement-csp.md" data-raw-source="[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)">EnterpriseModernAppManagement CSP</a></td>
-<td><p>Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="dmclient-csp.md" data-raw-source="[DMClient CSP](dmclient-csp.md)">DMClient CSP</a></td>
-<td><p>Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:</p>
-<ul>
-<li>AADSendDeviceToken</li>
-<li>BlockInStatusPage</li>
-<li>AllowCollectLogsButton</li>
-<li>CustomErrorText</li>
-<li>SkipDeviceStatusPage</li>
-<li>SkipUserStatusPage</li>
-</ul>
-</td></tr>
-<tr class="odd">
-<td><a href="defender-csp.md" data-raw-source="[Defender CSP](defender-csp.md)">Defender CSP</a></td>
-<td><p>Added new node (OfflineScan) in Windows 10, version 1803.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="uefi-csp.md" data-raw-source="[UEFI CSP](uefi-csp.md)">UEFI CSP</a></td>
-<td><p>Added a new CSP in Windows 10, version 1803.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="update-csp.md" data-raw-source="[Update CSP](update-csp.md)">Update CSP</a></td>
-<td><p>Added the following nodes in Windows 10, version 1803:</p>
-<ul>
-<li>Rollback</li>
-<li>Rollback/FeatureUpdate</li>
-<li>Rollback/QualityUpdateStatus</li>
-<li>Rollback/FeatureUpdateStatus</li>
-</ul>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Browser/AllowConfigurationUpdateForBooksLibrary<li>Browser/AlwaysEnableBooksLibrary<li>Browser/EnableExtendedBooksTelemetry<li>Browser/UseSharedFolderForBooks<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp<li>DeliveryOptimization/DOGroupIdSource<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth<li>DeliveryOptimization/DORestrictPeerSelectionBy<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth<li>KioskBrowser/BlockedUrlExceptions<li>KioskBrowser/BlockedUrls<li>KioskBrowser/DefaultURL<li>KioskBrowser/EnableHomeButton<li>KioskBrowser/EnableNavigationButtons<li>KioskBrowser/RestartOnIdleTime<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode<li>RestrictedGroups/ConfigureGroupMembership<li>Search/AllowCortanaInAAD<li>Search/DoNotUseWebResults<li>Security/ConfigureWindowsPasswords<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode<li>TaskScheduler/EnableXboxGameSaveTask<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode<li>Update/ConfigureFeatureUpdateUninstallPeriod<li>UserRights/AccessCredentialManagerAsTrustedCaller<li>UserRights/AccessFromNetwork<li>UserRights/ActAsPartOfTheOperatingSystem<li>UserRights/AllowLocalLogOn<li>UserRights/BackupFilesAndDirectories<li>UserRights/ChangeSystemTime<li>UserRights/CreateGlobalObjects<li>UserRights/CreatePageFile<li>UserRights/CreatePermanentSharedObjects<li>UserRights/CreateSymbolicLinks<li>UserRights/CreateToken<li>UserRights/DebugPrograms<li>UserRights/DenyAccessFromNetwork<li>UserRights/DenyLocalLogOn<li>UserRights/DenyRemoteDesktopServicesLogOn<li>UserRights/EnableDelegation<li>UserRights/GenerateSecurityAudits<li>UserRights/ImpersonateClient<li>UserRights/IncreaseSchedulingPriority<li>UserRights/LoadUnloadDeviceDrivers<li>UserRights/LockMemory<li>UserRights/ManageAuditingAndSecurityLog<li>UserRights/ManageVolume<li>UserRights/ModifyFirmwareEnvironment<li>UserRights/ModifyObjectLabel<li>UserRights/ProfileSingleProcess<li>UserRights/RemoteShutdown<li>UserRights/RestoreFilesAndDirectories<li>UserRights/TakeOwnership<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery<li>WindowsDefenderSecurityCenter/HideSecureBoot<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting<p>Added the following policies the were added in Windows 10, version 1709<li>DeviceLock/MinimumPasswordAge<li>Settings/AllowOnlineTips<li>System/DisableEnterpriseAuthProxy<li>Security/RequireDeviceEncryption - updated to show it is supported in desktop.|
+|[BitLocker CSP](bitlocker-csp.md)|Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.|
+|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.|
+|[DMClient CSP](dmclient-csp.md)|Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:<li>AADSendDeviceToken<li>BlockInStatusPage<li>AllowCollectLogsButton<li>CustomErrorText<li>SkipDeviceStatusPage<li>SkipUserStatusPage|
+|[Defender CSP](defender-csp.md)|Added new node (OfflineScan) in Windows 10, version 1803.|
+|[UEFI CSP](uefi-csp.md)|Added a new CSP in Windows 10, version 1803.|
+|[Update CSP](update-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Rollback<li>Rollback/FeatureUpdate<li>Rollback/QualityUpdateStatus<li>Rollback/FeatureUpdateStatus|
 
 ## December 2017
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td><a href="configuration-service-provider-reference.md" data-raw-source="[Configuration service provider reference](configuration-service-provider-reference.md)">Configuration service provider reference</a></td>
-<td><p>Added new section <a href="configuration-service-provider-reference.md#csp-ddf-files-download" data-raw-source="[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)">CSP DDF files download</a></p>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[Configuration service provider reference](configuration-service-provider-reference.md)|Added new section [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|
 
 ## November 2017
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Added the following policies for Windows 10, version 1709:</p>
-<ul>
-<li>Authentication/AllowFidoDeviceSignon</li>
-<li>Cellular/LetAppsAccessCellularData</li>
-<li>Cellular/LetAppsAccessCellularData_ForceAllowTheseApps</li>
-<li>Cellular/LetAppsAccessCellularData_ForceDenyTheseApps</li>
-<li>Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps</li>
-<li>Start/HidePeopleBar</li>
-<li>Storage/EnhancedStorageDevices</li>
-<li>Update/ManagePreviewBuilds</li>
-<li>WirelessDisplay/AllowMdnsAdvertisement</li>
-<li>WirelessDisplay/AllowMdnsDiscovery</li>
-</ul>
-<p>Added missing policies from previous releases:</p>
-<ul>
-<li>Connectivity/DisallowNetworkConnectivityActiveTest</li>
-<li>Search/AllowWindowsIndexer</li>
-</ul>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following policies for Windows 10, version 1709:<li>Authentication/AllowFidoDeviceSignon<li>Cellular/LetAppsAccessCellularData<li>Cellular/LetAppsAccessCellularData_ForceAllowTheseApps<li>Cellular/LetAppsAccessCellularData_ForceDenyTheseApps<li>Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps<li>Start/HidePeopleBar<li>Storage/EnhancedStorageDevices<li>Update/ManagePreviewBuilds<li>WirelessDisplay/AllowMdnsAdvertisement<li>WirelessDisplay/AllowMdnsDiscovery<p>Added missing policies from previous releases:<li>Connectivity/DisallowNetworkConnectivityActiveTest<li>Search/AllowWindowsIndexer|
 
 ## October 2017
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td><a href="policy-ddf-file.md" data-raw-source="[Policy DDF file](policy-ddf-file.md)">Policy DDF file</a></td>
-<td><p>Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Updated the following policies:</p>
-<ul>
-<li>Defender/ControlledFolderAccessAllowedApplications - string separator is |.</li>
-<li>Defender/ControlledFolderAccessProtectedFolders - string separator is |.</li>
-</ul>
-</td></tr>
-<tr class="even">
-<td><a href="euiccs-csp.md" data-raw-source="[eUICCs CSP](euiccs-csp.md)">eUICCs CSP</a></td>
-<td><p>Added new CSP in Windows 10, version 1709.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="assignedaccess-csp.md" data-raw-source="[AssignedAccess CSP](assignedaccess-csp.md)">AssignedAccess CSP</a></td>
-<td><p>Added SyncML examples for the new Configuration node.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="dmclient-csp.md" data-raw-source="[DMClient CSP](dmclient-csp.md)">DMClient CSP</a></td>
-<td><p>Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.</p>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[Policy DDF file](policy-ddf-file.md)|Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.|
+|[Policy CSP](policy-configuration-service-provider.md)|Updated the following policies:<li>Defender/ControlledFolderAccessAllowedApplications - string separator is'I' <li>Defender/ControlledFolderAccessProtectedFolders - string separator is 'I'.|
+|[eUICCs CSP](euiccs-csp.md)|Added new CSP in Windows 10, version 1709.|
+|[AssignedAccess CSP](assignedaccess-csp.md)|Added SyncML examples for the new Configuration node.|
+|[DMClient CSP](dmclient-csp.md)|Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.|
 
 ## September 2017
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Added the following new policies for Windows 10, version 1709:</p>
-<ul>
-<li>Authentication/AllowAadPasswordReset</li>
-<li>Handwriting/PanelDefaultModeDocked</li>
-<li>Search/AllowCloudSearch</li>
-<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics</li>
-</ul>
-<p>Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.</p>
-</td></tr>
-<tr class="even">
-<td><a href="assignedaccess-csp.md" data-raw-source="[AssignedAccess CSP](assignedaccess-csp.md)">AssignedAccess CSP</a></td>
-<td><p>Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.</p>
-</td></tr>
-<tr class="odd">
-<td>Microsoft Store for Business and Microsoft Store</td>
-<td><p>Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.</p>
-</td></tr>
-<tr class="even">
-<td>The <a href="/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692" data-raw-source="[\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)">[MS-MDE2]: Mobile Device Enrollment Protocol Version 2</a></td>
-<td><p>The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:</p>
-<ul>
-<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page. </li>
-<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.</li>
-<li>DomainName - fully qualified domain name if the device is domain-joined.</li>
-</ul>
-<p>For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="enterpriseapn-csp.md" data-raw-source="[EnterpriseAPN CSP](enterpriseapn-csp.md)">EnterpriseAPN CSP</a></td>
-<td><p>Added a SyncML example.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="vpnv2-csp.md" data-raw-source="[VPNv2 CSP](vpnv2-csp.md)">VPNv2 CSP</a></td>
-<td><p>Added RegisterDNS setting in Windows 10, version 1709.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="enroll-a-windows-10-device-automatically-using-group-policy.md" data-raw-source="[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)">Enroll a Windows 10 device automatically using Group Policy</a></td>
-<td><p>Added new topic to introduce a new Group Policy for automatic MDM enrollment.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="mdm-enrollment-of-windows-devices.md" data-raw-source="[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)">MDM enrollment of Windows-based devices</a></td>
-<td><p>New features in the Settings app:</p>
-<ul>
-<li>User sees installation progress of critical policies during MDM enrollment.</li>
-<li>User knows what policies, profiles, apps MDM has configured</li>
-<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
-</ul>
-<p>For details, see <a href="mdm-enrollment-of-windows-devices.md#manage-connections" data-raw-source="[Manage connections](mdm-enrollment-of-windows-devices.md#manage-connections)">Managing connections</a> and <a href="mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs" data-raw-source="[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)">Collecting diagnostic logs</a></p>
-</td></tr>
-</tbody>
-</table>
+|New or updated article|Description|
+|--- |--- |
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Authentication/AllowAadPasswordReset<li>Handwriting/PanelDefaultModeDocked<li>Search/AllowCloudSearch<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics<p>Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.|
+|[AssignedAccess CSP](assignedaccess-csp.md)|Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.|
+|Microsoft Store for Business and Microsoft Store|Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.|
+|The [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)|The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.<li>DomainName - fully qualified domain name if the device is domain-joined.<p>For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.|
+|[EnterpriseAPN CSP](enterpriseapn-csp.md)|Added a SyncML example.|
+|[VPNv2 CSP](vpnv2-csp.md)|Added RegisterDNS setting in Windows 10, version 1709.|
+|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Added new topic to introduce a new Group Policy for automatic MDM enrollment.|
+|[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)|New features in the Settings app:<li>User sees installation progress of critical policies during MDM enrollment.<li>User knows what policies, profiles, apps MDM has configured<li>IT helpdesk can get detailed MDM diagnostic information using client tools<p>For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)|
 
 ## August 2017
 
-<table class="mx-tdBreakAll">
-<colgroup>
-<col width="25%" />
-<col width="75%" />
-</colgroup>
-<thead>
-<tr class="header">
-<th>New or updated article</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr class="odd">
-<td><a href="enable-admx-backed-policies-in-mdm.md" data-raw-source="[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)">Enable ADMX-backed policies in MDM</a></td>
-<td><p>Added new step-by-step guide to enable ADMX-backed policies.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="mobile-device-enrollment.md" data-raw-source="[Mobile device enrollment](mobile-device-enrollment.md)">Mobile device enrollment</a></td>
-<td><p>Added the following statement:</p>
-<ul>
-<li>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
-</ul>
-</td></tr>
-<tr class="odd">
-<td><a href="cm-cellularentries-csp.md" data-raw-source="[CM\_CellularEntries CSP](cm-cellularentries-csp.md)">CM_CellularEntries CSP</a></td>
-<td><p>Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="enterprisedataprotection-csp.md" data-raw-source="[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)">EnterpriseDataProtection CSP</a></td>
-<td><p>Updated the Settings/EDPEnforcementLevel values to the following:</p>
-<ul>
-<li> 0 (default) – Off / No protection (decrypts previously protected data).</li>
-<li>  1 – Silent mode (encrypt and audit only).</li>
-<li>  2 – Allow override mode (encrypt, prompt and allow overrides, and audit).</li>
-<li>  3 – Hides overrides (encrypt, prompt but hide overrides, and audit).</li>
-</ul>
-</td></tr>
-<tr class="odd">
-<td><a href="applocker-csp.md" data-raw-source="[AppLocker CSP](applocker-csp.md)">AppLocker CSP</a></td>
-<td><p>Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in <a href="applocker-csp.md#allow-list-examples" data-raw-source="[Allowlist examples](applocker-csp.md#allow-list-examples)">Allow list examples</a>.</p>
-</td></tr>
-<tr class="odd">
-<td><a href="devicemanageability-csp.md" data-raw-source="[DeviceManageability CSP](devicemanageability-csp.md)">DeviceManageability CSP</a></td>
-<td><p>Added the following settings in Windows 10, version 1709:</p>
-<ul>
-<li>Provider/<em>ProviderID</em>/ConfigInfo</li>
-<li> Provider/<em>ProviderID</em>/EnrollmentInfo</li>
-</ul>
-</td></tr>
-<tr class="odd">
-<td><a href="office-csp.md" data-raw-source="[Office CSP](office-csp.md)">Office CSP</a></td>
-<td><p>Added the following setting in Windows 10, version 1709:</p>
-<ul>
-<li>Installation/CurrentStatus</li>
-</ul>
-</td></tr>
-<tr class="odd">
-<td><a href="bitlocker-csp.md" data-raw-source="[BitLocker CSP](bitlocker-csp.md)">BitLocker CSP</a></td>
-<td>Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
-</td></tr>
-<tr class="odd">
-<td><a href="firewall-csp.md" data-raw-source="[Firewall CSP](firewall-csp.md)">Firewall CSP</a></td>
-<td>Updated the CSP and DDF topics. Here are the changes:
-<ul>
-<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.</li>
-<li>Changed some data types from integer to bool.</li>
-<li>Updated the list of supported operations for some settings.</li>
-<li>Added default values.</li>
-</ul>
-</td></tr>
-<tr class="odd">
-<td><a href="policy-ddf-file.md" data-raw-source="[Policy DDF file](policy-ddf-file.md)">Policy DDF file</a></td>
-<td>Added another Policy DDF file <a href="https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml" data-raw-source="[download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)">download</a> for the 8C release of Windows 10, version 1607, which added the following policies:
-<ul>
-<li>Browser/AllowMicrosoftCompatibilityList</li>
-<li>Update/DisableDualScan</li>
-<li>Update/FillEmptyContentUrls</li>
-</ul>
-</td></tr>
-<tr class="even">
-<td><a href="policy-configuration-service-provider.md" data-raw-source="[Policy CSP](policy-configuration-service-provider.md)">Policy CSP</a></td>
-<td><p>Added the following new policies for Windows 10, version 1709:</p>
-<ul>
-<li>Browser/ProvisionFavorites</li>
-<li>Browser/LockdownFavorites</li>
-<li>ExploitGuard/ExploitProtectionSettings</li>
-<li>Games/AllowAdvancedGamingServices</li>
-<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
-<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</li>
-<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</li>
-<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</li>
-<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</li>
-<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</li>
-<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</li>
-<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</li>
-<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
-<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
-<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
-<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
-<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
-<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
-<li>Privacy/EnableActivityFeed</li>
-<li>Privacy/PublishUserActivities</li>
-<li>Update/DisableDualScan</li>
-<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</li>
-</ul>
-<p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.</p>
-<p>Changed the names of the following policies:</p>
-<ul>
-<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications</li>
-<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders</li>
-<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess</li>
-</ul>
-<p>Added links to the additional <a href="policy-csp-bitlocker.md" data-raw-source="[ADMX-backed BitLocker policies](policy-csp-bitlocker.md)">ADMX-backed BitLocker policies</a>.</p>
-<p>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:</p>
-<ul>
-<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts</li>
-<li>Start/HideAppList</li>
-</ul>
-</td></tr>
-</tbody>
-</table>
\ No newline at end of file
+|New or updated article|Description|
+|--- |--- |
+|[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)|Added new step-by-step guide to enable ADMX-backed policies.|
+|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:<p>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.|
+|[CM_CellularEntries CSP](cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.|
+|[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following:<li> 0 (default) – Off / No protection (decrypts previously protected data).<li>  1 – Silent mode (encrypt and audit only).<li>  2 – Allow override mode (encrypt, prompt and allow overrides, and audit).<li>  3 – Hides overrides (encrypt, prompt but hide overrides, and audit).|
+|[AppLocker CSP](applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allow list examples](applocker-csp.md#allow-list-examples).|
+|[DeviceManageability CSP](devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:<li>Provider/ProviderID/ConfigInfo<li> Provider/ProviderID/EnrollmentInfo|
+|[Office CSP](office-csp.md)|Added the following setting in Windows 10, version 1709:<li>Installation/CurrentStatus|
+|[BitLocker CSP](bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|
+|[Firewall CSP](firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.<li>Changed some data types from integer to bool.<li>Updated the list of supported operations for some settings.<li>Added default values.|
+|[Policy DDF file](policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:<li>Browser/AllowMicrosoftCompatibilityList<li>Update/DisableDualScan<li>Update/FillEmptyContentUrls|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Browser/ProvisionFavorites<li>Browser/LockdownFavorites<li>ExploitGuard/ExploitProtectionSettings<li>Games/AllowAdvancedGamingServices<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations<li>Privacy/EnableActivityFeed<li>Privacy/PublishUserActivities<li>Update/DisableDualScan<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork<p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.<p>Changed the names of the following policies:<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess<p>Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).<p>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts<li>Start/HideAppList|
\ No newline at end of file
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 0cb346ab02..d195063ef0 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -243,92 +243,137 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
         New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
         ``` 
 
-
 ## Policies set by shared PC mode
+
 Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
 
 > [!IMPORTANT]
 > It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
 
-<table border="1"> 
+### Admin Templates > Control Panel > Personalization
 
-<tr><th><p>Policy name</p></th><th><p>Value</p></th><th><p>When set?</p></th></tr> </thead>
-<tbody>
-<tr><td colspan="3"><p><strong>Admin Templates</strong> &gt; <strong>Control Panel</strong> &gt; <strong>Personalization</strong></p></td></tr> 
-<tr><td><p>Prevent enabling lock screen slide show</p></td><td><p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr><td><p>Prevent changing lock screen and logon image</p></td><td><p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr><td colspan="3"><p><strong>Admin Templates</strong> &gt; <strong>System</strong> &gt; <strong>Power Management</strong> &gt; <strong>Button Settings</strong></p></td></tr> 
-<tr><td><p>Select the Power button action (plugged in)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr><td><p>Select the Power button action (on battery)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr><td><p>Select the Sleep button action (plugged in)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr><td><p>Select the lid switch action (plugged in)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr><td><p>Select the lid switch action (on battery)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr><td colspan="3"><p><strong>Admin Templates</strong> &gt; <strong>System</strong> &gt; <strong>Power Management</strong> &gt; <strong>Sleep Settings</strong></p></td></tr> 
-<tr><td><p>Require a password when a computer wakes (plugged in)</p></td><td><p>Enabled</p></td><td><p>SignInOnResume=True</p></td></tr> 
-<tr><td><p>Require a password when a computer wakes (on battery)</p></td><td><p>Enabled</p></td><td><p>SignInOnResume=True</p></td></tr>
-<tr><td><p>Specify the system sleep timeout (plugged in)</p></td><td><p><em>SleepTimeout</em></p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr><td><p>Specify the system sleep timeout (on battery)</p></td><td><p><em>SleepTimeout</em></p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr> <td> <p>Turn off hybrid sleep (plugged in)</p></td> <td> <p>Enabled</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr> <td> <p>Turn off hybrid sleep (on battery)</p></td> <td> <p>Enabled</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr> <td> <p>Specify the unattended sleep timeout (plugged in)</p></td> <td> <p><em>SleepTimeout</em></p> </td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr> <td> <p>Specify the unattended sleep timeout (on battery)</p></td> <td> <p><em>SleepTimeout</em></p> </td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr> <td> <p>Allow standby states (S1-S3) when sleeping (plugged in)</p></td> <td> <p>Enabled</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr> <td> <p>Allow standby states (S1-S3) when sleeping (on battery)</p></td> <td> <p>Enabled</p></td> <td><p>SetPowerPolicies=True</p></td></tr> 
-<tr> <td> <p>Specify the system hibernate timeout (plugged in)</p></td> <td> <p>Enabled, 0</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr> <td> <p>Specify the system hibernate timeout (on battery)</p></td> <td> <p>Enabled, 0</p></td><td><p>SetPowerPolicies=True</p></td></tr> 
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>System</strong>&gt;<strong>Power Management</strong>&gt;<strong>Video and Display Settings</strong></p></td></tr> 
-<tr> <td> <p>Turn off the display (plugged in)</p></td> <td> <p><em>SleepTimeout</em></p> </td></td><td><p>SetPowerPolicies=True</p></td></tr>
- <tr> <td> <p>Turn off the display (on battery</p></td> <td> <p><em>SleepTimeout</em></p> </td></td><td><p>SetPowerPolicies=True</p></td></tr> 
- <tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>System</strong>&gt;<strong>Power Management</strong>&gt;<strong>Energy Saver Settings</strong></p></td></tr> 
- <tr><td>Energy Saver Battery Threshold (on battery)</td><td>70</td><td>SetPowerPolicies=True</td></tr>
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>System</strong>&gt;<strong>Logon</strong></p></td></tr> 
-<tr> <td> <p>Show first sign-in animation</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Hide entry points for Fast User Switching</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Turn on convenience PIN sign-in</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Turn off picture password sign-in</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Turn off app notification on the lock screen</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Allow users to select when a password is required when resuming from connected standby</p></td> <td> <p>Disabled</p></td><td><p>SignInOnResume=True</p></td>
-</tr> 
-<tr> <td> <p>Block user from showing account details on sign-in</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>System</strong>&gt;<strong>User Profiles</strong></p></td></tr> 
-<tr> <td> <p>Turn off the advertising ID</p></td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr> 
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>Windows Components </strong></p></td></tr> 
-<tr> <td> <p>Do not show Windows Tips </p> </td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr> 
-<tr> <td> <p>Turn off Microsoft consumer experiences </p></td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr> 
-<tr> <td> <p>Microsoft Passport for Work</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Prevent the usage of OneDrive for file storage</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>Windows Components</strong>&gt;<strong>Biometrics</strong></p></td></tr> 
-<tr> <td> <p>Allow the use of biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Allow users to log on using biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Allow domain users to log on using biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>Windows Components</strong>&gt;<strong>Data Collection and Preview Builds</strong></p></td></tr> 
-<tr> <td> <p>Toggle user control over Insider builds</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Disable pre-release features or settings</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Do not show feedback notifications</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr><td>Allow Telemetry</td><td>Basic, 0</td><td>SetEduPolicies=True</td></tr>
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>Windows Components</strong>&gt;<strong>File Explorer</strong></p></td></tr> 
-<tr> <td> <p>Show lock in the user tile menu</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>Windows Components</strong>&gt;<strong>Maintenance Scheduler</strong></p></td></tr> 
-<tr> <td> <p>Automatic Maintenance Activation Boundary</p></td> <td> <p><em>MaintenanceStartTime</em></p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Automatic Maintenance Random Delay</p></td> <td> <p>Enabled, 2 hours</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Automatic Maintenance WakeUp Policy</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>Windows Components</strong>&gt;<strong>Windows Hello for Business</strong></p></td></tr> 
-<tr> <td> <p>Use phone sign-in</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Use Windows Hello for Business</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td> <p>Use biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td colspan="3"> <p><strong>Admin Templates</strong>&gt;<strong>Windows Components</strong>&gt;<strong>OneDrive</strong></p></td></tr> 
-<tr> <td> <p>Prevent the usage of OneDrive for file storage</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr> 
-<tr> <td colspan="3"> <p><strong>Windows Settings</strong>&gt;<strong>Security Settings</strong>&gt;<strong>Local Policies</strong>&gt;<strong>Security Options</strong></p></td> 
-</tr>
-<tr> <td> <p>Interactive logon: Do not display last user name</p> </td> <td> <p>Enabled, Disabled when account model is only guest</p> </td><td><p>Always</p></td></tr>
-<tr> <td> <p>Interactive logon: Sign-in last interactive user automatically after a system-initiated restart</p> </td> <td> <p>Disabled</p> </td> <td><p>Always</p></td> 
-</tr> 
-<tr> <td> <p>Shutdown: Allow system to be shut down without having to log on</p> </td> <td> <p>Disabled</p> </td><td><p>Always</p></td></tr> 
-<tr> <td> <p>User Account Control: Behavior of the elevation prompt for standard users</p> </td> <td> <p>Auto deny</p> </td><td><p>Always</p></td></tr> 
-</tbody>
-</table> </br></br>
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Prevent enabling lock screen slide show|Enabled|Always|
+|Prevent changing lock screen and logon image|Enabled|Always|
 
+### Admin Templates > System > Power Management > Button Settings
 
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Select the Power button action (plugged in)|Sleep|SetPowerPolicies=True|
+|Select the Power button action (on battery)|Sleep|SetPowerPolicies=True|
+|Select the Sleep button action (plugged in)|Sleep|SetPowerPolicies=True|
+|Select the lid switch action (plugged in)|Sleep|SetPowerPolicies=True|
+|Select the lid switch action (on battery)|Sleep|SetPowerPolicies=True|
 
+### Admin Templates > System > Power Management > Sleep Settings
 
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Require a password when a computer wakes (plugged in)|Enabled|SignInOnResume=True|
+|Require a password when a computer wakes (on battery)|Enabled|SignInOnResume=True|
+|Specify the system sleep timeout (plugged in)|*SleepTimeout*|SetPowerPolicies=True|
+|Specify the system sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True|
+|Turn off hybrid sleep (plugged in)|Enabled|SetPowerPolicies=True|
+|Turn off hybrid sleep (on battery)|Enabled|SetPowerPolicies=True|
+|Specify the unattended sleep timeout (plugged in)|*SleepTimeout*|SetPowerPolicies=True|
+|Specify the unattended sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True|
+|Allow standby states (S1-S3) when sleeping (plugged in)|Enabled|SetPowerPolicies=True|
+|Allow standby states (S1-S3) when sleeping (on battery)|Enabled |SetPowerPolicies=True|
+|Specify the system hibernate timeout (plugged in)|Enabled, 0|SetPowerPolicies=True|
+|Specify the system hibernate timeout (on battery)|Enabled, 0|SetPowerPolicies=True|
 
+### Admin Templates>System>Power Management>Video and Display Settings
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Turn off the display (plugged in)|*SleepTimeout*|SetPowerPolicies=True|
+|Turn off the display (on battery|*SleepTimeout*|SetPowerPolicies=True|
+
+### Admin Templates>System>Power Management>Energy Saver Settings
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Energy Saver Battery Threshold (on battery)|70|SetPowerPolicies=True|
+
+### Admin Templates>System>Logon
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Show first sign-in animation|Disabled|Always|
+|Hide entry points for Fast User Switching|Enabled|Always|
+|Turn on convenience PIN sign-in|Disabled|Always|
+|Turn off picture password sign-in|Enabled|Always|
+|Turn off app notification on the lock screen|Enabled|Always|
+|Allow users to select when a password is required when resuming from connected standby|Disabled|SignInOnResume=True|
+|Block user from showing account details on sign-in|Enabled|Always|
+
+### Admin Templates>System>User Profiles
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Turn off the advertising ID|Enabled|SetEduPolicies=True|
+
+### Admin Templates>Windows Components
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Do not show Windows Tips |Enabled|SetEduPolicies=True|
+|Turn off Microsoft consumer experiences |Enabled|SetEduPolicies=True|
+|Microsoft Passport for Work|Disabled|Always|
+|Prevent the usage of OneDrive for file storage|Enabled|Always|
+
+### Admin Templates>Windows Components>Biometrics
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Allow the use of biometrics|Disabled|Always|
+|Allow users to log on using biometrics|Disabled|Always|
+|Allow domain users to log on using biometrics|Disabled|Always|
+
+### Admin Templates>Windows Components>Data Collection and Preview Builds
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Toggle user control over Insider builds|Disabled|Always| 
+|Disable pre-release features or settings|Disabled|Always|
+|Do not show feedback notifications|Enabled|Always|
+|Allow Telemetry|Basic, 0|SetEduPolicies=True|
+
+### Admin Templates>Windows Components>File Explorer
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Show lock in the user tile menu|Disabled|Always|
+
+### Admin Templates>Windows Components>Maintenance Scheduler
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Automatic Maintenance Activation Boundary|*MaintenanceStartTime*|Always|
+|Automatic Maintenance Random Delay|Enabled, 2 hours|Always|
+|Automatic Maintenance WakeUp Policy|Enabled|Always|
+
+### Admin Templates>Windows Components>Windows Hello for Business
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Use phone sign-in|Disabled|Always|
+|Use Windows Hello for Business|Disabled|Always|
+|Use biometrics|Disabled|Always|
+
+### Admin Templates>Windows Components>OneDrive
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Prevent the usage of OneDrive for file storage|Enabled|Always|
+
+### Windows Settings>Security Settings>Local Policies>Security Options
+
+|Policy Name| Value|When set?|
+|--- |--- |--- |
+|Interactive logon: Do not display last user name|Enabled, Disabled when account model is only guest|Always|
+|Interactive logon: Sign-in last interactive user automatically after a system-initiated restart|Disabled |Always|
+|Shutdown: Allow system to be shut down without having to log on|Disabled|Always|
+|User Account Control: Behavior of the elevation prompt for standard users|Auto deny|Always|
\ No newline at end of file
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index e7434cf95e..c0a2fa58db 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -135,6 +135,7 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
 ### Scenario example
 
 Downgrading from Enterprise
+
 - Original edition: **Professional OEM**
 - Upgrade edition: **Enterprise**
 - Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
@@ -143,102 +144,22 @@ You can move directly from Enterprise to any valid destination edition. In this
 
 ### Supported Windows 10 downgrade paths
 
-✔ = Supported downgrade path<br>
-&nbsp;S&nbsp; = Supported; Not considered a downgrade or an upgrade<br>
-[blank] = Not supported or not a downgrade<br>
+✔ = Supported downgrade path
+S = Supported; Not considered a downgrade or an upgrade
+[blank] = Not supported or not a downgrade
 
-<br>
-<table border="0" cellpadding="1">
-    <tr>
-        <th colspan="10" align="center">Destination edition</th>
-    </tr>
-    <tr>
-        <th>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</th>
-        <th>&nbsp;</th>
-        <th>Home</th>
-        <th>Pro</th>
-        <th>Pro for Workstations</th>
-        <th>Pro Education</th>
-        <th>Education</th>
-        <th>Enterprise LTSC</th>
-        <th>Enterprise</th>
-    </tr>
-    <tr>
-        <th rowspan="9" valign="middle">Starting edition</th>
-    </tr>
-    <tr>
-        <td>Home</td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-    </tr>
-    <tr>
-        <td>Pro</td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-    </tr>
-    <tr>
-        <td>Pro for Workstations</td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-    </tr>
-    <tr>
-        <td>Pro Education</td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-    </tr>
-    <tr>
-        <td>Education</td>
-        <td></td>
-        <td align="center">✔</td>
-        <td align="center">✔</td>
-        <td align="center">✔</td>
-        <td></td>
-        <td></td>
-        <td>S</td>
-    </tr>
-    <tr>
-        <td>Enterprise LTSC</td>
-        <td></td>
-        <td align="center"></td>
-        <td align="center"></td>
-        <td align="center"></td>
-        <td align="center"></td>
-        <td></td>
-        <td></td>
-    </tr>
-    <tr>
-        <td>Enterprise</td>
-        <td></td>
-        <td align="center">✔</td>
-        <td align="center">✔</td>
-        <td align="center">✔</td>
-        <td align="center">S</td>
-        <td></td>
-        <td></td>
-    </tr>
-</table>
+**Destination Edition: (Starting)**
+
+||Home|Pro|Pro for Workstations|Pro Education|Education|Enterprise LTSC|Enterprise|
+|--- |--- |--- |--- |--- |--- |--- |--- |
+|Home||||||||
+|Pro||||||||
+|Pro for Workstations||||||||
+|Pro Education||||||||
+|Education||✔|✔|✔|||S|
+|Enterprise LTSC||||||||
+|Enterprise||✔|✔|✔|S|||
 
-> 
 > **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
 
 Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index b8352c8389..d63a5a3512 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -28,64 +28,16 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install
 
 ## Deployment scenarios affected
 
-The table below provides support details for specific deployment scenarios.
+The table below provides support details for specific deployment scenarios (Boot Image Version).
+
+||Windows 10|Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows 11|
+|--- |--- |--- |--- |--- |--- |
+|**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.|
+|**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.|
+|**Windows Server 2019**|Supported, using a boot image from Windows 10, version 1809 or later.|Supported.|Supported.|Not supported.|Not supported.|
+|**Windows Server 2022**|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Not supported.|
+|**Windows 11**|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|
 
-<br>
-<table cellpadding="1">
-    <tr>
-        <td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
-        <td>&nbsp;</td>
-        <th>Windows 10</th>
-        <th>Windows Server 2016</th>
-        <th>Windows Server 2019</th>
-        <th>Windows Server 2022</th>
-        <th>Windows 11</th>
-    </tr>
-    <tr>
-        <td rowspan="6"><i>
-    <br>&nbsp;<br>&nbsp;<br>&nbsp;<br>&nbsp;<br>&nbsp;<br>&nbsp;<br>&nbsp;<br>&nbsp;<br>&nbsp;<br>Boot image version</i></td>
-    </tr>
-    <tr>
-        <td><b>Windows 10</b></td>
-        <td>Supported, using a boot image from matching or newer version.</td>
-        <td>Supported, using a boot image from Windows 10, version 1607 or later.</td>
-        <td>Supported, using a boot image from Windows 10, version 1809 or later.</td>
-        <td>Not supported.</td>
-        <td>Not supported.</td>
-    </tr>
-    <tr>
-        <td><b>Windows Server 2016</b></td>
-        <td>Supported, using a boot image from Windows 10, version 1607 or later.</td>
-        <td>Supported.</td>
-        <td>Not supported.</td>
-        <td>Not supported.</td>
-        <td>Not supported.</td>
-    </tr>
-    <tr>
-        <td><b>Windows Server 2019</b></td>
-        <td>Supported, using a boot image from Windows 10, version 1809 or later.</td>
-        <td>Supported.</td>
-        <td>Supported.</td>
-        <td>Not supported.</td>
-        <td>Not supported.</td>
-    </tr>
-    <tr>
-        <td><b>Windows Server 2022</b></td>
-        <td>Deprecated, with a warning message.</td>
-        <td>Deprecated, with a warning message.</td>
-        <td>Deprecated, with a warning message.</td>
-        <td>Deprecated, with a warning message.</td>
-        <td>Not supported.</td>
-    </tr>
-    <tr>
-        <td><b>Windows 11</b></td>
-        <td>Not supported, blocked.</td>
-        <td>Not supported, blocked.</td>
-        <td>Not supported, blocked.</td>
-        <td>Not supported, blocked.</td>
-        <td>Not supported, blocked.</td>
-    </tr>
-   </table>
 
 ## Reason for the change
 
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 098cf03790..d7f6145692 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -23,123 +23,38 @@ ms.collection: highpri
 
 To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
 
-The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. 
+## Deployment categories
+
+The following tables summarize various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
+
 - Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
-  - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
+   > [!NOTE]
+   >Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
 - Dynamic deployment methods enable you to configure applications and settings for specific use cases. 
 - Traditional deployment methods use existing tools to deploy operating system images.<br>&nbsp;
 
-<table border="0">
-  <tr><td align="center" bgcolor='#a0e4fa'><b>Category</b></td>
-     <td align="center" bgcolor='#a0e4fa'><b>Scenario</b></td>
-     <td align="center" bgcolor='#a0e4fa'><b>Description</b></td>
-     <td align="center" bgcolor='#a0e4fa'><b>More information</b></td></tr>
-  <tr><td align='center' valign='middle' style='width:16%; border:1;' rowspan="2">Modern</td>
-    <td align="center">
+### Modern
 
-[Windows Autopilot](#windows-autopilot)</td>
-    <td align="center"> 
-      Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
-    </td>
-    <td align="center"> 
-<a href="/windows/deployment/windows-autopilot/windows-10-autopilot">Overview of Windows Autopilot</a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center"> 
+|Scenario|Description|More information|
+|--- |--- |--- |
+|[Windows Autopilot](#windows-autopilot)|Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured|[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot)|
+|[In-place upgrade](#in-place-upgrade)|Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.|[Perform an in-place upgrade to Windows 10 with MDT](/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit)<br>[Perform an in-place upgrade to Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager)|
 
-[In-place upgrade](#in-place-upgrade)
+### Dynamic
 
- </td>
-    <td align="center"> 
-      Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
-    </td>
-    <td align="center"> 
-<a href="/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit">Perform an in-place upgrade to Windows 10 with MDT</a><br><a href="/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager">Perform an in-place upgrade to Windows 10 using Configuration Manager</a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center" rowspan="3"> 
-      Dynamic
-    </td>
-    <td align="center"> 
+|Scenario|Description|More information|
+|--- |--- |--- |
+|[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)|
+|[AAD / MDM](#dynamic-provisioning)|The device is automatically joined to AAD and configured by MDM.|[Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
+|[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
 
-[Subscription Activation](#windows-10-subscription-activation)
-    </td>
-    <td align="center"> 
-      Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. 
-    </td>
-    <td align="center"> 
-<a href="/windows/deployment/windows-10-enterprise-subscription-activation">Windows 10 Subscription Activation</a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center"> 
-
- [AAD / MDM](#dynamic-provisioning)
-    </td>
-    <td align="center"> 
-      The device is automatically joined to AAD and configured by MDM.
-    </td>
-    <td align="center"> 
-<a href="/windows/client-management/mdm/azure-active-directory-integration-with-mdm">Azure Active Directory integration with MDM</a>
-    </td>
-   </tr>
-  <tr>
-    <td align="center"> 
-
-   [Provisioning packages](#dynamic-provisioning)
-    </td>
-    <td align="center"> 
-      Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.
-    </td>
-    <td align="center"> 
-<a href="/windows/configuration/configure-devices-without-mdm">Configure devices without MDM</a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center" rowspan="3"> 
-      Traditional
-    </td>
-    <td align="center">
-
-   [Bare metal](#new-computer)
-    </td>
-    <td align="center"> 
-      Deploy a new device, or wipe an existing device and deploy with a fresh image. 
-    </td>
-    <td align="center"> 
- <a href="/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt">Deploy a Windows 10 image using MDT</a><br><a href="/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager">Deploy Windows 10 using PXE and Configuration Manager</a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center"> 
-
-   [Refresh](#computer-refresh)
-    </td>
-    <td align="center"> 
-      Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. 
-    </td>
-    <td align="center"> 
- <a href="/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10">Refresh a Windows 7 computer with Windows 10</a><br><a href="/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager">Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager</a>
-    </td>
-  </tr>
-  <tr>
-    <td align="center"> 
-
-  [Replace](#computer-replace)
-    </td>
-    <td align="center"> 
-      Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.
-    </td>
-    <td align="center"> 
- <a href="/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer">Replace a Windows 7 computer with a Windows 10 computer</a><br><a href="/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager">Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager</a>
-    </td>
-  </tr>
-</table>
-
-<br>&nbsp;
+### Traditional
 
+|Scenario|Description|More information|
+|--- |--- |--- |
+|[Bare metal](#new-computer)|Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy a Windows 10 image using MDT](/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt)<br>[Deploy Windows 10 using PXE and Configuration Manager](/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager)|
+|[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)<br>[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
+|[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)<br>[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
 
 >[!IMPORTANT]
 >The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index c59e537d48..485e471769 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -44,23 +44,15 @@ This guide provides instructions to install and configure the Microsoft Deployme
 
 Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
 
-<br>
-
-<div>
-
-<table border="1" cellspacing="0" cellpadding="0">
-<tr><td BGCOLOR="#a0e4fa"><B>Topic</B><td BGCOLOR="#a0e4fa"><B>Description</B><td BGCOLOR="#a0e4fa"><B>Time</B>
-
-<tr><td><a href="#about-mdt" data-raw-source="[About MDT](#about-mdt)">About MDT</a><td>A high-level overview of the Microsoft Deployment Toolkit (MDT).<td>Informational
-<tr><td><a href="#install-mdt" data-raw-source="[Install MDT](#install-mdt)">Install MDT</a><td>Download and install MDT.<td>40 minutes
-<tr><td><a href="#create-a-deployment-share-and-reference-image" data-raw-source="[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)">Create a deployment share and reference image</a><td>A reference image is created to serve as the template for deploying new images.<td>90 minutes
-<tr><td><a href="#deploy-a-windows-10-image-using-mdt" data-raw-source="[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)">Deploy a Windows 10 image using MDT</a><td>The reference image is deployed in the PoC environment.<td>60 minutes
-<tr><td><a href="#refresh-a-computer-with-windows-10" data-raw-source="[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)">Refresh a computer with Windows 10</a><td>Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.<td>60 minutes
-<tr><td><a href="#replace-a-computer-with-windows-10" data-raw-source="[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)">Replace a computer with Windows 10</a><td>Back up an existing client computer, then restore this backup to a new computer.<td>60 minutes
-<tr><td><a href="#troubleshooting-logs-events-and-utilities" data-raw-source="[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)">Troubleshooting logs, events, and utilities</a><td>Log locations and troubleshooting hints.<td>Informational
-</TABLE>
-
-</div>
+|Topic|Description|Time|
+|--- |--- |--- |
+|[About MDT](#about-mdt)|A high-level overview of the Microsoft Deployment Toolkit (MDT).|Informational|
+|[Install MDT](#install-mdt)|Download and install MDT.|40 minutes|
+|[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)|A reference image is created to serve as the template for deploying new images.|90 minutes|
+|[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)|The reference image is deployed in the PoC environment.|60 minutes|
+|[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)|Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.|60 minutes|
+|[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)|Back up an existing client computer, then restore this backup to a new computer.|60 minutes|
+|[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)|Log locations and troubleshooting hints.|Informational|
 
 ## About MDT
 
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 3855f4698d..880fc20b4b 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -53,26 +53,20 @@ After completing the instructions in this guide, you will have a PoC environment
 
 Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
 
-<br>
-
-<div>
-
-<table border="1" cellspacing="0" cellpadding="0">
-<tr><TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Topic</B></font></td><TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Description</B></font></td><TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Time</B></font></td></tr>
-<tr><td><a href="#hardware-and-software-requirements" data-raw-source="[Hardware and software requirements](#hardware-and-software-requirements)">Hardware and software requirements</a><td>Prerequisites to complete this guide.<td>Informational
-<tr><td><a href="#lab-setup" data-raw-source="[Lab setup](#lab-setup)">Lab setup</a><td>A description and diagram of the PoC environment.<td>Informational
-<tr><td><a href="#configure-the-poc-environment" data-raw-source="[Configure the PoC environment](#configure-the-poc-environment)">Configure the PoC environment</a><td>Parent topic for procedures.<td>Informational
-<tr><td><a href="#verify-support-and-install-hyper-v" data-raw-source="[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)">Verify support and install Hyper-V</a><td>Verify that installation of Hyper-V is supported, and install the Hyper-V server role.<td>10 minutes
-<tr><td><a href="#download-vhd-and-iso-files" data-raw-source="[Download VHD and ISO files](#download-vhd-and-iso-files)">Download VHD and ISO files</a><td>Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.<td>30 minutes
-<tr><td><a href="#convert-pc-to-vm" data-raw-source="[Convert PC to VM](#convert-pc-to-vm)">Convert PC to VM</a><td>Convert a physical computer on your network to a VM hosted in Hyper-V.<td>30 minutes
-<tr><td><a href="#resize-vhd" data-raw-source="[Resize VHD](#resize-vhd)">Resize VHD</a><td>Increase the storage capacity for one of the Windows Server VMs.<td>5 minutes
-<tr><td><a href="#configure-hyper-v" data-raw-source="[Configure Hyper-V](#configure-hyper-v)">Configure Hyper-V</a><td>Create virtual switches, determine available RAM for virtual machines, and add virtual machines.<td>15 minutes
-<tr><td><a href="#configure-vms" data-raw-source="[Configure service and user accounts](#configure-vms)">Configure service and user accounts</a><td>Start virtual machines and configure all services and settings.<td>60 minutes
-<tr><td><a href="#configure-vms" data-raw-source="[Configure VMs](#configure-vms)">Configure VMs</a><td>Start virtual machines and configure all services and settings.<td>60 minutes
-<tr><td><a href="#appendix-a-verify-the-configuration" data-raw-source="[Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)">Appendix A: Verify the configuration</a><td>Verify and troubleshoot network connectivity and services in the PoC environment.<td>30 minutes
-<tr><td><a href="#appendix-b-terminology-used-in-this-guide" data-raw-source="[Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)">Appendix B: Terminology in this guide</a><td>Terms used in this guide.<td>Informational
-</table>
-</div>
+|Topic|Description|Time|
+|--- |--- |--- |
+|[Hardware and software requirements](#hardware-and-software-requirements)|Prerequisites to complete this guide.|Informational|
+|[Lab setup](#lab-setup)|A description and diagram of the PoC environment.|Informational|
+|[Configure the PoC environment](#configure-the-poc-environment)|Parent topic for procedures.|Informational|
+|[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)|Verify that installation of Hyper-V is supported, and install the Hyper-V server role.|10 minutes|
+|[Download VHD and ISO files](#download-vhd-and-iso-files)|Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.|30 minutes|
+|[Convert PC to VM](#convert-pc-to-vm)|Convert a physical computer on your network to a VM hosted in Hyper-V.|30 minutes|
+|[Resize VHD](#resize-vhd)|Increase the storage capacity for one of the Windows Server VMs.|5 minutes|
+|[Configure Hyper-V](#configure-hyper-v)|Create virtual switches, determine available RAM for virtual machines, and add virtual machines.|15 minutes|
+|[Configure service and user accounts](#configure-vms)|Start virtual machines and configure all services and settings.|60 minutes|
+|[Configure VMs](#configure-vms)|Start virtual machines and configure all services and settings.|60 minutes|
+|[Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)|Verify and troubleshoot network connectivity and services in the PoC environment.|30 minutes|
+|[Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)|Terms used in this guide.|Informational|
 
 ## Hardware and software requirements
 
@@ -85,60 +79,17 @@ Hardware requirements are displayed below:
 
 <div>
 
-<table border="1" cellspacing="0" cellpadding="0">
-    <tr>
-        <td></td>
-        <td BGCOLOR="#a0e4fa"><strong><font color="#000000">Computer 1</strong> (required)</font></td>
-        <td BGCOLOR="#a0e4fa"><strong><font color="#000000">Computer 2</strong> (recommended)</font></td>
-    </tr>
-    <tr>
-        <td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Role</strong></font></td>
-        <td>Hyper-V host</td>
-        <td>Client computer</td>
-    </tr>
-    <tr>
-        <td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Description</strong></font></td>
-        <td>This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.</td>
-        <td>This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.</td>
-    </tr>
-    <tr>
-        <td BGCOLOR="#a0e4fa"><font color="#000000"><strong>OS</strong></font></td>
-        <td>Windows 8.1/10 or Windows Server 2012/2012 R2/2016<b>*</b></td>
-        <td>Windows 7 or a later</td>
-    </tr>
-    <tr>
-        <td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Edition</strong></font></td>
-        <td>Enterprise, Professional, or Education</td>
-        <td>Any</td>
-    </tr>
-    <tr>
-        <td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Architecture</strong></font></td>
-        <td>64-bit</td>
-        <td>Any<BR><I>Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.</I></td>
-    </tr>
-    <tr>
-        <td BGCOLOR="#a0e4fa"><strong>RAM</strong></td>
-        <td>8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
-        <BR>16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.</td>
-        <td>Any</td>
-    </tr>
-    <tr>
-        <td BGCOLOR="#a0e4fa"><strong>Disk</strong></td>
-        <td>200 GB available hard disk space, any format.</td>
-        <td>Any size, MBR formatted.</td>
-    </tr>
-    <tr>
-        <td BGCOLOR="#a0e4fa"><font color="#000000"><strong>CPU</strong></font></td>
-        <td>SLAT-Capable CPU</td>
-        <td>Any</td>
-    </tr>
-    <tr>
-        <td BGCOLOR="#a0e4fa"><font color="#000000"><strong>Network</strong></font></td>
-        <td>Internet connection</td>
-        <td>Any</td>
-    </tr>
-</table>
-
+||Computer 1 (required)|Computer 2 (recommended)|
+|--- |--- |--- |
+|**Role**|Hyper-V host|Client computer|
+|**Description**|This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.|This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.|
+|**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016*|Windows 7 or a later|
+|**Edition**|Enterprise, Professional, or Education|Any|
+|**Architecture**|64-bit|Any <p> *Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.*|
+|**RAM**|8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.<br>16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any|
+|**Disk**|200 GB available hard disk space, any format.|Any size, MBR formatted.|
+|**CPU**|SLAT-Capable CPU|Any|
+|**Network**|Internet connection|Any|
 
 <B>\*</B><I>The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.</I>
 <BR>
@@ -236,57 +187,51 @@ When you have completed installation of Hyper-V on the host computer, begin conf
 
 1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
 
-    **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
+     **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
 
-    After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
+     After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
 
-    <TABLE BORDER="1">
-    <tr><td> <img src="images/download_vhd.png" alt="VHD"/> </TD></TR>
-    </TABLE>
+     ![VHD](images/download_vhd.png)
 
 2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
 3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
 4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
 
-    >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
+     >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
 
 5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
 
-After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
+     After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
 
-The following displays the procedures described in this section, both before and after downloading files:
+     The following displays the procedures described in this section, both before and after downloading files:
 
-<pre>
-C:>mkdir VHD
-C:>cd VHD
-C:\VHD&gt;ren 9600*.vhd 2012R2-poc-1.vhd
-C:\VHD&gt;copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
-   1 file(s) copied.
-C:\VHD ren *.iso w10-enterprise.iso
-C:\VHD&gt;dir /B
-2012R2-poc-1.vhd
-2012R2-poc-2.vhd
-w10-enterprise.iso
-</pre>
+     <pre>
+     C:>mkdir VHD
+     C:>cd VHD
+     C:\VHD&gt;ren 9600*.vhd 2012R2-poc-1.vhd
+     C:\VHD&gt;copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
+        1 file(s) copied.
+     C:\VHD ren *.iso w10-enterprise.iso
+     C:\VHD&gt;dir /B
+     2012R2-poc-1.vhd
+     2012R2-poc-2.vhd
+     w10-enterprise.iso
+     </pre>
 
 ### Convert PC to VM
 
 >Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
 
-<TABLE BORDER="2"><tr><td>
 If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
-<BR>
-<OL>
-<LI>Open the <a href="https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/" data-raw-source="[Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)">Download virtual machines</a> page.
-<LI>Under <strong>Virtual machine</strong>, choose <strong>IE11 on Win7</strong>.
-<LI>Under <strong>Select platform</strong> choose <strong>HyperV (Windows)</strong>.
-<LI>Click <strong>Download .zip</strong>. The download is 3.31 GB.
-<LI>Extract the zip file. Three directories are created.
-<LI>Open the <strong>Virtual Hard Disks</strong> directory and then copy <strong>IE11 - Win7.vhd</strong> to the <strong>C:\VHD</strong> directory.
-<LI>Rename <strong>IE11 - Win7.vhd</strong> to <strong>w7.vhd</strong> (do not rename the file to w7.vhdx).
-<LI>In step 5 of the <a href="#configure-hyper-v" data-raw-source="[Configure Hyper-V](#configure-hyper-v)">Configure Hyper-V</a> section, replace the VHD file name <strong>w7.vhdx</strong> with <strong>w7.vhd</strong>.
-</OL>
-</TABLE>
+
+1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page.
+2. Under **Virtual machine**, choose **IE11 on Win7**.
+3. Under **Select platform** choose **HyperV (Windows)**.
+4. Click **Download .zip**. The download is 3.31 GB.
+5. Extract the zip file. Three directories are created.
+6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
+7. Rename **IE11 - Win7.vhd** to **w7.vhd** (do not rename the file to w7.vhdx).
+8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
 
 If you have a PC available to convert to VM (computer 2):
 
@@ -301,30 +246,10 @@ If you have a PC available to convert to VM (computer 2):
 
 When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs.
 
-<div>
-
-<table border="1" cellspacing="0" cellpadding="0">
-    <tr>
-        <td></td>
-        <td>Architecture</td>
-        <td>Operating system</td>
-        <td>Partition style</td>
-    </tr>
-    <tr>
-        <td>Generation 1</td>
-        <td>32-bit or 64-bit</td>
-        <td>Windows 7 or later</td>
-        <td>MBR</td>
-    </tr>
-    <tr>
-        <td>Generation 2</td>
-        <td>64-bit</td>
-        <td>Windows 8 or later</td>
-        <td>MBR or GPT</td>
-    </tr>
-</table>
-
-</div>
+||Architecture|Operating system|Partition style|
+|--- |--- |--- |--- |
+|**Generation 1**|32-bit or 64-bit|Windows 7 or later|MBR|
+|**Generation 2**|64-bit|Windows 8 or later|MBR or GPT|
 
 If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM.
 
@@ -370,74 +295,42 @@ Number Friendly Name                  OperationalStatus                     Tota
 
 **Choosing a VM generation**
 
-The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
+The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
 
-<div>
+**Windows 7 MBR**
 
-<table border="1" cellspacing="0" cellpadding="0">
-    <tr>
-        <td>OS</td>
-        <td>Partition style</td>
-        <td>Architecture</td>
-        <td>VM generation</td>
-        <td>Procedure</td>
-    </tr>
-    <tr>
-        <td rowspan="4">Windows 7</td>
-        <td rowspan="2">MBR</td>
-        <td>32</td>
-        <td>1</td>
-        <td><a href="#prepare-a-generation-1-vm" data-raw-source="[Prepare a generation 1 VM](#prepare-a-generation-1-vm)">Prepare a generation 1 VM</a></td>
-    </tr>
-    <tr>
-        <td>64</td>
-        <td>1</td>
-        <td><a href="#prepare-a-generation-1-vm" data-raw-source="[Prepare a generation 1 VM](#prepare-a-generation-1-vm)">Prepare a generation 1 VM</a></td>
-    </tr>
-    <tr>
-        <td rowspan="2">GPT</td>
-        <td>32</td>
-        <td>N/A</td>
-        <td>N/A</td>
-    </tr>
-    <tr>
-        <td>64</td>
-        <td>1</td>
-        <td><a href="#prepare-a-generation-1-vm-from-a-gpt-disk" data-raw-source="[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)">Prepare a generation 1 VM from a GPT disk</a></td>
-    </tr>
-    <tr>
-        <td rowspan="4">Windows 8 or later</td>
-        <td rowspan="2">MBR</td>
-        <td>32</td>
-        <td>1</td>
-        <td><a href="#prepare-a-generation-1-vm" data-raw-source="[Prepare a generation 1 VM](#prepare-a-generation-1-vm)">Prepare a generation 1 VM</a></td>
-    </tr>
-    <tr>
-        <td>64</td>
-        <td>1, 2</td>
-        <td><a href="#prepare-a-generation-1-vm" data-raw-source="[Prepare a generation 1 VM](#prepare-a-generation-1-vm)">Prepare a generation 1 VM</a></td>
-    </tr>
-    <tr>
-        <td rowspan="2">GPT</td>
-        <td>32</td>
-        <td>1</td>
-        <td><a href="#prepare-a-generation-1-vm-from-a-gpt-disk" data-raw-source="[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)">Prepare a generation 1 VM from a GPT disk</a></td>
-    </tr>
-    <tr>
-        <td>64</td>
-        <td>2</td>
-        <td><a href="#prepare-a-generation-2-vm" data-raw-source="[Prepare a generation 2 VM](#prepare-a-generation-2-vm)">Prepare a generation 2 VM</a></td>
-    </tr>
-</table>
+|Architecture|VM generation|Procedure|
+|--- |--- |--- |
+|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
+|64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
 
-</div>
+**Windows 7 GPT**
+
+|Architecture|VM generation|Procedure|
+|--- |--- |--- |
+|32|N/A|N/A|
+|64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
+
+**Windows 8 or later MBR**
+
+|Architecture|VM generation|Procedure|
+|--- |--- |--- |
+|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
+|64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
+
+**Windows 8 or later GPT**
+
+|Architecture|VM generation|Procedure|
+|--- |--- |--- |
+|32|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
+|64|2|[Prepare a generation 2 VM](#prepare-a-generation-2-vm)|
+
+> [!NOTE]
+>
+>- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
+>- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the <strong>mountvol</strong> command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm).
+>- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm).
 
-Notes:<BR>
-<UL>
-<LI>If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see <a href="#prepare-a-generation-1-vm-from-a-gpt-disk" data-raw-source="[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)">Prepare a generation 1 VM from a GPT disk</a>.
-<LI>If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the <strong>mountvol</strong> command. In this case, see <a href="#prepare-a-generation-2-vm" data-raw-source="[Prepare a generation 2 VM](#prepare-a-generation-2-vm)">Prepare a generation 2 VM</a>.
-<LI>If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see <a href="#prepare-a-generation-1-vm" data-raw-source="[Prepare a generation 1 VM](#prepare-a-generation-1-vm)">Prepare a generation 1 VM</a>.
-</UL>
 
 #### Prepare a generation 1 VM
 
@@ -1080,26 +973,18 @@ Use the following procedures to verify that the PoC environment is configured pr
 
 ## Appendix B: Terminology used in this guide
 
-<P>&nbsp;
-
-<div>
-
-<table border="1" cellspacing="0" cellpadding="0">
-<tr><TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Term</B></font>
-<TD BGCOLOR="#a0e4fa"><font color="#000000"><B>Definition</B></font>
-<tr><td>GPT<td>GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
-<tr><td>Hyper-V<td>Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
-<tr><td>Hyper-V host<td>The computer where Hyper-V is installed.
-<tr><td>Hyper-V Manager<td>The user-interface console used to view and configure Hyper-V.
-<tr><td>MBR<td>Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
-<tr><td>Proof of concept (PoC)<td>Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
-<tr><td>Shadow copy<td>A copy or &quot;snapshot&quot; of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
-<tr><td>Virtual machine (VM)<td>A VM is a virtual computer with its own operating system, running on the Hyper-V host.
-<tr><td>Virtual switch<td>A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
-<tr><td>VM snapshot<td>A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
-</TABLE>
-
-</div>
+|Term|Definition|
+|--- |--- |
+|GPT|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
+|Hyper-V|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
+|Hyper-V host|The computer where Hyper-V is installed.|
+|Hyper-V Manager|The user-interface console used to view and configure Hyper-V.|
+|MBR|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
+|Proof of concept (PoC)|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
+|Shadow copy|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
+|Virtual machine (VM)|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
+|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
+|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
 
 ## Related Topics
 

From a6ac7aafc8b7d844ebf320d5498212431335be5e Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Wed, 8 Dec 2021 12:44:51 +0530
Subject: [PATCH 36/73] Fixing suggestion

---
 windows/deployment/upgrade/windows-10-edition-upgrades.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index c0a2fa58db..3e26eb22d7 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -150,7 +150,7 @@ S = Supported; Not considered a downgrade or an upgrade
 
 **Destination Edition: (Starting)**
 
-||Home|Pro|Pro for Workstations|Pro Education|Education|Enterprise LTSC|Enterprise|
+|Edition|Home|Pro|Pro for Workstations|Pro Education|Education|Enterprise LTSC|Enterprise|
 |--- |--- |--- |--- |--- |--- |--- |--- |
 |Home||||||||
 |Pro||||||||

From eb01cc85cba3c9ee1921f31323690aa1d8352df8 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Wed, 8 Dec 2021 14:15:10 +0530
Subject: [PATCH 37/73] Converted table

---
 .../mdm/policy-csp-textinput.md               | 40 ++++---------------
 1 file changed, 8 insertions(+), 32 deletions(-)

diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index fe40663591..704f861562 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -623,38 +623,14 @@ This setting supports a range of values between 0 and 1.
 <a href="" id="textinput-allowtextinputsuggestionupdate"></a>**TextInput/AllowTextInputSuggestionUpdate**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>No</td>
-    <td>No</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>

From 5e65169f019180f2e08f6992ac869010386f5749 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Wed, 8 Dec 2021 14:18:08 +0530
Subject: [PATCH 38/73] Converted table

---
 .../mdm/policy-csp-wirelessdisplay.md         | 40 ++++---------------
 1 file changed, 8 insertions(+), 32 deletions(-)

diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 75114ad157..d61b982f66 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -136,38 +136,14 @@ The following list shows the supported values:
 <a href="" id="wirelessdisplay-allowmovementdetectiononinfrastructure"></a>**WirelessDisplay/AllowMovementDetectionOnInfrastructure**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>No</td>
-    <td>No</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>

From aa4250bac339d6023354a0e8164ccfab4ffcf64b Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Wed, 8 Dec 2021 14:21:05 +0530
Subject: [PATCH 39/73] Update policy-csp-virtualizationbasedtechnology.md

---
 ...olicy-csp-virtualizationbasedtechnology.md | 80 ++++---------------
 1 file changed, 16 insertions(+), 64 deletions(-)

diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
index be76aebb53..2ca5d714a9 100644
--- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
+++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
@@ -35,38 +35,14 @@ manager: dansimp
 <a href="" id="virtualizationbasedtechnology-hypervisorenforcedcodeintegrity"></a>**VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>
@@ -108,38 +84,14 @@ The following are the supported values:
 <a href="" id="virtualizationbasedtechnology-requireuefimemoryattributestable"></a>**VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|Yes|Yes|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>

From 5e4db1ef7f210a43257d395bde1756499e7bf1ae Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Wed, 8 Dec 2021 17:47:43 +0530
Subject: [PATCH 40/73] Updated table into text due to string separator '|'

---
 .../change-history-for-mdm-documentation.md   | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md
index 6665d6c4ea..ac52182efc 100644
--- a/windows/client-management/mdm/change-history-for-mdm-documentation.md
+++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md
@@ -281,13 +281,18 @@ This article lists new and updated articles for the Mobile Device Management (MD
 
 ## October 2017
 
-|New or updated article|Description|
-|--- |--- |
-|[Policy DDF file](policy-ddf-file.md)|Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.|
-|[Policy CSP](policy-configuration-service-provider.md)|Updated the following policies:<li>Defender/ControlledFolderAccessAllowedApplications - string separator is'I' <li>Defender/ControlledFolderAccessProtectedFolders - string separator is 'I'.|
-|[eUICCs CSP](euiccs-csp.md)|Added new CSP in Windows 10, version 1709.|
-|[AssignedAccess CSP](assignedaccess-csp.md)|Added SyncML examples for the new Configuration node.|
-|[DMClient CSP](dmclient-csp.md)|Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.|
+[Policy DDF file](policy-ddf-file.md): Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.
+
+[Policy CSP](policy-configuration-service-provider.md): Updated the following policies:
+
+- Defender/ControlledFolderAccessAllowedApplications - string separator is'|'
+- Defender/ControlledFolderAccessProtectedFolders - string separator is '|'.
+
+[eUICCs CSP](euiccs-csp.md): Added new CSP in Windows 10, version 1709.
+
+[AssignedAccess CSP](assignedaccess-csp.md):Added SyncML examples for the new Configuration node.
+
+[DMClient CSP](dmclient-csp.md): Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
 
 ## September 2017
 

From f32a68e118fef2279669c37a19eade76275c692e Mon Sep 17 00:00:00 2001
From: Diana Hanson <v-dihans@microsoft.com>
Date: Wed, 8 Dec 2021 10:53:35 -0700
Subject: [PATCH 41/73] Fix links

---
 windows/security/threat-protection/index.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 7cf2f166da..0c47bc6855 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -29,18 +29,18 @@ In Windows client, hardware and software work together to help protect you from
 
 See the following articles to learn more about the different areas of Windows threat protection:
 
-- [Application Control](/windows-defender-application-control/windows-defender-application-control.md)
+- [Application Control](/windows-defender-application-control/windows-defender-application-control)
 - [Attack Surface Reduction Rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
 - [Controlled Folder Access](/microsoft-365/security/defender-endpoint/controlled-folders)
 - [Exploit Protection](/microsoft-365/security/defender-endpoint/exploit-protection)
-- [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md)
-- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
+- [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
+- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+- [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
 - [Network Protection](/microsoft-365/security/defender-endpoint/network-protection)
-- [Virtualization-Based Protection of Code Integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md)
+- [Virtualization-Based Protection of Code Integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
 - [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
-- [Windows Firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md)
+- [Windows Firewall](windows-firewall/windows-firewall-with-advanced-security)
+- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
 
 ### Next-generation protection
 Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. 

From 5cfe05b067d4caca50c9710ba349cc7b27681f34 Mon Sep 17 00:00:00 2001
From: Diana Hanson <v-dihans@microsoft.com>
Date: Wed, 8 Dec 2021 11:00:08 -0700
Subject: [PATCH 42/73] Apply suggestions from code review

---
 windows/security/threat-protection/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 0c47bc6855..0fd6528273 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -34,12 +34,12 @@ See the following articles to learn more about the different areas of Windows th
 - [Controlled Folder Access](/microsoft-365/security/defender-endpoint/controlled-folders)
 - [Exploit Protection](/microsoft-365/security/defender-endpoint/exploit-protection)
 - [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
-- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 - [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
 - [Network Protection](/microsoft-365/security/defender-endpoint/network-protection)
 - [Virtualization-Based Protection of Code Integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
 - [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
-- [Windows Firewall](windows-firewall/windows-firewall-with-advanced-security)
+- [Windows Firewall](windows-firewall/windows-firewall-with-advanced-security.md)
 - [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
 
 ### Next-generation protection

From 022a3375abfe9b873b71343025641becab5a57c1 Mon Sep 17 00:00:00 2001
From: Diana Hanson <v-dihans@microsoft.com>
Date: Wed, 8 Dec 2021 11:14:22 -0700
Subject: [PATCH 43/73] Update windows/security/threat-protection/index.md

---
 windows/security/threat-protection/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 0fd6528273..63927cafc8 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -29,7 +29,7 @@ In Windows client, hardware and software work together to help protect you from
 
 See the following articles to learn more about the different areas of Windows threat protection:
 
-- [Application Control](/windows-defender-application-control/windows-defender-application-control)
+- [Application Control](/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
 - [Attack Surface Reduction Rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
 - [Controlled Folder Access](/microsoft-365/security/defender-endpoint/controlled-folders)
 - [Exploit Protection](/microsoft-365/security/defender-endpoint/exploit-protection)

From 7b8742d63a912db4cc23ce07a8163b5ab2bc3e92 Mon Sep 17 00:00:00 2001
From: Diana Hanson <v-dihans@microsoft.com>
Date: Wed, 8 Dec 2021 11:19:29 -0700
Subject: [PATCH 44/73] Update windows/security/threat-protection/index.md

---
 windows/security/threat-protection/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 63927cafc8..c76ead4afc 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -29,7 +29,7 @@ In Windows client, hardware and software work together to help protect you from
 
 See the following articles to learn more about the different areas of Windows threat protection:
 
-- [Application Control](/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
+- [Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)
 - [Attack Surface Reduction Rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
 - [Controlled Folder Access](/microsoft-365/security/defender-endpoint/controlled-folders)
 - [Exploit Protection](/microsoft-365/security/defender-endpoint/exploit-protection)

From 36fd33e7dced43454db3b8d0a627de9d1cbad708 Mon Sep 17 00:00:00 2001
From: Daniel Simpson <dansimp@microsoft.com>
Date: Wed, 8 Dec 2021 11:22:37 -0800
Subject: [PATCH 45/73] sync w security book

---
 windows/hub/index.yml        | 8 ++++----
 windows/security/identity.md | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 23a3c69aae..cd0a734c01 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -179,9 +179,6 @@ conceptualContent:
         - url: /windows/security/index    
           itemType: overview
           text: Windows Enterprise Security
-        - url: /windows/privacy/index
-          itemType: overview
-          text: Windows Privacy
         - url: /windows/security/hardware
           itemType: overview
           text: Hardware security
@@ -193,10 +190,13 @@ conceptualContent:
           text: Application security
         - url: /windows/security/identity
           itemType: overview
-          text: User and identity security
+          text: Identity and privacy
         - url: /windows/security/cloud
           itemType: overview
           text: Cloud services
+        - url: /windows/privacy/index
+          itemType: overview
+          text: Windows Privacy
 
 # additionalContent section (optional)
 # Card with summary style
diff --git a/windows/security/identity.md b/windows/security/identity.md
index 0cfa07beba..7e2e8ca4b9 100644
--- a/windows/security/identity.md
+++ b/windows/security/identity.md
@@ -13,7 +13,7 @@ ms.prod: m365-security
 ms.technology: windows-sec
 ---
 
-# Windows identity and user security
+# Windows identity and privacy
  
 Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure.  Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations.
 

From be24de50d58a8e98c68a2a602c3dc705317039de Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Thu, 9 Dec 2021 18:49:53 +0530
Subject: [PATCH 46/73] i corrected sentences

as per user feedback #10193 , so i corrected it after verifying with GPO  explanation under Windows 11.
---
 .../hello-for-business/hello-manage-in-organization.md        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 5610f8e167..f7d07b7d3c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -59,7 +59,7 @@ The following table lists the Group Policy settings that you can configure for W
 |Minimum PIN length|Computer|<p><b>Not configured</b>: PIN length must be greater  than or equal to 4.<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be greater  than or equal to 4.|
 |Expiration|Computer|<p><b>Not configured</b>: PIN does not expire.<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.<p><b>Disabled</b>: PIN does not expire.|
 |History|Computer|<p><b>Not configured</b>: Previous PINs are not stored.<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.<p><b>Disabled</b>: Previous PINs are not stored.<div class="alert"><b>Note</b>  Current PIN is included in PIN history.</div>|
-|Require special characters|Computer|<p><b>Not configured</b>: Users cannot include a special character in their PIN<p><b>Enabled</b>: Users must include at least one special character in their PIN.<p><b>Disabled</b>: Users cannot include a special character in their PIN.|
+|Require special characters|Computer|<p><b>Not configured</b>: Windows allows, but does not require, special characters in the PIN<p><b>Enabled</b>: Windows requires the user to include at least one special character in their PIN.<p><b>Disabled</b>: Windows does not allow the user to include special characters in their PIN.|
 |Require uppercase letters|Computer|<p><b>Not configured</b>: Users cannot include an uppercase letter in their PIN.<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.<p><b>Disabled</b>: Users cannot include an uppercase letter in their PIN.|
 
 ### Phone Sign-in
@@ -168,4 +168,4 @@ If you want to use Windows Hello for Business with certificates, you'll need a d
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 - [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)

From b67fce598d8054d2c34bba296f143821e5c00ded Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Thu, 9 Dec 2021 14:55:21 -0500
Subject: [PATCH 47/73] spacing

---
 ...release-notes-for-appv-for-windows-1703.md | 120 +++++++++---------
 1 file changed, 60 insertions(+), 60 deletions(-)

diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index a6f88ea7a3..4f5424f963 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -35,65 +35,65 @@ The following are known issues and workarounds for Application Virtualization (A
 
      **Workaround**: The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the `<appv:Extensions>` tag:
 
-```xml
-<appv:Extension Category="AppV.URLProtocol">
-    <appv:URLProtocol>
-        <appv:Name>ftp</appv:Name>
-        <appv:ApplicationURLProtocol>
-            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
-            <appv:ShellCommands>
-                <appv:DefaultCommand>open</appv:DefaultCommand>
-                <appv:ShellCommand>
-                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
-                    <appv:Name>open</appv:Name>
-                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
-                    <appv:DdeExec>
-                        <appv:DdeCommand />
-                    </appv:DdeExec>
-                </appv:ShellCommand>
-            </appv:ShellCommands>
-        </appv:ApplicationURLProtocol>
-    </appv:URLProtocol>
-</appv:Extension>
-<appv:Extension Category="AppV.URLProtocol">
-    <appv:URLProtocol>
-        <appv:Name>http</appv:Name>
-        <appv:ApplicationURLProtocol>
-            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
-            <appv:ShellCommands>
-                <appv:DefaultCommand>open</appv:DefaultCommand>
-                <appv:ShellCommand>
-                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
-                    <appv:Name>open</appv:Name>
-                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
-                    <appv:DdeExec>
-                        <appv:DdeCommand />
-                    </appv:DdeExec>
-                </appv:ShellCommand>
-            </appv:ShellCommands>
-        </appv:ApplicationURLProtocol>
-    </appv:URLProtocol>
-</appv:Extension>
-<appv:Extension Category="AppV.URLProtocol">
-    <appv:URLProtocol>
-        <appv:Name>https</appv:Name>
-        <appv:ApplicationURLProtocol>
-            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
-            <appv:ShellCommands>
-                <appv:DefaultCommand>open</appv:DefaultCommand>
-                <appv:ShellCommand>
-                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
-                    <appv:Name>open</appv:Name>
-                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
-                    <appv:DdeExec>
-                        <appv:DdeCommand />
-                    </appv:DdeExec>
-                </appv:ShellCommand>
-            </appv:ShellCommands>
-        </appv:ApplicationURLProtocol>
-    </appv:URLProtocol>
-</appv:Extension>
-```
+     ```xml
+     <appv:Extension Category="AppV.URLProtocol">
+         <appv:URLProtocol>
+             <appv:Name>ftp</appv:Name>
+             <appv:ApplicationURLProtocol>
+                 <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
+                 <appv:ShellCommands>
+                     <appv:DefaultCommand>open</appv:DefaultCommand>
+                     <appv:ShellCommand>
+                         <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
+                         <appv:Name>open</appv:Name>
+                         <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
+                         <appv:DdeExec>
+                             <appv:DdeCommand />
+                         </appv:DdeExec>
+                     </appv:ShellCommand>
+                 </appv:ShellCommands>
+             </appv:ApplicationURLProtocol>
+         </appv:URLProtocol>
+     </appv:Extension>
+     <appv:Extension Category="AppV.URLProtocol">
+         <appv:URLProtocol>
+             <appv:Name>http</appv:Name>
+             <appv:ApplicationURLProtocol>
+                 <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
+                 <appv:ShellCommands>
+                     <appv:DefaultCommand>open</appv:DefaultCommand>
+                     <appv:ShellCommand>
+                         <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
+                         <appv:Name>open</appv:Name>
+                         <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
+                         <appv:DdeExec>
+                             <appv:DdeCommand />
+                         </appv:DdeExec>
+                     </appv:ShellCommand>
+                 </appv:ShellCommands>
+             </appv:ApplicationURLProtocol>
+         </appv:URLProtocol>
+     </appv:Extension>
+     <appv:Extension Category="AppV.URLProtocol">
+         <appv:URLProtocol>
+             <appv:Name>https</appv:Name>
+             <appv:ApplicationURLProtocol>
+                 <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
+                 <appv:ShellCommands>
+                     <appv:DefaultCommand>open</appv:DefaultCommand>
+                     <appv:ShellCommand>
+                         <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
+                         <appv:Name>open</appv:Name>
+                         <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
+                         <appv:DdeExec>
+                             <appv:DdeCommand />
+                         </appv:DdeExec>
+                     </appv:ShellCommand>
+                 </appv:ShellCommands>
+             </appv:ApplicationURLProtocol>
+         </appv:URLProtocol>
+     </appv:Extension>
+     ```
 
 ## Related resources list
 For information that can help with troubleshooting App-V for Windows client, see:
@@ -111,4 +111,4 @@ For information that can help with troubleshooting App-V for Windows client, see
 ## Related topics
 - [What's new in App-V for Windows client](appv-about-appv.md)
 
-- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md)
\ No newline at end of file
+- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md)

From 7ba86b1d8231c7bc468fcc2e508e7a08c89e8a51 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Thu, 9 Dec 2021 15:06:56 -0500
Subject: [PATCH 48/73] Removed mobile

---
 .../client-management/mdm/bitlocker-csp.md    | 75 +------------------
 1 file changed, 1 insertion(+), 74 deletions(-)

diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index c0d680c371..96b516b939 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -28,7 +28,7 @@ For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation
 
 The following shows the BitLocker configuration service provider in tree format.
 
-```
+```console
 ./Device/Vendor/MSFT
 BitLocker
 ----RequireStorageCardEncryption
@@ -63,54 +63,7 @@ BitLocker
 <a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**  
 Defines the root node for the BitLocker configuration service provider.
 <!--Policy-->
-<a href="" id="requirestoragecardencryption"></a>**RequireStorageCardEncryption**  
-<!--Description-->
-Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.
-<!--/Description-->
-<!--SupportedSKUs-->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|No|No|
-|Business|No|No|
-|Enterprise|No|No|
-|Education|No|No|
-|Mobile|Yes|Yes|
-
-<!--/SupportedSKUs-->
-
-Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
-<!--SupportedValues-->
-- 0 (default) – Storage cards do not need to be encrypted.
-- 1 – Require storage cards to be encrypted.  
-<!--/SupportedValues-->
-Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
-
-If you want to disable this policy use the following SyncML:
-
-```xml
-<SyncML>
-    <SyncBody>
-        <Replace>
-            <CmdID>$CmdID$</CmdID>
-            <Item>
-                <Target>
-                    <LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
-                </Target>
-                <Meta>
-                    <Format xmlns="syncml:metinf">int</Format>
-                </Meta>
-                <Data>0</Data>
-                </Item>
-        </Replace>
-    </SyncBody>
-</SyncML>
-```
-
-Data type is integer. Supported operations are Add, Get, Replace, and Delete.
-<!--/Policy-->
-<!--Policy-->
 <a href="" id="requiredeviceencryption"></a>**RequireDeviceEncryption**  
 <!--Description-->
 Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.
@@ -124,7 +77,6 @@ Allows the administrator to require encryption to be turned on by using BitLocke
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|Yes|Yes|
 
 <!--/SupportedSKUs-->
 Data type is integer. Sample value for this node to enable this policy: 1.
@@ -185,7 +137,6 @@ Allows you to set the default encryption method for each of the different drive
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedValues-->
 <!--ADMXMapped-->
@@ -260,7 +211,6 @@ Allows you to associate unique organizational identifiers to a new drive that is
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -321,7 +271,6 @@ Allows users on devices that are compliant with InstantGo or the Microsoft Hardw
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -364,7 +313,6 @@ Allows users to configure whether or not enhanced startup PINs are used with Bit
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -410,7 +358,6 @@ Allows you to configure whether standard users are allowed to change BitLocker P
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -456,7 +403,6 @@ Allows users to enable authentication options that require user input from the p
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -508,7 +454,6 @@ Allows you to configure the encryption type that is used by BitLocker.
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -557,7 +502,6 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -655,7 +599,6 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure minimu
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -722,7 +665,6 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -801,7 +743,6 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -888,7 +829,6 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -984,7 +924,6 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -1043,7 +982,6 @@ Allows you to configure the encryption type on fixed data drives that is used by
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -1094,7 +1032,6 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -1164,7 +1101,6 @@ Allows you to configure the encryption type that is used by BitLocker.
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -1209,7 +1145,6 @@ Allows you to control the use of BitLocker on removable data drives.
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
@@ -1269,7 +1204,6 @@ Allows the admin to disable the warning prompt for other disk encryption on the
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
@@ -1323,7 +1257,6 @@ If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDe
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
@@ -1368,7 +1301,6 @@ This setting initiates a client-driven recovery password refresh after an OS dri
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 
@@ -1413,7 +1345,6 @@ Each server-side recovery key rotation is represented by a request ID. The serve
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 
@@ -1448,7 +1379,6 @@ This node reports compliance state of device encryption on the system.
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 
@@ -1506,7 +1436,6 @@ Status code can be one of the following:
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
 
 <!--/SupportedSKUs-->
 
@@ -1531,8 +1460,6 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta
 |Business|Yes|Yes|
 |Enterprise|Yes|Yes|
 |Education|Yes|Yes|
-|Mobile|No|No|
-
 
 <!--/SupportedSKUs-->
 

From 91417c313bfa8ae930996dab6e3f871d282a9adc Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Thu, 9 Dec 2021 15:30:32 -0500
Subject: [PATCH 49/73] Spacing; October 2017 table is displaying weird

Seems to be ignoring the code ticks
---
 .../change-history-for-mdm-documentation.md   | 45 +++++++++----------
 1 file changed, 20 insertions(+), 25 deletions(-)

diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md
index ac52182efc..089b3868fd 100644
--- a/windows/client-management/mdm/change-history-for-mdm-documentation.md
+++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md
@@ -187,13 +187,13 @@ This article lists new and updated articles for the Mobile Device Management (MD
 |[TenantLockdown CSP](tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.|
 |[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.|
 |[Policy DDF file](policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
-|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>Browser/AllowFullScreenMode<li>Browser/AllowPrelaunch<li>Browser/AllowPrinting<li>Browser/AllowSavingHistory<li>Browser/AllowSideloadingOfExtensions<li>Browser/AllowTabPreloading<li>Browser/AllowWebContentOnNewTabPage<li>Browser/ConfigureFavoritesBar<li>Browser/ConfigureHomeButton<li>Browser/ConfigureKioskMode<li>Browser/ConfigureKioskResetAfterIdleTimeout<li>Browser/ConfigureOpenMicrosoftEdgeWith<li>Browser/ConfigureTelemetryForMicrosoft365Analytics<li>Browser/PreventCertErrorOverrides<li>Browser/SetHomeButtonURL<li>Browser/SetNewTabPageURL<li>Browser/UnlockHomeButton<li>Experience/DoNotSyncBrowserSettings<li>Experience/PreventUsersFromTurningOnBrowserSyncing<li>Kerberos/UPNNameHints<li>Privacy/AllowCrossDeviceClipboard<li>Privacy<li>DisablePrivacyExperience<li>Privacy/UploadUserActivities<li>System/AllowDeviceNameInDiagnosticData<li>System/ConfigureMicrosoft365UploadEndpoint<li>System/DisableDeviceDelete<li>System/DisableDiagnosticDataViewer<li>Storage/RemovableDiskDenyWriteAccess<li>Update/UpdateNotificationLevel<p>Start/DisableContextMenus - added in Windows 10, version 1803.<p>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>Browser/AllowFullScreenMode<li>Browser/AllowPrelaunch<li>Browser/AllowPrinting<li>Browser/AllowSavingHistory<li>Browser/AllowSideloadingOfExtensions<li>Browser/AllowTabPreloading<li>Browser/AllowWebContentOnNewTabPage<li>Browser/ConfigureFavoritesBar<li>Browser/ConfigureHomeButton<li>Browser/ConfigureKioskMode<li>Browser/ConfigureKioskResetAfterIdleTimeout<li>Browser/ConfigureOpenMicrosoftEdgeWith<li>Browser/ConfigureTelemetryForMicrosoft365Analytics<li>Browser/PreventCertErrorOverrides<li>Browser/SetHomeButtonURL<li>Browser/SetNewTabPageURL<li>Browser/UnlockHomeButton<li>Experience/DoNotSyncBrowserSettings<li>Experience/PreventUsersFromTurningOnBrowserSyncing<li>Kerberos/UPNNameHints<li>Privacy/AllowCrossDeviceClipboard<li>Privacy<li>DisablePrivacyExperience<li>Privacy/UploadUserActivities<li>System/AllowDeviceNameInDiagnosticData<li>System/ConfigureMicrosoft365UploadEndpoint<li>System/DisableDeviceDelete<li>System/DisableDiagnosticDataViewer<li>Storage/RemovableDiskDenyWriteAccess<li>Update/UpdateNotificationLevel<br/><br/>Start/DisableContextMenus - added in Windows 10, version 1803.<br/><br/>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
 
 ## July 2018
 
 |New or updated article|Description|
 |--- |--- |
-|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following note:<p>You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.|
+|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following note:<br/><br/>You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.|
 |[PassportForWork  CSP](passportforwork-csp.md)|Added new settings in Windows 10, version 1809.|
 |[EnterpriseModernAppManagement  CSP](enterprisemodernappmanagement-csp.md)|Added NonRemovable setting under AppManagement node in Windows 10, version 1809.|
 |[Win32CompatibilityAppraiser  CSP](win32compatibilityappraiser-csp.md)|Added new configuration service provider in Windows 10, version 1809.|
@@ -202,7 +202,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
 |[Defender CSP](defender-csp.md)|Added a new node Health/ProductStatus in Windows 10, version 1809.|
 |[BitLocker CSP](bitlocker-csp.md)|Added a new node AllowStandardUserEncryption in Windows 10, version 1809.|
 |[DevDetail CSP](devdetail-csp.md)|Added a new node SMBIOSSerialNumber in Windows 10, version 1809.|
-|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>ApplicationManagement/LaunchAppAfterLogOn<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures <li>Authentication/EnableFastFirstSignIn (Preview mode only)<li>Authentication/EnableWebSignIn (Preview mode only)<li>Authentication/PreferredAadTenantDomainName<li>Defender/CheckForSignaturesBeforeRunningScan<li>Defender/DisableCatchupFullScan <li>Defender/DisableCatchupQuickScan <li>Defender/EnableLowCPUPriority<li>Defender/SignatureUpdateFallbackOrder<li>Defender/SignatureUpdateFileSharesSources<li>DeviceGuard/ConfigureSystemGuardLaunch<li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<li>DeviceInstallation/PreventDeviceMetadataFromNetwork<li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<li>DmaGuard/DeviceEnumerationPolicy<li>Experience/AllowClipboardHistory<li>Security/RecoveryEnvironmentAuthentication<li>TaskManager/AllowEndTask<li>WindowsDefenderSecurityCenter/DisableClearTpmButton<li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<li>WindowsLogon/DontDisplayNetworkSelectionUI<p>Recent changes:<li>DataUsage/SetCost3G - deprecated in Windows 10, version 1809.|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>ApplicationManagement/LaunchAppAfterLogOn<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures <li>Authentication/EnableFastFirstSignIn (Preview mode only)<li>Authentication/EnableWebSignIn (Preview mode only)<li>Authentication/PreferredAadTenantDomainName<li>Defender/CheckForSignaturesBeforeRunningScan<li>Defender/DisableCatchupFullScan <li>Defender/DisableCatchupQuickScan <li>Defender/EnableLowCPUPriority<li>Defender/SignatureUpdateFallbackOrder<li>Defender/SignatureUpdateFileSharesSources<li>DeviceGuard/ConfigureSystemGuardLaunch<li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<li>DeviceInstallation/PreventDeviceMetadataFromNetwork<li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<li>DmaGuard/DeviceEnumerationPolicy<li>Experience/AllowClipboardHistory<li>Security/RecoveryEnvironmentAuthentication<li>TaskManager/AllowEndTask<li>WindowsDefenderSecurityCenter/DisableClearTpmButton<li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<li>WindowsLogon/DontDisplayNetworkSelectionUI<br/><br/>Recent changes:<li>DataUsage/SetCost3G - deprecated in Windows 10, version 1809.|
 
 ## June 2018
 
@@ -211,7 +211,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
 |[Wifi CSP](wifi-csp.md)|Added a new node WifiCost in Windows 10, version 1809.|
 |[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)|Recent changes:<li>Added procedure for collecting logs remotely from Windows 10 Holographic.<li>Added procedure for downloading the MDM Diagnostic Information log.|
 |[BitLocker CSP](bitlocker-csp.md)|Added new node AllowStandardUserEncryption in Windows 10, version 1809.|
-|[Policy CSP](policy-configuration-service-provider.md)|Recent changes:<li>AccountPoliciesAccountLockoutPolicy<li>AccountLockoutDuration - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.<li>System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.<li>Security/RequireDeviceEncryption is supported in the Home SKU.<li>Start/StartLayout - added a table of SKU support information.<li>Start/ImportEdgeAssets - added a table of SKU support information.<p>Added the following new policies in Windows 10, version 1809:<li>Update/EngagedRestartDeadlineForFeatureUpdates<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates<li>Update/SetDisablePauseUXAccess<li>Update/SetDisableUXWUAccess|
+|[Policy CSP](policy-configuration-service-provider.md)|Recent changes:<li>AccountPoliciesAccountLockoutPolicy<li>AccountLockoutDuration - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.<li>System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.<li>Security/RequireDeviceEncryption is supported in the Home SKU.<li>Start/StartLayout - added a table of SKU support information.<li>Start/ImportEdgeAssets - added a table of SKU support information.<br/><br/>Added the following new policies in Windows 10, version 1809:<li>Update/EngagedRestartDeadlineForFeatureUpdates<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates<li>Update/SetDisablePauseUXAccess<li>Update/SetDisableUXWUAccess|
 |[WiredNetwork CSP](wirednetwork-csp.md)|New CSP added in Windows 10, version 1809.|
 
 ## May 2018
@@ -240,7 +240,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
 |[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)|Added the following videos:<li>[How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)<li>[How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)|
 |[AccountManagement CSP](accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.|
 |[RootCATrustedCertificates CSP](rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:<li>UntrustedCertificates|
-|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>ApplicationDefaults/EnableAppUriHandlers<li>ApplicationManagement/MSIAllowUserControlOverInstall<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges<li>Connectivity/AllowPhonePCLinking<li>Notifications/DisallowCloudNotification<li>Notifications/DisallowTileNotification<li>RestrictedGroups/ConfigureGroupMembership<p>The following existing policies were updated:<li>Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.<p>Added a new section:<li>[[Policies in Policy CSP supported by Group Policy](/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>ApplicationDefaults/EnableAppUriHandlers<li>ApplicationManagement/MSIAllowUserControlOverInstall<li>ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges<li>Connectivity/AllowPhonePCLinking<li>Notifications/DisallowCloudNotification<li>Notifications/DisallowTileNotification<li>RestrictedGroups/ConfigureGroupMembership<br/><br/>The following existing policies were updated:<li>Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.<li>InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML<li>TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.<br/><br/>Added a new section:<li>[[Policies in Policy CSP supported by Group Policy](/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.|
 |[Policy CSP - Bluetooth](policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).|
 |[MultiSIM CSP](multisim-csp.md)|Added SyncML examples and updated the settings descriptions.|
 |[RemoteWipe CSP](remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.|
@@ -251,7 +251,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
 |--- |--- |
 |[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Display/DisablePerProcessDpiForApps<li>Display/EnablePerProcessDpi<li>Display/EnablePerProcessDpiForApps<li>Experience/AllowWindowsSpotlightOnSettings<li>TextInput/ForceTouchKeyboardDockedState<li>TextInput/TouchKeyboardDictationButtonAvailability<li>TextInput/TouchKeyboardEmojiButtonAvailability<li>TextInput/TouchKeyboardFullModeAvailability<li>TextInput/TouchKeyboardHandwritingModeAvailability<li>TextInput/TouchKeyboardNarrowModeAvailability<li>TextInput/TouchKeyboardSplitModeAvailability<li>TextInput/TouchKeyboardWideModeAvailability|
 |[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)|Updated the XSD and Plug-in profile example for VPNv2 CSP.|
-|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Status<li>ShellLauncher<li>StatusConfiguration<p>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.|
+|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:<li>Status<li>ShellLauncher<li>StatusConfiguration<br/><br/>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.|
 |[MultiSIM CSP](multisim-csp.md)|Added a new CSP in Windows 10, version 1803.|
 |[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following node in Windows 10, version 1803:<li>MaintainProcessorArchitectureOnUpdate|
 
@@ -259,7 +259,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
 
 |New or updated article|Description|
 |--- |--- |
-|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Browser/AllowConfigurationUpdateForBooksLibrary<li>Browser/AlwaysEnableBooksLibrary<li>Browser/EnableExtendedBooksTelemetry<li>Browser/UseSharedFolderForBooks<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp<li>DeliveryOptimization/DOGroupIdSource<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth<li>DeliveryOptimization/DORestrictPeerSelectionBy<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth<li>KioskBrowser/BlockedUrlExceptions<li>KioskBrowser/BlockedUrls<li>KioskBrowser/DefaultURL<li>KioskBrowser/EnableHomeButton<li>KioskBrowser/EnableNavigationButtons<li>KioskBrowser/RestartOnIdleTime<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode<li>RestrictedGroups/ConfigureGroupMembership<li>Search/AllowCortanaInAAD<li>Search/DoNotUseWebResults<li>Security/ConfigureWindowsPasswords<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode<li>TaskScheduler/EnableXboxGameSaveTask<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode<li>Update/ConfigureFeatureUpdateUninstallPeriod<li>UserRights/AccessCredentialManagerAsTrustedCaller<li>UserRights/AccessFromNetwork<li>UserRights/ActAsPartOfTheOperatingSystem<li>UserRights/AllowLocalLogOn<li>UserRights/BackupFilesAndDirectories<li>UserRights/ChangeSystemTime<li>UserRights/CreateGlobalObjects<li>UserRights/CreatePageFile<li>UserRights/CreatePermanentSharedObjects<li>UserRights/CreateSymbolicLinks<li>UserRights/CreateToken<li>UserRights/DebugPrograms<li>UserRights/DenyAccessFromNetwork<li>UserRights/DenyLocalLogOn<li>UserRights/DenyRemoteDesktopServicesLogOn<li>UserRights/EnableDelegation<li>UserRights/GenerateSecurityAudits<li>UserRights/ImpersonateClient<li>UserRights/IncreaseSchedulingPriority<li>UserRights/LoadUnloadDeviceDrivers<li>UserRights/LockMemory<li>UserRights/ManageAuditingAndSecurityLog<li>UserRights/ManageVolume<li>UserRights/ModifyFirmwareEnvironment<li>UserRights/ModifyObjectLabel<li>UserRights/ProfileSingleProcess<li>UserRights/RemoteShutdown<li>UserRights/RestoreFilesAndDirectories<li>UserRights/TakeOwnership<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery<li>WindowsDefenderSecurityCenter/HideSecureBoot<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting<p>Added the following policies the were added in Windows 10, version 1709<li>DeviceLock/MinimumPasswordAge<li>Settings/AllowOnlineTips<li>System/DisableEnterpriseAuthProxy<li>Security/RequireDeviceEncryption - updated to show it is supported in desktop.|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:<li>Browser/AllowConfigurationUpdateForBooksLibrary<li>Browser/AlwaysEnableBooksLibrary<li>Browser/EnableExtendedBooksTelemetry<li>Browser/UseSharedFolderForBooks<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp<li>DeliveryOptimization/DOGroupIdSource<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth<li>DeliveryOptimization/DORestrictPeerSelectionBy<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth<li>KioskBrowser/BlockedUrlExceptions<li>KioskBrowser/BlockedUrls<li>KioskBrowser/DefaultURL<li>KioskBrowser/EnableHomeButton<li>KioskBrowser/EnableNavigationButtons<li>KioskBrowser/RestartOnIdleTime<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode<li>RestrictedGroups/ConfigureGroupMembership<li>Search/AllowCortanaInAAD<li>Search/DoNotUseWebResults<li>Security/ConfigureWindowsPasswords<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode<li>TaskScheduler/EnableXboxGameSaveTask<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode<li>Update/ConfigureFeatureUpdateUninstallPeriod<li>UserRights/AccessCredentialManagerAsTrustedCaller<li>UserRights/AccessFromNetwork<li>UserRights/ActAsPartOfTheOperatingSystem<li>UserRights/AllowLocalLogOn<li>UserRights/BackupFilesAndDirectories<li>UserRights/ChangeSystemTime<li>UserRights/CreateGlobalObjects<li>UserRights/CreatePageFile<li>UserRights/CreatePermanentSharedObjects<li>UserRights/CreateSymbolicLinks<li>UserRights/CreateToken<li>UserRights/DebugPrograms<li>UserRights/DenyAccessFromNetwork<li>UserRights/DenyLocalLogOn<li>UserRights/DenyRemoteDesktopServicesLogOn<li>UserRights/EnableDelegation<li>UserRights/GenerateSecurityAudits<li>UserRights/ImpersonateClient<li>UserRights/IncreaseSchedulingPriority<li>UserRights/LoadUnloadDeviceDrivers<li>UserRights/LockMemory<li>UserRights/ManageAuditingAndSecurityLog<li>UserRights/ManageVolume<li>UserRights/ModifyFirmwareEnvironment<li>UserRights/ModifyObjectLabel<li>UserRights/ProfileSingleProcess<li>UserRights/RemoteShutdown<li>UserRights/RestoreFilesAndDirectories<li>UserRights/TakeOwnership<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery<li>WindowsDefenderSecurityCenter/HideSecureBoot<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting<br/><br/>Added the following policies the were added in Windows 10, version 1709<li>DeviceLock/MinimumPasswordAge<li>Settings/AllowOnlineTips<li>System/DisableEnterpriseAuthProxy<br/><br/>Security/RequireDeviceEncryption - updated to show it is supported in desktop.|
 |[BitLocker CSP](bitlocker-csp.md)|Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.|
 |[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.|
 |[DMClient CSP](dmclient-csp.md)|Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:<li>AADSendDeviceToken<li>BlockInStatusPage<li>AllowCollectLogsButton<li>CustomErrorText<li>SkipDeviceStatusPage<li>SkipUserStatusPage|
@@ -277,42 +277,37 @@ This article lists new and updated articles for the Mobile Device Management (MD
 
 |New or updated article|Description|
 |--- |--- |
-|[Policy CSP](policy-configuration-service-provider.md)|Added the following policies for Windows 10, version 1709:<li>Authentication/AllowFidoDeviceSignon<li>Cellular/LetAppsAccessCellularData<li>Cellular/LetAppsAccessCellularData_ForceAllowTheseApps<li>Cellular/LetAppsAccessCellularData_ForceDenyTheseApps<li>Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps<li>Start/HidePeopleBar<li>Storage/EnhancedStorageDevices<li>Update/ManagePreviewBuilds<li>WirelessDisplay/AllowMdnsAdvertisement<li>WirelessDisplay/AllowMdnsDiscovery<p>Added missing policies from previous releases:<li>Connectivity/DisallowNetworkConnectivityActiveTest<li>Search/AllowWindowsIndexer|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following policies for Windows 10, version 1709:<li>Authentication/AllowFidoDeviceSignon<li>Cellular/LetAppsAccessCellularData<li>Cellular/LetAppsAccessCellularData_ForceAllowTheseApps<li>Cellular/LetAppsAccessCellularData_ForceDenyTheseApps<li>Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps<li>Start/HidePeopleBar<li>Storage/EnhancedStorageDevices<li>Update/ManagePreviewBuilds<li>WirelessDisplay/AllowMdnsAdvertisement<li>WirelessDisplay/AllowMdnsDiscovery<br/><br/>Added missing policies from previous releases:<li>Connectivity/DisallowNetworkConnectivityActiveTest<li>Search/AllowWindowsIndexer|
 
 ## October 2017
 
-[Policy DDF file](policy-ddf-file.md): Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.
-
-[Policy CSP](policy-configuration-service-provider.md): Updated the following policies:
-
-- Defender/ControlledFolderAccessAllowedApplications - string separator is'|'
-- Defender/ControlledFolderAccessProtectedFolders - string separator is '|'.
-
-[eUICCs CSP](euiccs-csp.md): Added new CSP in Windows 10, version 1709.
-
-[AssignedAccess CSP](assignedaccess-csp.md):Added SyncML examples for the new Configuration node.
-
-[DMClient CSP](dmclient-csp.md): Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
+| New or updated article | Description |
+| --- | --- |
+| [Policy DDF file](policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
+| [Policy CSP](policy-configuration-service-provider.md) | Updated the following policies:<br/><br/>- Defender/ControlledFolderAccessAllowedApplications - string separator is `|`  <br/>- Defender/ControlledFolderAccessProtectedFolders - string separator is `|` |
+| [eUICCs CSP](euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
+| [AssignedAccess CSP](assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. |
+| [DMClient CSP](dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics. |
 
 ## September 2017
 
 |New or updated article|Description|
 |--- |--- |
-|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Authentication/AllowAadPasswordReset<li>Handwriting/PanelDefaultModeDocked<li>Search/AllowCloudSearch<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics<p>Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Authentication/AllowAadPasswordReset<li>Handwriting/PanelDefaultModeDocked<li>Search/AllowCloudSearch<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics<br/><br/>Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.|
 |[AssignedAccess CSP](assignedaccess-csp.md)|Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.|
 |Microsoft Store for Business and Microsoft Store|Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.|
-|The [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)|The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.<li>DomainName - fully qualified domain name if the device is domain-joined.<p>For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.|
+|The [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)|The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:<li>UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.<li>ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.<li>DomainName - fully qualified domain name if the device is domain-joined.<br/><br/>For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.|
 |[EnterpriseAPN CSP](enterpriseapn-csp.md)|Added a SyncML example.|
 |[VPNv2 CSP](vpnv2-csp.md)|Added RegisterDNS setting in Windows 10, version 1709.|
 |[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Added new topic to introduce a new Group Policy for automatic MDM enrollment.|
-|[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)|New features in the Settings app:<li>User sees installation progress of critical policies during MDM enrollment.<li>User knows what policies, profiles, apps MDM has configured<li>IT helpdesk can get detailed MDM diagnostic information using client tools<p>For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)|
+|[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)|New features in the Settings app:<li>User sees installation progress of critical policies during MDM enrollment.<li>User knows what policies, profiles, apps MDM has configured<li>IT helpdesk can get detailed MDM diagnostic information using client tools<br/><br/>For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)|
 
 ## August 2017
 
 |New or updated article|Description|
 |--- |--- |
 |[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)|Added new step-by-step guide to enable ADMX-backed policies.|
-|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:<p>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.|
+|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:<br/><br/>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.|
 |[CM_CellularEntries CSP](cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.|
 |[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following:<li> 0 (default) – Off / No protection (decrypts previously protected data).<li>  1 – Silent mode (encrypt and audit only).<li>  2 – Allow override mode (encrypt, prompt and allow overrides, and audit).<li>  3 – Hides overrides (encrypt, prompt but hide overrides, and audit).|
 |[AppLocker CSP](applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allow list examples](applocker-csp.md#allow-list-examples).|
@@ -321,4 +316,4 @@ This article lists new and updated articles for the Mobile Device Management (MD
 |[BitLocker CSP](bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|
 |[Firewall CSP](firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.<li>Changed some data types from integer to bool.<li>Updated the list of supported operations for some settings.<li>Added default values.|
 |[Policy DDF file](policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:<li>Browser/AllowMicrosoftCompatibilityList<li>Update/DisableDualScan<li>Update/FillEmptyContentUrls|
-|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Browser/ProvisionFavorites<li>Browser/LockdownFavorites<li>ExploitGuard/ExploitProtectionSettings<li>Games/AllowAdvancedGamingServices<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations<li>Privacy/EnableActivityFeed<li>Privacy/PublishUserActivities<li>Update/DisableDualScan<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork<p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.<p>Changed the names of the following policies:<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess<p>Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).<p>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts<li>Start/HideAppList|
\ No newline at end of file
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Browser/ProvisionFavorites<li>Browser/LockdownFavorites<li>ExploitGuard/ExploitProtectionSettings<li>Games/AllowAdvancedGamingServices<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations<li>Privacy/EnableActivityFeed<li>Privacy/PublishUserActivities<li>Update/DisableDualScan<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork<br/><br/>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.<br/><br/>Changed the names of the following policies:<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess<br/><br/>Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).<br/><br/>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts<li>Start/HideAppList|

From 63498fe97171e5b9adbe3a7916b4972bd32d1d6a Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Thu, 9 Dec 2021 15:45:29 -0500
Subject: [PATCH 50/73] Removed mobile

---
 windows/client-management/mdm/policy-csp-update.md | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index c0233afe10..a89fed4218 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1222,7 +1222,6 @@ Enable IT admin to configure feature update uninstall period. Values range 2 - 6
 
 <!--/Scope-->
 <!--Description-->
-Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
 
 Defers Feature Updates for the specified number of days.
 
@@ -1394,8 +1393,6 @@ ADMX Info:
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
->
 > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
 
 
@@ -1929,8 +1926,6 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-> [!NOTE]
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
 
 Allows IT Admins to exclude Windows Update (WU) drivers during updates.
 
@@ -2049,7 +2044,7 @@ The following list shows the supported values:
 To validate this policy:
 
 1.  Enable the policy and ensure the device is on a cellular network.
-2.  Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: 
+2.  Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: 
     ```TShell
        exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
     ```
@@ -2102,7 +2097,7 @@ The following list shows the supported values:
 To validate this policy:
 
 1.  Enable the policy and ensure the device is on a cellular network.
-2.  Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: 
+2.  Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: 
     ```TShell
        exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
     ```
@@ -2244,8 +2239,6 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
 
 Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later.
 
@@ -2554,7 +2547,7 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
 > [!NOTE]
-> This policy is *only* recommended for managing mobile devices. If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. 
+> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. 
 
 
 Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.

From 8e299ab06210608932f41593801f6be10a6c3397 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Thu, 9 Dec 2021 15:48:36 -0500
Subject: [PATCH 51/73] spacing

---
 .../provisioning-packages/provisioning-packages.md              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 6c9e724c17..703606edff 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -126,7 +126,7 @@ WCD supports the following scenarios for IT administrators:
 
 * **Simple provisioning** – Enables IT administrators to define a desired configuration in WCD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. 
 
-[Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md)
+  [Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md)
 
 * **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. 
 

From 410af1de0e7df79e5bb5f423630227ce80813b6f Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Thu, 9 Dec 2021 15:57:19 -0500
Subject: [PATCH 52/73] spacing

---
 windows/configuration/set-up-shared-or-guest-pc.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index d195063ef0..18cc716b31 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -64,8 +64,8 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
 | Setting | Value |
 |:---|:---|
 | EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings) </br></br>Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**.  |
-| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC. <br/>  - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.<br/>  - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.<br/>-   **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
-| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out. <br/>- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed. <br/><br/>Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. <br/>- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold**  |
+| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. <br/><br/>Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC. <br/><br/>  - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.<br/>  - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.<br/>-   **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
+| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out. <br/><br/>- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed. <br/><br/>Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. <br/>- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold**  |
 | AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching.   |
 | AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion.   |
 | AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted.   | 
@@ -376,4 +376,4 @@ Shared PC mode sets local group policies to configure the device. Some of these
 |Interactive logon: Do not display last user name|Enabled, Disabled when account model is only guest|Always|
 |Interactive logon: Sign-in last interactive user automatically after a system-initiated restart|Disabled |Always|
 |Shutdown: Allow system to be shut down without having to log on|Disabled|Always|
-|User Account Control: Behavior of the elevation prompt for standard users|Auto deny|Always|
\ No newline at end of file
+|User Account Control: Behavior of the elevation prompt for standard users|Auto deny|Always|

From 3c0fed215175abdd7eb99633c5fe5d16b3147b40 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Thu, 9 Dec 2021 16:02:11 -0500
Subject: [PATCH 53/73] spacing

---
 windows/deployment/upgrade/windows-10-edition-upgrades.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 3e26eb22d7..4505749b15 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -145,7 +145,9 @@ You can move directly from Enterprise to any valid destination edition. In this
 ### Supported Windows 10 downgrade paths
 
 ✔ = Supported downgrade path
+
 S = Supported; Not considered a downgrade or an upgrade
+
 [blank] = Not supported or not a downgrade
 
 **Destination Edition: (Starting)**
@@ -168,4 +170,4 @@ Some slightly more complex scenarios are not represented by the table above. For
 
 [Windows 10 upgrade paths](./windows-10-upgrade-paths.md)<br>
 [Windows 10 volume license media](../windows-10-media.md)<br>
-[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)
\ No newline at end of file
+[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)

From ead351aae340f981c2efd5bb6b05978d4e0fd24b Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Thu, 9 Dec 2021 16:21:05 -0500
Subject: [PATCH 54/73] note; code languages

---
 windows/deployment/windows-10-poc-mdt.md | 132 +++++++++++++----------
 1 file changed, 73 insertions(+), 59 deletions(-)

diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 485e471769..0ced5d9eb8 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -25,7 +25,8 @@ ms.topic: article
 
 -   Windows 10
 
-**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: 
+> [!IMPORTANT]
+> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: 
 - [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
 
 Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
@@ -36,7 +37,7 @@ The PoC environment is a virtual network running on Hyper-V with three virtual m
 - **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
 - **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
 
->This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
+This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
 
 ## In this guide
 
@@ -65,18 +66,19 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
 
 1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
 
-    ```
+    ```powershell
     $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
     Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
     Stop-Process -Name Explorer
     ```
+
 2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
 
 3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
 
 3. If desired, re-enable IE Enhanced Security Configuration:
 
-    ```
+    ```powershell
     Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
     Stop-Process -Name Explorer
     ```
@@ -87,7 +89,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
 
 1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1.  To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
 
-    ```
+    ```powershell
     Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
     ```
 2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
@@ -122,7 +124,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
     - Progress: wait for files to be copied
     - Confirmation: click **Finish**
 
-    >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
+    For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
 
 11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
     - Task sequence ID: **REFW10X64-001**<BR>
@@ -133,7 +135,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
     - Specify Product Key: **Do not specify a product key at this time**
     - Full Name: **Contoso**
     - Organization: **Contoso**
-    - Internet Explorer home page: **http://www.contoso.com**
+    - Internet Explorer home page: `http://www.contoso.com`
     - Admin Password: **Do not specify an Administrator password at this time**
     - Summary: click **Next**
     - Confirmation: click **Finish**
@@ -151,7 +153,8 @@ A reference image serves as the foundation for Windows 10 devices in your organi
 
 17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
     
-    >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
+    > [!NOTE]
+    > Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
 
 18. Click **OK** to complete editing the task sequence.
 
@@ -159,7 +162,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
 
 20. Replace the default rules with the following text:
 
-    ```
+    ```text
     [Settings]
     Priority=Default
 
@@ -194,7 +197,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
 
 21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
 
-    ```
+    ```text
     [Settings]
     Priority=Default
 
@@ -214,20 +217,18 @@ A reference image serves as the foundation for Windows 10 devices in your organi
 
 25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
 
-    >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
+    > [!TIP]
+    > To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
 
 26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
 
-    <div>
-    <pre>
-
+    ```powershell
     New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
     Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
     Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
     Start-VM REFW10X64-001
     vmconnect localhost REFW10X64-001
-	</pre>
-    </div>
+    ```
     
     The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. 
 
@@ -299,7 +300,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
 
-    ```
+    ```powershell
     copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
     copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
     ``` 
@@ -307,7 +308,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet):
 
-    ```
+    ```text
     [Settings]
     Priority=Default
     
@@ -343,19 +344,21 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
     SkipFinalSummary=NO
     EventService=http://SRV1:9800
     ```
-    **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
+
+    > [!NOTE]
+    > The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
     
-    >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
+    In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
 
     If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
     
-    ```
+    ```cmd
     ScanStateArgs=/ue:*\* /ui:CONTOSO\*
     ```
 
     For example, to migrate **all** users on the computer, replace this line with the following:
 
-    ```
+    ```cmd
     ScanStateArgs=/all
     ```   
 
@@ -363,7 +366,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
 
-    ```
+    ```text
     [Settings]
     Priority=Default
     
@@ -374,6 +377,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
     UserPassword=pass@word1
     SkipBDDWelcome=YES
     ```
+
 5. Click **OK** when finished. 
 
 ### Update the deployment share
@@ -398,7 +402,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
 
-    ```
+    ```powershell
     WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
     WDSUTIL /Set-Server /AnswerClients:All
     ```
@@ -413,11 +417,12 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. 
 
-    >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
+    > [!NOTE]
+    > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
     
     Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
 
-    ```
+    ```powershell
     Disable-NetAdapter "Ethernet 2" -Confirm:$false
     ```
 
@@ -426,28 +431,30 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
 
-    ```
+    ```powershell
     New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
     Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
     ```
 
-    >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
+    Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
 
 3. Start the new VM and connect to it:
 
-    ```
+    ```powershell
     Start-VM PC2
     vmconnect localhost PC2
     ```
+
 4. When prompted, hit ENTER to start the network boot process.
 
 5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
 
 6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
 
-    ```
+    ```powershell
     Enable-NetAdapter "Ethernet 2"
     ```
+
 7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
 8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes.  When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
     
@@ -462,34 +469,36 @@ This section will demonstrate how to export user data from an existing client co
 
 1. If the PC1 VM is not already running, then start and connect to it:
     
-    ```
+    ```powershell
     Start-VM PC1
     vmconnect localhost PC1
     ```
 
 2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios.  Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
 
-    ```
+    ```powershell
     Checkpoint-VM -Name PC1 -SnapshotName BeginState
     ```
 
 3. Sign on to PC1 using the CONTOSO\Administrator account.
 
-    >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
+    Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
 
 4. Open an elevated command prompt on PC1 and type the following:
 
-    ```
+    ```cmd
     cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
     ```
 
-    **Note**: For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools).
+    > [!NOTE]
+    > For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools).
 
 5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
 
 6. Choose **Do not back up the existing computer** and click **Next**.
 
-    **Note**: The USMT will still back up the computer.
+    > [!NOTE]
+    > The USMT will still back up the computer.
 
 7. Lite Touch Installation will perform the following actions:
    - Back up user settings and data using USMT.
@@ -503,13 +512,13 @@ This section will demonstrate how to export user data from an existing client co
 
 9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
 
-    ```
+    ```powershell
     Checkpoint-VM -Name PC1 -SnapshotName RefreshState
     ```
 
 10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
 
-    ```
+    ```powershell
     Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
     Start-VM PC1
     vmconnect localhost PC1
@@ -529,11 +538,12 @@ At a high level, the computer replace process consists of:<BR>
 2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share.
 3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
 
-    ```
+    ```powershell
     New-Item -Path C:\MigData -ItemType directory
     New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
     icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
     ```
+
 4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**.
 5. Name the new folder **Other**, and complete the wizard using default options.
 6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard:
@@ -548,21 +558,22 @@ At a high level, the computer replace process consists of:<BR>
 
 1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
 
-    ```
+    ```cmd
     whoami
     ```
 2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1:
 
-    ```
+    ```powershell
     Remove-Item c:\minint -recurse
     Remove-Item c:\_SMSTaskSequence -recurse
     Restart-Computer
     ```
 3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt:
 
-    ```
+    ```cmd
     cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
     ```
+
 4. Complete the deployment wizard using the following:
     - **Task Sequence**: Backup Only Task Sequence
     - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
@@ -571,7 +582,7 @@ At a high level, the computer replace process consists of:<BR>
 6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
 7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
 
-    ```
+    ```powershell
     PS C:\> dir C:\MigData\PC1\USMT
 
         Directory: C:\MigData\PC1\USMT
@@ -580,49 +591,52 @@ At a high level, the computer replace process consists of:<BR>
     ----                -------------     ------ ----
     -a---          9/6/2016  11:34 AM   14248685 USMT.MIG
     ```
-   ### Deploy PC3 
 
-8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
+### Deploy PC3 
 
-    ```
+1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
+
+    ```powershell
     New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
     Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
     ```
-9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
 
-    ```
+2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+    ```powershell
     Disable-NetAdapter "Ethernet 2" -Confirm:$false
     ```
 
-    >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
+    As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
 
 
-10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
-     ```
+     ```powershell
      Start-VM PC3
      vmconnect localhost PC3
      ```
 
-11. When prompted, press ENTER for network boot.
+4. When prompted, press ENTER for network boot.
 
-12. On PC3, use the following settings for the Windows Deployment Wizard:
+5. On PC3, use the following settings for the Windows Deployment Wizard:
      - **Task Sequence**: Windows 10 Enterprise x64 Custom Image
      - **Move Data and Settings**: Do not move user data and settings
      - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1**
 
-13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
+6. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
 
-     ```
+     ```cmd
      Enable-NetAdapter "Ethernet 2"
      ```
-14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
 
-15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
+7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
 
-16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
+8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
 
-17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure.
+9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
+
+10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure.
 
 ## Troubleshooting logs, events, and utilities
 

From 96e857843e0a0345c71a82f8b0f9f8a0fefe50be Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Thu, 9 Dec 2021 16:48:08 -0500
Subject: [PATCH 55/73] notes; code tags

---
 windows/deployment/windows-10-poc.md | 331 +++++++++++++++------------
 1 file changed, 186 insertions(+), 145 deletions(-)

diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 880fc20b4b..a7f768ed10 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -85,7 +85,7 @@ Hardware requirements are displayed below:
 |**Description**|This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.|This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.|
 |**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016*|Windows 7 or a later|
 |**Edition**|Enterprise, Professional, or Education|Any|
-|**Architecture**|64-bit|Any <p> *Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.*|
+|**Architecture**|64-bit|Any <br/><br/> *Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.*|
 |**RAM**|8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.<br>16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any|
 |**Disk**|200 GB available hard disk space, any format.|Any size, MBR formatted.|
 |**CPU**|SLAT-Capable CPU|Any|
@@ -113,7 +113,8 @@ The lab architecture is summarized in the following diagram:
 
 ## Configure the PoC environment
 
->**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**.
+> [!TIP]
+> Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**.
 
 ### Procedures in this section
 
@@ -130,7 +131,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
 
 1. To verify your computer supports SLAT, open an administrator command prompt,  type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
 
-    <pre>
+    ```cmd
     C:\>systeminfo
 
     ...
@@ -138,7 +139,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
                                Virtualization Enabled In Firmware: Yes
                                Second Level Address Translation: Yes
                                Data Execution Prevention Available: Yes
-    </pre>
+    ```
 
     In this example, the computer supports SLAT and Hyper-V.
 
@@ -146,7 +147,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
 
     You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
 
-    <pre>
+    ```cmd
     C:\>coreinfo -v
 
     Coreinfo v3.31 - Dump information on system CPU and memory topology
@@ -159,27 +160,32 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
     HYPERVISOR      -       Hypervisor is present
     VMX             *       Supports Intel hardware-assisted virtualization
     EPT             *       Supports Intel extended page tables (SLAT)
-    </pre>
+    ```
 
-    Note: A 64-bit operating system is required to run Hyper-V.
+    > [!NOTE]
+    > A 64-bit operating system is required to run Hyper-V.
 
 2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
 
-    <pre>Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All</pre>
+    ```cmd
+    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
+    ```
 
     This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
 
-    <pre>Install-WindowsFeature -Name Hyper-V -IncludeManagementTools</pre>
+    ```cmd
+    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+    ```
 
     When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
 
-    >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+    Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
 
     ![hyper-v features.](images/hyper-v-feature.png)
 
     ![hyper-v.](images/svr_mgr2.png)
 
-    <P>If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under <strong>Role Administration Tools\Hyper-V Management Tools</strong>.
+    If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under <strong>Role Administration Tools\Hyper-V Management Tools</strong>.
 
 ### Download VHD and ISO files
 
@@ -187,7 +193,8 @@ When you have completed installation of Hyper-V on the host computer, begin conf
 
 1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
 
-     **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
+    > [!IMPORTANT]
+    > This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
 
      After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
 
@@ -197,7 +204,10 @@ When you have completed installation of Hyper-V on the host computer, begin conf
 3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
 4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
 
-     >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
+    During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired.
+
+    > [!NOTE]
+    > The evaluation version of Windows 10 does not support in-place upgrade**.
 
 5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
 
@@ -205,7 +215,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
 
      The following displays the procedures described in this section, both before and after downloading files:
 
-     <pre>
+    ```cmd
      C:>mkdir VHD
      C:>cd VHD
      C:\VHD&gt;ren 9600*.vhd 2012R2-poc-1.vhd
@@ -216,11 +226,12 @@ When you have completed installation of Hyper-V on the host computer, begin conf
      2012R2-poc-1.vhd
      2012R2-poc-2.vhd
      w10-enterprise.iso
-     </pre>
+    ```
 
 ### Convert PC to VM
 
->Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
+> [!IMPORTANT]
+> Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
 
 If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
 
@@ -237,7 +248,8 @@ If you have a PC available to convert to VM (computer 2):
 
 1. Sign in on computer 2 using an account with Administrator privileges.
 
->Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network.
+    > [!IMPORTANT]
+    > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network.
 
 2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
 3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
@@ -256,24 +268,24 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to
 - To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
 - To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
 
-<pre>
-Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-</pre>
+  ```powershell
+  Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+  ```
 
 If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
 
-<pre>
+```powershell
 PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
 
 SystemName                           Caption                                 Type
 ----------                           -------                                 ----
 USER-PC1                             Disk #0, Partition #0                   GPT: System
 USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
-</pre>
+```
 
 On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
 
-<pre>
+```powershell
 PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
 
 SystemName                            Caption                               Type
@@ -289,7 +301,7 @@ PS C:> Get-Disk
 Number Friendly Name                  OperationalStatus                     Total Size Partition Style
 ------ -------------                  -----------------                     ---------- ---------------
 0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
-</pre>
+```
 
 <span id="determine-vm-generation"/>
 
@@ -339,7 +351,11 @@ The following tables display the Hyper-V VM generation to choose based on the OS
     >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
 
 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
+3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. 
+
+    > [!IMPORTANT]
+    > You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
+
 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
 
     ![disk2vhd 1.](images/disk2vhd.png)
@@ -348,13 +364,13 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
 
-    <pre>
+    ```cmd
     C:\vhd>dir /B
     2012R2-poc-1.vhd
     2012R2-poc-2.vhd
     w10-enterprise.iso
     w7.VHDX
-    </pre>
+    ```
 
 #### Prepare a generation 2 VM
 
@@ -364,14 +380,17 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 2. On the computer you wish to convert, open an elevated command prompt and type the following command:
 
-    <pre>mountvol s: /s</pre>
+    ```cmd
+    mountvol s: /s
+    ```
 
     This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
 
 3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
 4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected.
 
-    **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
+    > [!IMPORTANT]
+    > You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
 
 5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
 
@@ -381,22 +400,26 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
 
-    <pre>
+    ```cmd
     C:\vhd>dir /B
     2012R2-poc-1.vhd
     2012R2-poc-2.vhd
     w10-enterprise.iso
     PC1.VHDX
-    </pre>
+    ```
 
 #### Prepare a generation 1 VM from a GPT disk
 
 1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
 
-    >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+    You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
 
 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
+3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. 
+
+    > [!NOTE]
+    > The system volume is not copied in this scenario, it will be added later.
+
 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
 
     ![disk2vhd 3.](images/disk2vhd4.png)
@@ -405,28 +428,31 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
 
-    <pre>
+    ```cmd
     C:\vhd>dir /B
     2012R2-poc-1.vhd
     2012R2-poc-2.vhd
     w10-enterprise.iso
     w7.VHD
-    </pre>
+    ```
 
-    >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
+    In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
 
 ### Resize VHD
 
 <HR size="4">
 <strong><I>Enhanced session mode</I></strong>
 
-**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste <U>files</U> directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+> [!IMPORTANT]
+> Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste <U>files</U> directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
 
 To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
 
-<pre>Set-VMhost -EnableEnhancedSessionMode $TRUE</pre>
+```powershell
+Set-VMhost -EnableEnhancedSessionMode $TRUE
+```
 
->If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
+If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
 
 <HR size="4">
 
@@ -434,58 +460,66 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
 1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
-    <pre>
+    ```powershell
     Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
     $x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
     Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
-    </pre>
+    ```
 
 2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive:
 
-    <pre>
+    ```powershell
     Get-Volume -DriveLetter $x
-    Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd</pre>
+    Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd
+    ```
 
 ### Configure Hyper-V
 
 1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
 
-    >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:<BR>
-    &nbsp;&nbsp;&nbsp;A) Remove the existing external virtual switch, then add the poc-external switch<BR>
-    &nbsp;&nbsp;&nbsp;B) Rename the existing external switch to "poc-external"<BR>
-    &nbsp;&nbsp;&nbsp;C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch<BR>
+    If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
+
+    **A**: Remove the existing external virtual switch, then add the poc-external switch
+
+    **B**: Rename the existing external switch to "poc-external"
+
+    **C**: Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch<BR>
+
     If you choose B) or C), then do not run the second command below.
 
-    <pre>
+    ```powershell
     New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
     New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
-    </pre>
+    ```
 
-    **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host.
+    > [!NOTE]
+    > The second command above will temporarily interrupt network connectivity on the Hyper-V host.
 
-    >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
+    Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
 
 2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
 
-    <pre>
+    ```powershell
     (Get-VMHostNumaNode).MemoryAvailable
-    </pre>
+    ```
 
     This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory.
 
 3. Determine the available memory for VMs by dividing the available RAM by 4.  For example:
 
-    <pre>
+    ```powershell
     (Get-VMHostNumaNode).MemoryAvailable/4
     2775.5
-    </pre>
+    ```
 
     In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously.
 
 4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
-    >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
 
-    <pre>
+    > [!IMPORTANT]
+    > Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
+
+    ```powershell
     $maxRAM = 2700MB
     New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
     Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
@@ -494,35 +528,37 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
     Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
     Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
-    </pre>
+    ```
 
-    **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
+    > [!NOTE]
+    > The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
 
 5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
 
     To create a generation 1 VM (using c:\vhd\w7.vhdx):
 
-    <pre>
+    ```powershell
     New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
     Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
     Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-    </pre>
+    ```
 
     To create a generation 2 VM (using c:\vhd\PC1.vhdx):
 
-    <pre>
+    ```powershell
     New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
     Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
     Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
-    </pre>
+    ```
 
     To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd):
 
-    >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
+    > [!NOTE]
+    > The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
 
     First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
 
-    <pre>
+    ```powershell
     New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
     Mount-VHD -Passthru |
     Get-Disk -Number {$_.DiskNumber} |
@@ -530,11 +566,11 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     New-Partition -UseMaximumSize |
     Format-Volume -Confirm:$false -FileSystem NTFS -force
     Dismount-VHD -Path c:\vhd\d.vhd
-    </pre>
+    ```
 
     Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt):
 
-    <pre>
+    ```powershell
     New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
     Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
     Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
@@ -542,7 +578,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
     Start-VM PC1
     vmconnect localhost PC1
-    </pre>
+    ```
 
     The VM will automatically boot into Windows Setup. In the PC1 window:
 
@@ -552,13 +588,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
    4. Click **Command Prompt**.
    5. Type the following command to save an image of the OS drive:
 
-      <pre>
+      ```cmd
       dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
-      </pre>
+      ```
 
    6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
 
-      <pre>
+      ```cmd
       diskpart
       select disk 0
       clean
@@ -570,121 +606,122 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
       format fs=ntfs quick label=OS
       assign letter=c
       exit
-      </pre>
+      ```
 
    7. Type the following commands to restore the OS image and boot files:
 
-      <pre>
+      ```cmd
       dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
       bcdboot c:\windows
       exit
-      </pre>
+      ```
 
    8. Click **Continue** and verify the VM boots successfully (do not boot from DVD).
    9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
    10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
 
-       <pre>
-       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
-       Set-VMDvdDrive -VMName PC1 -Path $null
-       </pre>
+        ```powershell
+        Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
+        Set-VMDvdDrive -VMName PC1 -Path $null
+        ```
 
 ### Configure VMs
 
 1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
 
-    <pre>
+    ```powershell
     Start-VM DC1
     vmconnect localhost DC1
-    </pre>
+    ```
 
 2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of <strong>pass@word1</strong>, and click **Finish**.
 3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
 4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
 5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
 
-    <pre>
+    ```powershell
     Rename-Computer DC1
     New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
     Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
-    </pre>
+    ```
 
-   > The default gateway at 192.168.0.2 will be configured later in this guide.
-   > 
-   > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
+    The default gateway at 192.168.0.2 will be configured later in this guide.
+
+    > [!NOTE]
+    > A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
 
 6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
 
-    <pre>
+    ```powershell
     Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
-    </pre>
+    ```
 
 7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
 
-    <pre>
+    ```powershell
     Restart-Computer
-    </pre>
+    ```
 
 8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
 
-    <pre>
+    ```powershell
     $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
     Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
-    </pre>
+    ```
 
     Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
 
 9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
 
-    <pre>
+    ```powershell
     Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
     Add-WindowsFeature -Name DHCP -IncludeManagementTools
     netsh dhcp add securitygroups
     Restart-Service DHCPServer
     Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
     Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
-    </pre>
+    ```
 
 10. Next, add a DHCP scope and set option values:
 
-    <pre>
+    ```powershell
     Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
     Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
-    </pre>
+    ```
 
     >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
 
 11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
 
-    <pre>
+    ```powershell
     Get-DnsServerForwarder
-    </pre>
+    ```
 
     The following output should be displayed:
 
-    <pre>
+    ```powershell
     UseRootHint        : True
     Timeout(s)         : 3
     EnableReordering   : True
     IPAddress          : 192.168.0.2
     ReorderedIPAddress : 192.168.0.2
-    </pre>
+    ```
 
     If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
 
-    <pre>
+    ```powershell
     Add-DnsServerForwarder -IPAddress 192.168.0.2
-    </pre>
+    ```
 
     **Configure service and user accounts**
 
     Windows 10 deployment with MDT and Microsoft Endpoint Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
 
-    >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+    To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
 
     On DC1, open an elevated Windows PowerShell prompt and type the following commands:
 
-    <pre>
+    ```powershell
     New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
     New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
     New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
@@ -695,7 +732,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
     Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
     Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
-    </pre>
+    ```
 
 12. Minimize the DC1 VM window but **do not stop** the VM.
 
@@ -703,10 +740,10 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
 13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
 
-    <pre>
+    ```powershell
     Start-VM PC1
     vmconnect localhost PC1
-    </pre>
+    ```
 
 14. Sign in to PC1 using an account that has local administrator rights.
 
@@ -724,7 +761,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
     To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
 
-    ```
+    ```cmd
     ipconfig
 
     Windows IP Configuration
@@ -759,14 +796,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
 18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
 
-    <pre>
+    ```powershell
     (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
     $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
     $user = "contoso\administrator"
     $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
     Add-Computer -DomainName contoso.com -Credential $cred
     Restart-Computer
-    </pre>
+    ```
 
     >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
 
@@ -777,10 +814,10 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
 
-    <pre>
+    ```powershell
     Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
     Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
-    </pre>
+    ```
 
     >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
 
@@ -788,66 +825,69 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
 21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
 
-    <pre>
+    ```powershell
     Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
-    </pre>
+    ```
 
     >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
 
 22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
-    >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
+
+    > [!IMPORTANT]
+    > The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
+
 23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
 24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
 
-    <pre>
+    ```powershell
     Start-VM SRV1
     vmconnect localhost SRV1
-    </pre>
+    ```
 
 25. Accept the default settings, read license terms and accept them, provide an administrator password of <strong>pass@word1</strong>, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
 26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
 27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
 
-    <pre>
+    ```powershell
     Rename-Computer SRV1
     New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
     Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
     Restart-Computer
-    </pre>
+    ```
 
-    >[!IMPORTANT]
-    >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet."  If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name.
+    > [!IMPORTANT]
+    > Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet."  If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name.
 
 28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt:
 
-    <pre>
+    ```powershell
     $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
     $user = "contoso\administrator"
     $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
     Add-Computer -DomainName contoso.com -Credential $cred
     Restart-Computer
-    </pre>
+    ```
 
 29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
 
-    <pre>
+    ```powershell
     Install-WindowsFeature -Name DNS -IncludeManagementTools
     Install-WindowsFeature -Name WDS -IncludeManagementTools
     Install-WindowsFeature -Name Routing -IncludeManagementTools
-    </pre>
+    ```
 
 30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
 
     To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
 
-    <pre>
+    ```powershell
     Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
 
     IPAddress                                                                  InterfaceAlias
     ---------                                                                  --------------
     10.137.130.118                                                             Ethernet 2
     192.168.0.2                                                                Ethernet
-    </pre>
+    ```
 
     In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings.
 
@@ -857,37 +897,38 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
 31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
 
-    <pre>
+    ```powershell
     Install-RemoteAccess -VpnType Vpn
     cmd /c netsh routing ip nat install
     cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
     cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
     cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
-    </pre>
+    ```
 
 32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
 
-    <pre>
+    ```powershell
     Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
-    </pre>
+    ```
 
 33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
 
-    <pre>
+    ```powershell
     ping www.microsoft.com
-    </pre>
+    ```
 
     If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
 
-    **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
+    > [!NOTE]
+    > This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
 
-    <pre>
+    ```powershell
     Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
-    </pre>
+    ```
 
 34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
 
-    <pre>
+    ```powershell
     PS C:\> ping www.microsoft.com
 
     Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
@@ -900,15 +941,15 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
         Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
     Approximate round trip times in milli-seconds:
         Minimum = 1ms, Maximum = 3ms, Average = 2ms
-    </pre>
+    ```
 
 35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
 36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days.  To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
 
-    <pre>
+    ```powershell
     runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
     Restart-Computer
-    </pre>
+    ```
 
 This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
 
@@ -918,7 +959,7 @@ Use the following procedures to verify that the PoC environment is configured pr
 
 1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
 
-    <pre>
+    ```powershell
     Get-Service NTDS,DNS,DHCP
     DCDiag -a
     Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
@@ -927,7 +968,7 @@ Use the following procedures to verify that the PoC environment is configured pr
     Get-DhcpServerInDC
     Get-DhcpServerv4Statistics
     ipconfig /all
-    </pre>
+    ```
 
     **Get-Service** displays a status of "Running" for all three services.<BR>
     **DCDiag** displays "passed test" for all tests.<BR>
@@ -940,13 +981,13 @@ Use the following procedures to verify that the PoC environment is configured pr
 
 2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
 
-    <pre>
+    ```powershell
     Get-Service DNS,RemoteAccess
     Get-DnsServerForwarder
     Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
     ipconfig /all
     netsh int ipv4 show address
-    </pre>
+    ```
 
     **Get-Service** displays a status of "Running" for both services.<BR>
     **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.<BR>
@@ -956,13 +997,13 @@ Use the following procedures to verify that the PoC environment is configured pr
 
 3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
 
-    <pre>
+    ```powershell
     whoami
     hostname
     nslookup www.microsoft.com
     ping -n 1 dc1.contoso.com
     tracert www.microsoft.com
-    </pre>
+    ```
 
     **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.<BR>
     **hostname** displays the name of the local computer, for example W7PC-001.<BR>

From 0b7c4c27621026fc2877136415f85f62b9adbca4 Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Thu, 9 Dec 2021 15:17:27 -0800
Subject: [PATCH 56/73] Standardize vertical spacing

---
 windows/deployment/windows-10-deployment-scenarios.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index d7f6145692..d283c2d8f3 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -28,9 +28,12 @@ To successfully deploy the Windows 10 operating system in your organization, it
 The following tables summarize various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
 
 - Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
+
    > [!NOTE]
-   >Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
+   > Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
+
 - Dynamic deployment methods enable you to configure applications and settings for specific use cases. 
+
 - Traditional deployment methods use existing tools to deploy operating system images.<br>&nbsp;
 
 ### Modern
@@ -91,8 +94,11 @@ Scenarios that support in-place upgrade with some additional procedures include
 There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
 
 -   Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
+
 -   Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
+
 -   Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
+
 -   Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.
 
 

From 67259fe63dccd354b364e6d304cc9acb3db8c2b3 Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Thu, 9 Dec 2021 15:32:08 -0800
Subject: [PATCH 57/73] Applied correct & valid labels to code blocks

The current list of valid slugs for code blocks is available here: https://review.docs.microsoft.com/en-us/help/contribute/metadata-taxonomies?branch=main#dev-lang
---
 windows/deployment/windows-10-poc-mdt.md | 12 ++++++------
 windows/deployment/windows-10-poc.md     | 22 +++++++++++-----------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 0ced5d9eb8..6cc78efe42 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -352,13 +352,13 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
     If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
     
-    ```cmd
+    ```console
     ScanStateArgs=/ue:*\* /ui:CONTOSO\*
     ```
 
     For example, to migrate **all** users on the computer, replace this line with the following:
 
-    ```cmd
+    ```console
     ScanStateArgs=/all
     ```   
 
@@ -486,7 +486,7 @@ This section will demonstrate how to export user data from an existing client co
 
 4. Open an elevated command prompt on PC1 and type the following:
 
-    ```cmd
+    ```console
     cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
     ```
 
@@ -558,7 +558,7 @@ At a high level, the computer replace process consists of:<BR>
 
 1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
 
-    ```cmd
+    ```console
     whoami
     ```
 2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1:
@@ -570,7 +570,7 @@ At a high level, the computer replace process consists of:<BR>
     ```
 3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt:
 
-    ```cmd
+    ```console
     cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
     ```
 
@@ -626,7 +626,7 @@ At a high level, the computer replace process consists of:<BR>
 
 6. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
 
-     ```cmd
+     ```powershell
      Enable-NetAdapter "Ethernet 2"
      ```
 
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index a7f768ed10..35e475c426 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -131,7 +131,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
 
 1. To verify your computer supports SLAT, open an administrator command prompt,  type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
 
-    ```cmd
+    ```console
     C:\>systeminfo
 
     ...
@@ -147,7 +147,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
 
     You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
 
-    ```cmd
+    ```console
     C:\>coreinfo -v
 
     Coreinfo v3.31 - Dump information on system CPU and memory topology
@@ -167,13 +167,13 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
 
 2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
 
-    ```cmd
+    ```powershell
     Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
     ```
 
     This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
 
-    ```cmd
+    ```powershell
     Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
     ```
 
@@ -215,7 +215,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
 
      The following displays the procedures described in this section, both before and after downloading files:
 
-    ```cmd
+    ```console
      C:>mkdir VHD
      C:>cd VHD
      C:\VHD&gt;ren 9600*.vhd 2012R2-poc-1.vhd
@@ -380,7 +380,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 2. On the computer you wish to convert, open an elevated command prompt and type the following command:
 
-    ```cmd
+    ```console
     mountvol s: /s
     ```
 
@@ -400,7 +400,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
 
-    ```cmd
+    ```console
     C:\vhd>dir /B
     2012R2-poc-1.vhd
     2012R2-poc-2.vhd
@@ -588,13 +588,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
    4. Click **Command Prompt**.
    5. Type the following command to save an image of the OS drive:
 
-      ```cmd
+      ```console
       dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
       ```
 
    6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
 
-      ```cmd
+      ```console
       diskpart
       select disk 0
       clean
@@ -610,7 +610,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
    7. Type the following commands to restore the OS image and boot files:
 
-      ```cmd
+      ```console
       dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
       bcdboot c:\windows
       exit
@@ -761,7 +761,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
     To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
 
-    ```cmd
+    ```console
     ipconfig
 
     Windows IP Configuration

From 551574a31438821e88c85ae904cf9e9aae2e7439 Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Thu, 9 Dec 2021 15:45:41 -0800
Subject: [PATCH 58/73] Remove unnecessary BR tags

---
 windows/deployment/windows-10-poc.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 35e475c426..b7dad82263 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -92,8 +92,8 @@ Hardware requirements are displayed below:
 |**Network**|Internet connection|Any|
 
 <B>\*</B><I>The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.</I>
-<BR>
-<BR>The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
+
+The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
 
 </div>
 

From 3a5191f031babe243aa1c3565f2474be781f2ad5 Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Thu, 9 Dec 2021 16:00:46 -0800
Subject: [PATCH 59/73] Convert the many paragraphs with angle brackets to
 notes, tips, or regular paragraphs

Also, a few other corrections for readability and proper Markdown.
---
 windows/deployment/windows-10-poc.md | 91 ++++++++++++++++++----------
 1 file changed, 60 insertions(+), 31 deletions(-)

diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index b7dad82263..0bcd6de74e 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -39,6 +39,7 @@ Approximately 3 hours are required to configure the PoC environment. You will ne
 
 Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment.
 
+> [!TIP]
 > Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands.
 > 
 > A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell.
@@ -53,6 +54,8 @@ After completing the instructions in this guide, you will have a PoC environment
 
 Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
 
+<br/>
+
 |Topic|Description|Time|
 |--- |--- |--- |
 |[Hardware and software requirements](#hardware-and-software-requirements)|Prerequisites to complete this guide.|Informational|
@@ -77,7 +80,7 @@ One computer that meets the hardware and software specifications below is requir
 
 Hardware requirements are displayed below:
 
-<div>
+<br/>
 
 ||Computer 1 (required)|Computer 2 (recommended)|
 |--- |--- |--- |
@@ -95,7 +98,7 @@ Hardware requirements are displayed below:
 
 The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
 
-</div>
+
 
 ## Lab setup
 
@@ -107,7 +110,8 @@ The lab architecture is summarized in the following diagram:
     - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
     - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
 
->If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide.
+> [!NOTE]
+> If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide.
 
 <I>The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts.</I>
 
@@ -340,7 +344,9 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 > [!NOTE]
 >
 >- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
+> 
 >- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the <strong>mountvol</strong> command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm).
+> 
 >- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm).
 
 
@@ -348,9 +354,11 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
 
-    >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+   > [!TIP]
+   > You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
 
 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+
 3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. 
 
     > [!IMPORTANT]
@@ -360,7 +368,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
     ![disk2vhd 1.](images/disk2vhd.png)
 
-    >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+    Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better, however, when the VHD is saved on a disk different than those being converted, such as a flash drive.
 
 5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
 
@@ -376,7 +384,8 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
 
-    >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
+    > [!TIP]
+    > You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
 
 2. On the computer you wish to convert, open an elevated command prompt and type the following command:
 
@@ -396,7 +405,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
     ![disk2vhd 2.](images/disk2vhd-gen2.png)
 
-    >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+    Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
 
 6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
 
@@ -424,7 +433,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
     ![disk2vhd 3.](images/disk2vhd4.png)
 
-    >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
+    Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
 
 5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
 
@@ -440,7 +449,6 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 ### Resize VHD
 
-<HR size="4">
 <strong><I>Enhanced session mode</I></strong>
 
 > [!IMPORTANT]
@@ -689,7 +697,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
     ```
 
-    >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
+    The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
 
 11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
 
@@ -747,13 +755,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
 14. Sign in to PC1 using an account that has local administrator rights.
 
-    >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
+    PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
 
 15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
 
     ![PoC 1.](images/installing-drivers.png)
 
-    >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
+    If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
 
 16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**.
 
@@ -792,7 +800,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
             Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000
     ```
 
-    >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
+    > [!NOTE]
+	> If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
 
 18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
 
@@ -805,13 +814,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Restart-Computer
     ```
 
-    >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
+    If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**.
 
     See the following example:
 
     ![ISE 1.](images/ISE.png)
 
 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
+
 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
 
     ```powershell
@@ -819,7 +829,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
     ```
 
-    >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
+    > [!NOTE]
+	> In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
 
     If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
 
@@ -829,7 +840,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
     ```
 
-    >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
+    The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
 
 22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
 
@@ -837,6 +848,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     > The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
 
 23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
+
 24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
 
     ```powershell
@@ -845,7 +857,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
     ```
 
 25. Accept the default settings, read license terms and accept them, provide an administrator password of <strong>pass@word1</strong>, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**.
+
 26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
+
 27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
 
     ```powershell
@@ -970,13 +984,20 @@ Use the following procedures to verify that the PoC environment is configured pr
     ipconfig /all
     ```
 
-    **Get-Service** displays a status of "Running" for all three services.<BR>
-    **DCDiag** displays "passed test" for all tests.<BR>
-    **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.<BR>
-    **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.<BR>
-    **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.<BR>
-    **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.<BR>
-    **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).<BR>
+    **Get-Service** displays a status of "Running" for all three services.
+	
+    **DCDiag** displays "passed test" for all tests.
+	
+    **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
+	
+    **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
+	
+    **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
+
+    **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.
+	
+    **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
+	
     **ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
 
 2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
@@ -989,10 +1010,14 @@ Use the following procedures to verify that the PoC environment is configured pr
     netsh int ipv4 show address
     ```
 
-    **Get-Service** displays a status of "Running" for both services.<BR>
-    **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.<BR>
-    **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.<BR>
-    **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.<BR>
+    **Get-Service** displays a status of "Running" for both services.
+
+    **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
+
+    **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
+
+    **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
+
     **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
 
 3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
@@ -1005,10 +1030,14 @@ Use the following procedures to verify that the PoC environment is configured pr
     tracert www.microsoft.com
     ```
 
-    **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.<BR>
-    **hostname** displays the name of the local computer, for example W7PC-001.<BR>
-    **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.<BR>
-    **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.<BR>
+    **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
+
+    **hostname** displays the name of the local computer, for example W7PC-001.
+
+    **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
+
+    **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
+
     **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
 
 

From 0407a31059daa4dda19a5c6cf23f6b990b580fa1 Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Thu, 9 Dec 2021 16:18:58 -0800
Subject: [PATCH 60/73] Add image border; add lightbox to large image

---
 windows/deployment/windows-10-poc.md | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 0bcd6de74e..fe437a325e 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -200,18 +200,20 @@ When you have completed installation of Hyper-V on the host computer, begin conf
     > [!IMPORTANT]
     > This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
 
-     After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
+    After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
 
-     ![VHD](images/download_vhd.png)
+    :::image type="content" alt-text="VHD" source="images/download_vhd.png":::
 
 2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
+
 3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
+
 4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
 
-    During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired.
+   During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired.
 
-    > [!NOTE]
-    > The evaluation version of Windows 10 does not support in-place upgrade**.
+   > [!NOTE]
+   > The evaluation version of Windows 10 does not support in-place upgrade**.
 
 5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO.
 
@@ -818,7 +820,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
     See the following example:
 
-    ![ISE 1.](images/ISE.png)
+    :::image type="content" alt-text="ISE 1." source="images/ISE.png" lightbox="images/ISE.png":::
 
 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
 

From 01232537854d3ca68205abf262b1282694dc6600 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 10 Dec 2021 10:52:53 +0530
Subject: [PATCH 61/73] Update
 windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md

Accepted

Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
 .../hello-for-business/hello-manage-in-organization.md          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index f7d07b7d3c..d6d92affa4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -59,7 +59,7 @@ The following table lists the Group Policy settings that you can configure for W
 |Minimum PIN length|Computer|<p><b>Not configured</b>: PIN length must be greater  than or equal to 4.<p><b>Enabled</b>: PIN length must be greater than or equal to the number you specify.<p><b>Disabled</b>: PIN length must be greater  than or equal to 4.|
 |Expiration|Computer|<p><b>Not configured</b>: PIN does not expire.<p><b>Enabled</b>: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.<p><b>Disabled</b>: PIN does not expire.|
 |History|Computer|<p><b>Not configured</b>: Previous PINs are not stored.<p><b>Enabled</b>: Specify the number of previous PINs that can be associated to a user account that can&#39;t be reused.<p><b>Disabled</b>: Previous PINs are not stored.<div class="alert"><b>Note</b>  Current PIN is included in PIN history.</div>|
-|Require special characters|Computer|<p><b>Not configured</b>: Windows allows, but does not require, special characters in the PIN<p><b>Enabled</b>: Windows requires the user to include at least one special character in their PIN.<p><b>Disabled</b>: Windows does not allow the user to include special characters in their PIN.|
+|Require special characters|Computer|<p><b>Not configured</b>: Windows allows, but does not require, special characters in the PIN.<p><b>Enabled</b>: Windows requires the user to include at least one special character in their PIN.<p><b>Disabled</b>: Windows does not allow the user to include special characters in their PIN.|
 |Require uppercase letters|Computer|<p><b>Not configured</b>: Users cannot include an uppercase letter in their PIN.<p><b>Enabled</b>: Users must include at least one uppercase letter in their PIN.<p><b>Disabled</b>: Users cannot include an uppercase letter in their PIN.|
 
 ### Phone Sign-in

From 2e8be1a309e63ac7d14c6e77e5b740702a182430 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Fri, 10 Dec 2021 11:55:27 +0530
Subject: [PATCH 62/73] Fixed suggestions and Warnings

Task: 5644791: Fixed suggestions and Warnings as per the attachment provided in the task description.
---
 browsers/edge/group-policies/index.yml        |  2 +-
 browsers/edge/index.yml                       |  2 +-
 .../ie11-deploy-guide/img-ie11-docmode-lg.md  |  7 +-
 .../ie11-deploy-guide/manage-ie11-overview.md |  9 +--
 ...tory-microsoft-store-business-education.md |  6 +-
 store-for-business/sfb-change-history.md      |  8 +--
 ...t-removal-policy-external-storage-media.md |  2 +-
 .../troubleshoot-event-id-41-restart.md       |  2 +-
 ...ot-stop-error-on-broadcom-driver-update.md |  2 +-
 ...ery-tool-in-compatibility-administrator.md |  3 +-
 .../deployment/update/windows-as-a-service.md | 70 +++++++++----------
 .../deployment/upgrade/upgrade-error-codes.md | 13 ++--
 .../windows-10-deployment-scenarios.md        |  5 +-
 ...-endpoints-1909-non-enterprise-editions.md |  3 +-
 .../whats-new/windows-10-insider-preview.md   |  3 +-
 15 files changed, 60 insertions(+), 77 deletions(-)

diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml
index 0b2aef014b..0f970282ed 100644
--- a/browsers/edge/group-policies/index.yml
+++ b/browsers/edge/group-policies/index.yml
@@ -9,7 +9,7 @@ metadata:
   keywords: Microsoft Edge Legacy, Windows 10
   ms.localizationpriority: medium
   ms.prod: edge
-  author: shortpatti
+  author: dougeby
   ms.author: pashort
   ms.topic: landing-page
   ms.devlang: na
diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml
index 04b23cd56e..accbb0e679 100644
--- a/browsers/edge/index.yml
+++ b/browsers/edge/index.yml
@@ -11,7 +11,7 @@ metadata:
   ms.localizationpriority: medium
   ms.topic: landing-page # Required
   ms.collection: collection # Optional; Remove if no collection is used.
-  author: shortpatti #Required; your GitHub user alias, with correct capitalization.
+  author: dougeby #Required; your GitHub user alias, with correct capitalization.
   ms.author: pashort #Required; microsoft alias of author; optional team alias.
   ms.date: 07/07/2020 #Required; mm/dd/yyyy format.
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index a285c99103..2738d426b9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -14,9 +14,6 @@ ms.author: dansimp
 [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
 
 
-Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)<br>
-
-<p>
-	<img src="images/docmode-decisions-lg.png" alt="Full-sized flowchart detailing how document modes are chosen in IE11" width="1355" height="1625" style="max-width:none;">
-</p>
+Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
 
+   ![Full-sized flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-lg.png)
diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
index 66b29a20c4..58a2d5298b 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
@@ -36,11 +36,4 @@ Use the topics in this section to learn about how to auto detect your settings,
 |------|------------|
 |[Auto detect settings Internet Explorer 11](auto-detect-settings-for-ie11.md) |Guidance about how to update your automatic detection of DHCP and DNS servers. |
 |[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. |
-|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. | 
-
- 
-
- 
-
-
-
+|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 962ec31ffd..a4f1f93a78 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -1,6 +1,6 @@
 ---
-title: Whats new in Microsoft Store for Business and Education
-description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
+title: Microsoft Store for Business and Education release history
+description: Know the release history of Microsoft Store for Business and Microsoft Store for Education.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -18,7 +18,7 @@ manager: dansimp
 > [!IMPORTANT]
 > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
 
-Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases. 
+Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
 
 Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) 
 
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
index f57695f277..08e7950bb0 100644
--- a/store-for-business/sfb-change-history.md
+++ b/store-for-business/sfb-change-history.md
@@ -76,6 +76,7 @@ ms.localizationpriority: medium
 | --- | --- |
 | [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New |
 | [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |
+| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education.  |
 
 ## June 2017
 
@@ -84,10 +85,3 @@ ms.localizationpriority: medium
 | [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) | New. Information about notification model in Microsoft Store for Business and Education. |
 | [Get Minecraft: Education Edition with Windows 10 device promotion](/education/windows/get-minecraft-device-promotion) | New. Information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices.  |
 | [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |
-
-## July 2017
-
-| New or changed topic | Description |
-| -------------------- | ----------- |
-| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education.  |
-| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |
\ No newline at end of file
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index d59710d70b..8b0e587b74 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -3,7 +3,7 @@ title: Windows 10 default media removal policy
 description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal."
 ms.prod: w10
 author: Teresa-Motiv
-ms.author: v-tea
+ms.author: dougeby
 ms.date: 11/25/2020
 ms.topic: article
 ms.custom: 
diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md
index 277685cfc8..c1d7a706b0 100644
--- a/windows/client-management/troubleshoot-event-id-41-restart.md
+++ b/windows/client-management/troubleshoot-event-id-41-restart.md
@@ -2,7 +2,7 @@
 title: Advanced troubleshooting for Event ID 41 - "The system has rebooted without cleanly shutting down first"
 description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue
 author: Teresa-Motiv
-ms.author: v-tea
+ms.author: dougeby
 ms.date: 12/27/2019
 ms.prod: w10
 ms.topic: article
diff --git a/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md b/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md
index fb99d5d919..a22426c30a 100644
--- a/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md
+++ b/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md
@@ -2,7 +2,7 @@
 title: Stop error occurs when you update the in-box Broadcom network adapter driver
 description: Describes an issue that causes a stop error when you update an in-box Broadcom driver on Windows Server 2019, version 1809.
 author: Teresa-Motiv
-ms.author: v-tea
+ms.author: dougeby
 ms.date: 2/3/2020
 ms.prod: w10
 ms.topic: article
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 6135a8daf8..b225fd6214 100644
--- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -105,8 +105,7 @@ You can use the **Fix Description** tab of the Query tool to add parameters that
 
     The query runs and the results of the query are displayed in the lower pane.
 
-## Querying by Using the Fix Description Tab
-
+## Querying by Using the Advanced Tab
 
 You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria.
 
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 2e41bda86e..2cf662ee15 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -1,5 +1,5 @@
 ---
-title: Windows as a service  
+title: Windows as a service
 ms.prod: w10 
 ms.topic: landing-page
 ms.manager: laurawi
@@ -26,21 +26,20 @@ Find the latest and greatest news on Windows 10 deployment and servicing.
 **Discovering the Windows 10 Update history pages**
 > [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY]
 
-Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the <a href="/windows/release-health/">Windows release health dashboard</a> for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout.
+Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the [Windows release health dashboard](/windows/release-health/) for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout.
 
 The latest news:
-<ul compact style="list-style: none"> 
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807">How to get Extended Security Updates for eligible Windows devices </a> - October 17, 2019</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/End-of-service-reminders-for-Windows-10-versions-1703-and-1803/ba-p/903715">End of service reminders for Windows 10, versions 1703 and 1803  </a> - October 9, 2019</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860">Using machine learning to improve the Windows 10 update experience  </a> - September 26, 2019</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054
-">Publishing pre-release Windows 10 feature updates to WSUS  </a> - September 24, 2019</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/New-extended-support-dates-for-MDOP-tools/ba-p/837312">New extended support dates for MDOP tools   </a> - September 4, 2019</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/FastTrack-for-Windows-10-deployment-and-other-migration/ba-p/800406">FastTrack for Windows 10 deployment and other migration resources   </a> - August 12, 2019</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979">Tactical considerations for creating Windows deployment rings   </a> - July 10, 2019</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Upgrading-Windows-10-devices-with-installation-media-different/ba-p/746126">Upgrading Windows 10 devices with installation media different than the original OS install language</a> - July 9, 2019</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968">Moving to the next Windows 10 feature update for commercial customers</a> - July 1, 2019</li>
-</ul>
+
+- [How to get Extended Security Updates for eligible Windows devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807) - October 17, 2019
+- [End of service reminders for Windows 10, versions 1703 and 1803](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/End-of-service-reminders-for-Windows-10-versions-1703-and-1803/ba-p/903715) - October 9, 2019
+- [Using machine learning to improve the Windows 10 update experience](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860) - September 26, 2019
+- [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054) - September 24, 2019
+- [New extended support dates for MDOP tools](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/New-extended-support-dates-for-MDOP-tools/ba-p/837312) - September 4, 2019
+- [FastTrack for Windows 10 deployment and other migration resources](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/FastTrack-for-Windows-10-deployment-and-other-migration/ba-p/800406) - August 12, 2019
+- [Tactical considerations for creating Windows deployment rings](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979) - July 10, 2019
+- [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Upgrading-Windows-10-devices-with-installation-media-different/ba-p/746126) - July 9, 2019
+- [Moving to the next Windows 10 feature update for commercial customers](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968) - July 1, 2019
+
 
 [See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog).
 
@@ -49,20 +48,19 @@ Written by IT pros for IT pros, sharing real world examples and scenarios for Wi
 
 <img src="images/champs-2.png" alt="Champs" width="640" height="320">
 
-<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979">**NEW** Tactical considerations for creating Windows deployment rings</a>
+[**NEW** Tactical considerations for creating Windows deployment rings](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979)
 
-<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-Enterprise-vs-Windows-10-Pro-Modern-management/ba-p/720445">**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization</a>
+[**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-Enterprise-vs-Windows-10-Pro-Modern-management/ba-p/720445)
 
-<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/ba-p/659622">Deployment rings: The hidden [strategic] gem of Windows as a service</a>
+[Deployment rings: The hidden [strategic] gem of Windows as a service](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/ba-p/659622)
 
-<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Classifying-Windows-updates-in-common-deployment-tools/ba-p/331175">Classifying Windows updates in common deployment tools</a>
+[Classifying Windows updates in common deployment tools](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Classifying-Windows-updates-in-common-deployment-tools/ba-p/331175)
 
-<a href="/windows-server/get-started/express-updates">Express updates for Windows Server 2016 re-enabled for November 2018 update
-</a>
+[Express updates for Windows Server 2016 re-enabled for November 2018 update](/windows-server/get-started/express-updates)
 
-<a href="https://support.microsoft.com/help/4472027/">2019 SHA-2 Code Signing Support requirement for Windows and WSUS</a>
+[2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/)
 
-<a href="/windows/deployment/update/feature-update-mission-critical">Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices</a>
+[Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices](/windows/deployment/update/feature-update-mission-critical)
 
 ## Discover
 
@@ -70,14 +68,14 @@ Learn more about Windows as a service and its value to your organization.
 
 <img src="images/discover-land.png" alt="Discover">
 
-<a href="waas-overview.md">Overview of Windows as a service</a>
+[Overview of Windows as a service](waas-overview.md)
 
-<a href="waas-quick-start.md">Quick guide to Windows as a service</a>
+[Quick guide to Windows as a service](waas-quick-start.md)
 
 
-<a href="../deploy-whats-new.md">What's new in Windows 10 deployment</a>
+[What's new in Windows 10 deployment](../deploy-whats-new.md)
 
-<a href="https://channel9.msdn.com/events/Ignite/2015/BRK3303">How Microsoft IT deploys Windows 10</a></font>
+[How Microsoft IT deploys Windows 10](https://channel9.msdn.com/events/Ignite/2015/BRK3303)</font>
 
 ## Plan
 
@@ -85,15 +83,15 @@ Prepare to implement Windows as a service effectively using the right tools, pro
 
 <img src="images/plan-land.png" alt="Plan" />
 
-<a href="https://www.microsoft.com/windowsforbusiness/simplified-updates">Simplified updates</a>
+[Simplified updates](https://www.microsoft.com/windowsforbusiness/simplified-updates)
 
-<a href="https://www.microsoft.com/itpro/windows-10/end-user-readiness">Windows 10 end user readiness</a>
+[Windows 10 end user readiness](https://www.microsoft.com/itpro/windows-10/end-user-readiness)
 
-<a href="https://developer.microsoft.com/windows/ready-for-windows#/">Ready for Windows</a>
+[Ready for Windows](https://developer.microsoft.com/windows/ready-for-windows#/)
 
-<a href="/mem/configmgr/desktop-analytics/overview">Manage Windows upgrades with Upgrade Readiness</a>
+[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview)
 
-<a href="https://www.microsoft.com/itshowcase/windows10deployment">Preparing your organization for a seamless Windows 10 deployment</a>
+[Preparing your organization for a seamless Windows 10 deployment](https://www.microsoft.com/itshowcase/windows10deployment)
 
 ## Deploy
 
@@ -101,15 +99,15 @@ Secure your organization's deployment investment.
 
 <img src="images/deploy-land.png" alt="Deploy" />
 
-<a href="index.md">Update Windows 10 in the enterprise</a>
+[Update Windows 10 in the enterprise](index.md)
 
-<a href="https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade">Deploying as an in-place upgrade</a>
+[Deploying as an in-place upgrade](https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade)
 
-<a href="waas-configure-wufb.md">Configure Windows Update for Business</a>
+[Configure Windows Update for Business](waas-configure-wufb.md)
 
-<a href="waas-optimize-windows-10-updates.md#express-update-delivery">Express update delivery</a>
+[Express update delivery](waas-optimize-windows-10-updates.md#express-update-delivery)
 
-<a href="../planning/windows-10-deployment-considerations.md">Windows 10 deployment considerations</a>
+[Windows 10 deployment considerations](../planning/windows-10-deployment-considerations.md)
 
 
 ## Microsoft Ignite 2018
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index 8af8acdd00..dfcc3d607e 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -21,10 +21,9 @@ ms.collection: highpri
 -   Windows 10
 
 >[!NOTE]
->This is a 400 level topic (advanced).<br>
+>This is a 400 level topic (advanced).
 >See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
 
-
 If the upgrade process is not successful, Windows Setup will return two codes:
 
 1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error.
@@ -39,7 +38,7 @@ Note: If only a result code is returned, this can be because a tool is being use
 
 ## Result codes
 
-A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <br>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article.
+A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article.
 
 The following set of result codes are associated with [Windows Setup](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings:
 
@@ -145,7 +144,7 @@ For example: An extend code of **0x4000D**, represents a problem during phase 4
 ## Related topics
 
 [Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
-<br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-<br>[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications)
-<br>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-<br>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
\ No newline at end of file
+[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
+[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications)
+[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
\ No newline at end of file
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index d283c2d8f3..8dd6d2f734 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -19,6 +19,7 @@ ms.collection: highpri
 # Windows 10 deployment scenarios
 
 **Applies to**
+
 -   Windows 10
 
 To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
@@ -32,9 +33,9 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
    > [!NOTE]
    > Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
 
-- Dynamic deployment methods enable you to configure applications and settings for specific use cases. 
+- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
 
-- Traditional deployment methods use existing tools to deploy operating system images.<br>&nbsp;
+- Traditional deployment methods use existing tools to deploy operating system images.
 
 ### Modern
 
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index bf8ec55031..3520abedd7 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -148,7 +148,8 @@ The following methodology was used to derive the network endpoints:
 |ris.api.iris.microsoft.com|TLS v1.2|Windows Spotlight
 |settings-win.data.microsoft.com|HTTPS/TLS v1.2|Used for Windows apps to dynamically update their configuration
 |spo-ring.msedge.net|TLSv1.2|Cortana and Live Tiles
-|telecommand.telemetry.microsoft.com|TLS v1.2|Used by Windows Error Reporting ||tile-service.weather.microsoft.com|HTTP|Used for the Weather app
+|telecommand.telemetry.microsoft.com|TLS v1.2|Used by Windows Error Reporting 
+|tile-service.weather.microsoft.com|HTTP|Used for the Weather app
 |tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation
 |v10.events.data.microsoft.com/onecollector/1.0/|HTTPS/TLS v1.2|Diagnostic Data
 |v10.events.data.microsoft.com|HTTPS/TLS v1.2|Used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service
diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md
index 6fd107bf08..2e6f2191f7 100644
--- a/windows/whats-new/windows-10-insider-preview.md
+++ b/windows/whats-new/windows-10-insider-preview.md
@@ -14,7 +14,8 @@ ms.topic: article
 
 # Documentation for Windows 10 Insider Preview
 
-> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
+>[!NOTE]
+> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 This section contains preliminary documentation for some enterprise features in Windows 10 Insider Preview. Information in this section may change frequently.
 

From 662c0cca86003bda67323fb1c45078dc6a797e74 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Fri, 10 Dec 2021 16:13:43 +0530
Subject: [PATCH 63/73] Converted tables into markdown

---
 .../mdm/policy-csp-timelanguagesettings.md    | 160 ++++--------------
 1 file changed, 32 insertions(+), 128 deletions(-)

diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index b176166a68..8c80347095 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -43,38 +43,14 @@ manager: dansimp
 <a href="" id="timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks"></a>**TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>No</td>
-    <td>No</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>
@@ -121,38 +97,14 @@ ADMX Info:
 <a href="" id="timelanguagesettings-configuretimezone"></a>**TimeLanguageSettings/ConfigureTimeZone**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>No</td>
-    <td>No</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>
@@ -189,38 +141,14 @@ Specifies the time zone to be applied to the device. This is the standard Window
 <a href="" id="timelanguagesettings-machineuilanguageoverwrite"></a>**TimeLanguageSettings/MachineUILanguageOverwrite**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>No</td>
-    <td>No</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>
@@ -267,38 +195,14 @@ ADMX Info:
 <a href="" id="timelanguagesettings-restrictlanguagepacksandfeaturesinstall"></a>**TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall**  
 
 <!--SupportedSKUs-->
-<table>
-<tr>
-    <th>Edition</th>
-    <th>Windows 10</th>
-    <th>Windows 11</th>
-</tr>
-<tr>
-    <td>Home</td>
-    <td>No</td>
-    <td>No</td>
-</tr>
-<tr>
-    <td>Pro</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Business</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Enterprise</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-<tr>
-    <td>Education</td>
-    <td>Yes</td>
-    <td>Yes</td>
-</tr>
-</table>
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 <!--/SupportedSKUs-->
 <hr/>

From e9f9adcb653fb56385895de444b5def1531928b4 Mon Sep 17 00:00:00 2001
From: Diana Hanson <v-dihans@microsoft.com>
Date: Fri, 10 Dec 2021 11:25:58 -0700
Subject: [PATCH 64/73] Update
 windows/client-management/mdm/policy-csp-textinput.md

---
 windows/client-management/mdm/policy-csp-textinput.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 704f861562..be2edb8989 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -657,7 +657,7 @@ Default: Enabled
 The following list shows the supported values:
 
 - 1 (Enabled) - The newer UX is downloaded from Microsoft service.
-- 0 (Diabled) - The UX remains unchanged with what the operating system installs.
+- 0 (Disabled) - The UX remains unchanged with what the operating system installs.
 
 <!--/SupportedValues-->
 <!--/Policy-->

From daa4dc268f1d87d5c7434e2e84263e8924d4cd00 Mon Sep 17 00:00:00 2001
From: Diana Hanson <v-dihans@microsoft.com>
Date: Fri, 10 Dec 2021 11:55:34 -0700
Subject: [PATCH 65/73] Update
 windows/client-management/mdm/policy-csp-system.md

---
 windows/client-management/mdm/policy-csp-system.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 92131c2cb0..67975bf4f5 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1395,7 +1395,6 @@ The following list shows the supported values:
 
 -   0 – Disabled
 -   1 – Enabled
-- 
 <!--/SupportedValues-->
 <!--/Policy-->
 

From f6e3d1ed26791189d63ac6bf53c35820774b8a44 Mon Sep 17 00:00:00 2001
From: Diana Hanson <v-dihans@microsoft.com>
Date: Fri, 10 Dec 2021 11:59:24 -0700
Subject: [PATCH 66/73] Update
 windows/client-management/mdm/policy-csp-system.md

---
 windows/client-management/mdm/policy-csp-system.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 67975bf4f5..c3266bea55 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1344,7 +1344,6 @@ The following list shows the supported values:
 
 -   0 – Disabled
 -   1 – Enabled
-- 
 <!--/SupportedValues-->
 <!--/Policy-->
 

From 7417a4764dbdb84a2625d40308bff6a0ebb5b3fa Mon Sep 17 00:00:00 2001
From: Diana Hanson <v-dihans@microsoft.com>
Date: Fri, 10 Dec 2021 12:00:45 -0700
Subject: [PATCH 67/73] Update policy-csp-system.md

---
 windows/client-management/mdm/policy-csp-system.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index c3266bea55..9e31c3a67b 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1344,6 +1344,7 @@ The following list shows the supported values:
 
 -   0 – Disabled
 -   1 – Enabled
+   
 <!--/SupportedValues-->
 <!--/Policy-->
 

From 91183da4a1033ef79055a64ec8170e176a1e1fbf Mon Sep 17 00:00:00 2001
From: Tina Burden <v-tibur@microsoft.com>
Date: Fri, 10 Dec 2021 11:37:02 -0800
Subject: [PATCH 68/73] added full size images

to resolve customer-submitted issue in public repo
---
 .../hello-for-business/hello-how-it-works-provisioning.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index c114cd86e5..bf92834f9b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -39,6 +39,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 ## Azure AD joined provisioning in a Managed environment
 ![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-managed.png)
+[Full size image](images/howitworks/prov-aadj-managed.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -50,6 +51,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 [Return to top](#windows-hello-for-business-provisioning)
 ## Azure AD joined provisioning in a Federated environment
 ![Azure AD joined provisioning in Managed environment.](images/howitworks/prov-aadj-federated.png)
+[Full size image](images/howitworks/prov-aadj-federated.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -60,7 +62,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 [Return to top](#windows-hello-for-business-provisioning)
 ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment
 ![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment.](images/howitworks/prov-haadj-keytrust-managed.png)
-
+[Full size image](images/howitworks/prov-haadj-keytrust-managed.png)
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 |:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -78,7 +80,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 [Return to top](#windows-hello-for-business-provisioning)
 ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
 ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png)
-
+[Full size image](images/howitworks/prov-haadj-instant-certtrust-federated.png)
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 |:-----:|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -96,6 +98,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 [Return to top](#windows-hello-for-business-provisioning)
 ## Domain joined provisioning in an On-premises Key Trust deployment
 ![Domain joined provisioning in an On-premises Key Trust deployment.](images/howitworks/prov-onprem-keytrust.png)
+[Full size image](images/howitworks/prov-onprem-keytrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -107,6 +110,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 [Return to top](#windows-hello-for-business-provisioning)
 ## Domain joined provisioning in an On-premises Certificate Trust deployment
 ![Domain joined provisioning in an On-premises Certificate Trust deployment.](images/howitworks/prov-onprem-certtrust.png)
+[Full size image](images/howitworks/prov-onprem-certtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |

From d63715caa0e4e061bbcef5e03bcec871648f0c78 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Mon, 13 Dec 2021 13:12:15 -0500
Subject: [PATCH 69/73] Line 63: Replaced broken link

---
 windows/deployment/update/windows-as-a-service.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 2cf662ee15..a034dba7a3 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -60,7 +60,7 @@ Written by IT pros for IT pros, sharing real world examples and scenarios for Wi
 
 [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/)
 
-[Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices](/windows/deployment/update/feature-update-mission-critical)
+[What is Windows Update for Business?](waas-manage-updates-wufb.md)
 
 ## Discover
 
@@ -113,4 +113,4 @@ Secure your organization's deployment investment.
 ## Microsoft Ignite 2018
 <img src="images/ignite-land.jpg" alt="Ignite" width="640" height="320"/>
 
-Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
\ No newline at end of file
+Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).

From d1055728e17e6834e838210483d3fd073c66ed39 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Mon, 13 Dec 2021 13:19:33 -0500
Subject: [PATCH 70/73] Line 149: Replaced broken link; Added spacing

---
 windows/deployment/upgrade/upgrade-error-codes.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index dfcc3d607e..3675d0d71a 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -143,8 +143,8 @@ For example: An extend code of **0x4000D**, represents a problem during phase 4
 
 ## Related topics
 
-[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
-[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications)
-[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
\ No newline at end of file
+[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)  
+[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)  
+[Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)  
+[Microsoft Windows Q & A](https://docs.microsoft.com/answers/products/windows)  
+[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)

From 19e717e73dc2525e1241a9abb093d80bb31c4f7b Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger <Mandi.Ohlinger@microsoft.com>
Date: Mon, 13 Dec 2021 13:27:48 -0500
Subject: [PATCH 71/73] Used Docs image extension; Added lightbox

---
 .../internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 2738d426b9..ca1542a952 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -16,4 +16,5 @@ ms.author: dansimp
 
 Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
 
-   ![Full-sized flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-lg.png)
+:::image type="content" source="images/docmode-decisions-lg.png" alt-text="Full-sized flowchart detailing how document modes are chosen in IE11" lightbox="images/docmode-decisions-lg.png":::
+

From decb8842de7fb51898d8d6e30933c985eb8b38a5 Mon Sep 17 00:00:00 2001
From: Diana Hanson <v-dihans@microsoft.com>
Date: Mon, 13 Dec 2021 11:54:45 -0700
Subject: [PATCH 72/73] Update
 windows/deployment/upgrade/upgrade-error-codes.md

---
 windows/deployment/upgrade/upgrade-error-codes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index 3675d0d71a..2b08e9adc9 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -146,5 +146,5 @@ For example: An extend code of **0x4000D**, represents a problem during phase 4
 [Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)  
 [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)  
 [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)  
-[Microsoft Windows Q & A](https://docs.microsoft.com/answers/products/windows)  
+[Microsoft Windows Q & A](/answers/products/windows)  
 [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)

From 3795d60b9f64c95c9ae03bbbf9d48bea54c573a8 Mon Sep 17 00:00:00 2001
From: MandiOhlinger <mandi.ohlinger@microsoft.com>
Date: Mon, 13 Dec 2021 15:55:07 -0500
Subject: [PATCH 73/73] adding info on settings app

---
 education/windows/windows-11-se-overview.md   |  2 +-
 .../windows/windows-11-se-settings-list.md    | 39 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 342ce437b3..32f5f7795d 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -20,7 +20,7 @@ ms.topic: article
 - Windows 11 SE
 - Microsoft Intune for Education
 
-Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled.
+Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately).
 
 For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
 
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 0c7227041a..4de2367a08 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -62,6 +62,45 @@ The following settings can't be changed.
 | Administrative tools  | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
 | Apps  | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md).  |
 
+## What's available in the Settings app
+
+On Windows 11 SE devices, the Settings app shows the following setting pages. Depending on the hardware, some setting pages might not be shown.
+
+- Accessibility
+
+- Accounts
+  - Email & accounts
+
+- Apps
+
+- Bluetooth & devices
+  - Bluetooth
+  - Printers & scanners
+  - Mouse
+  - Touchpad
+  - Typing
+  - Pen
+  - AutoPlay
+
+- Network & internet
+  - WiFi
+  - VPN
+
+- Personalization
+  - Taskbar
+
+- Privacy & security
+
+- System
+  - Display
+  - Notifications
+  - Tablet mode
+  - Multitasking
+  - Projecting to this PC
+
+- Time & Language
+  - Language & region
+
 ## Next steps
 
 [Windows 11 SE for Education overview](windows-11-se-overview.md)