Merge branch 'main' into other-prods-8743531

.openpublishing.redirection.windows-configuration.json

@@ -30,16 +30,6 @@
       "redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization",
       "redirect_document_id": false
     },
-    {
-      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
-      "redirect_url": "/windows/resources",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-powerbi.md",
-      "redirect_url": "/windows/resources",
-      "redirect_document_id": false
-    },
     {
       "source_path": "windows/configuration/diagnostic-data-viewer-overview.md",
       "redirect_url": "/windows/privacy/diagnostic-data-viewer-overview",
@@ -280,111 +270,6 @@
       "redirect_url": "/windows/configuration/windows-diagnostic-data",
       "redirect_document_id": false
     },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-feedback.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-o365.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-overview.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/test-scenario-1.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-1",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/test-scenario-2.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-2",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/test-scenario-3.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-3",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/test-scenario-4.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-4",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/test-scenario-5.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-5",
-      "redirect_document_id":false
-    },
-    {
-      "source_path":"windows/configuration/cortana-at-work/test-scenario-6.md",
-      "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-6",
-      "redirect_document_id":false
-    },
     {
       "source_path": "windows/configuration/windows-diagnostic-data.md",
       "redirect_url": "/windows/privacy/windows-diagnostic-data",
@@ -574,6 +459,276 @@
       "source_path": "windows/configuration/windows-spotlight.md",
       "redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-crm.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-crm.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-powerbi.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-powerbi.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-powerbi.md",
+      "redirect_url": "/windows/resources",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-feedback.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-feedback.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-feedback.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-o365.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-o365.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-o365.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-overview.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-overview.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-overview.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/manage-cortana-in-enterprise.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-policy-settings.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-policy-settings.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-scenario-1.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-scenario-1.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-scenario-2.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-scenario-2.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-scenario-3.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-scenario-3.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-scenario-4.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-scenario-4.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-scenario-5.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-scenario-5.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-scenario-6.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-scenario-6.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-scenario-7.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-scenario-7.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-testing-scenarios.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-testing-scenarios.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configure/cortana-at-work-voice-commands.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/manage/cortana-at-work-voice-commands.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/test-scenario-1.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-1",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/test-scenario-2.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-2",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/test-scenario-3.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-3",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/test-scenario-4.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-4",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/test-scenario-5.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-5",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/test-scenario-6.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-6",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md",
+      "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org",
+      "redirect_document_id": false
     }
   ]
 }

education/docfx.json

@@ -42,7 +42,7 @@
       "breadcrumb_path": "/education/breadcrumb/toc.json",
       "uhfHeaderId": "MSDocsHeader-Windows",
       "feedback_system": "Standard",
-            "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
       "_op_documentIdPathDepotMapping": {
         "./": {
           "depot_name": "Win.education",
@@ -65,15 +65,16 @@
         "v-stsavell",
         "beccarobins",
         "Stacyrch140",
-        "American-Dipper"
+        "American-Dipper",
+        "shdyas"
       ]
     },
     "fileMetadata": {
-      "appliesto":{
+      "appliesto": {
         "windows/**/*.md": [
-        "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
-        "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11 SE</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11 SE</a>",
-        "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
         ]
       }
     },
@@ -81,5 +82,5 @@
     "template": "op.html",
     "dest": "education",
     "markdownEngineName": "markdig"
-}
+  }
-}
+}

store-for-business/docfx.json

@@ -54,27 +54,28 @@
           "folder_relative_path_in_docset": "./"
         }
       },
-      "contributors_to_exclude": [ 
+      "contributors_to_exclude": [
-        "rjagiewich", 
+        "rjagiewich",
-        "traya1", 
+        "traya1",
-        "rmca14", 
+        "rmca14",
-        "claydetels19", 
+        "claydetels19",
         "Kellylorenebaker",
         "jborsecnik",
         "tiburd",
         "AngelaMotherofDragons",
         "dstrome",
-        "v-dihans",        
+        "v-dihans",
         "garycentric",
         "v-stsavell",
         "beccarobins",
         "Stacyrch140",
-        "American-Dipper"
+        "American-Dipper",
+        "shdyas"
       ]
     },
     "fileMetadata": {},
     "template": [],
     "dest": "store-for-business",
     "markdownEngineName": "markdig"
-    }
+  }
-}
+}

windows/application-management/app-v/appv-evaluating-appv.md

@@ -4,11 +4,12 @@ description: Learn how to evaluate App-V for Windows 10/11 in a lab environment
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Evaluating App-V

windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md

@@ -4,11 +4,12 @@ description: How to Install the App-V Databases and Convert the Associated Secur
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 
@@ -79,14 +80,14 @@ Before attempting this procedure, you should read and understand the information
                    "  Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" +
                    "  The output is written to the console in the format 'Account name    SID as string   SID as hexadecimal'{0}" +
                    "  And can be written out to a file using standard Windows PowerShell redirection{0}" +
-                   "  Please specify user accounts in the format 'DOMAIN\username'{0}" + 
+                   "  Please specify user accounts in the format 'DOMAIN\username'{0}" +
                    "  Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" +
-                   "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + 
+                   "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" +
                    "{0}====== Arguments ======{0}" +
-                   "{0}  /?    Show this help message", [Environment]::NewLine) 
+                   "{0}  /?    Show this help message", [Environment]::NewLine)
     {
     else
-    {  
+    { 
         #If an array was passed in, try to split it
         if($myArgs.Length -eq 1)
         {
@@ -95,7 +96,7 @@ Before attempting this procedure, you should read and understand the information
 
         #Parse the arguments for account names
         foreach($accountName in $myArgs)
-        {    
+        {   
             [string[]] $splitString = $accountName.Split('\')  # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject
             if($splitString.Length -ne 2)
             {

windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md

@@ -4,11 +4,12 @@ description: How to Manage Connection Groups on a Stand-alone Computer by Using
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell

windows/application-management/app-v/appv-managing-connection-groups.md

@@ -4,11 +4,12 @@ description: Connection groups can allow administrators to manage packages indep
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Managing Connection Groups
@@ -40,9 +41,9 @@ In some previous versions of App-V, connection groups were referred to as Dynami
 
 -   [Operations for App-V](appv-operations.md)
 
- 
+
-
+
- 
+
 
 
 

windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md

@@ -4,18 +4,19 @@ description: Learn how to migrate to Microsoft Application Virtualization (App-V
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Migrating to App-V from previous versions
 
 [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
 
-To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first. 
+To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first.
 
 ## <a href="" id="bkmk-pkgconvimprove"></a>Improvements to the App-V Package Converter
 
@@ -51,7 +52,7 @@ To understand the new process, review the following example `ConvertFrom-AppvLeg
 **And you run this command:**
 
 ``` syntax
-ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ 
+ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\
 -DestinationPath \\NewPkgStore\ContosoApp\
 -OSDsToIncludeInPackage X.osd,Y.osd
 ```
@@ -88,7 +89,7 @@ Use the package converter utility to upgrade virtual application packages create
 **Important**  
 After you convert an existing package you should test the package prior to deploying the package to ensure the conversion process was successful.
 
- 
+
 
 **What to know before you convert existing packages**
 

windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md

@@ -4,11 +4,12 @@ description: Learn how to modify an existing virtual application package and add
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # How to Modify an Existing Virtual Application Package

windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md

@@ -4,11 +4,12 @@ description: Learn how to modify the Application Virtualization (App-V) client c
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # How to Modify Client Configuration by Using Windows PowerShell
@@ -28,8 +29,8 @@ Use the following procedure to configure the App-V client configuration.
     `Set-AppVClientConfiguration –Name1 MyConfig –Name2 "xyz"`
 
 
- 
+
- 
+
 <br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
 
 ## Related articles

windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md

@@ -4,11 +4,12 @@ description: Learn how to create a new management server console in your environ
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # How to move the App-V server to another computer

windows/application-management/app-v/appv-performance-guidance.md

@@ -4,11 +4,12 @@ description: Learn how to configure App-V for optimal performance, optimize virt
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Performance Guidance for Application Virtualization
@@ -16,7 +17,7 @@ ms.subservice: itpro-apps
 **Applies to**:
 
 - Windows 7 SP1
-- Windows 10 
+- Windows 10
 - Windows 11
 - Server 2012 R2
 - Server 2016
@@ -103,7 +104,7 @@ The following information displays the required steps to prepare the base image
 
 #### Prepare the Base Image
 
-- **Performance**: 
+- **Performance**:
 
   - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
   - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
@@ -120,7 +121,7 @@ The following information displays the required steps to prepare the base image
       - `AppData\Local\Microsoft\AppV\Client\VFS`
       - `AppData\Roaming\Microsoft\AppV\Client\VFS`
 
-- **Storage**: 
+- **Storage**:
 
   - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
   - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
@@ -144,7 +145,7 @@ For critical App-V Client configurations and for a little more context and how-t
 - **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting isn't configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*.
 
   For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.
-  
+
   If you don't plan to pre-configure every available user package in the base image, use this setting.
 
   - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`.
@@ -181,7 +182,7 @@ UE-V will only support removing the .lnk file type from the exclusion list in th
 -   If a user has an application installed on one device but not another with .lnk files enabled.
 
 > [!Important]
-> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. 
+> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.
 
 Using the Microsoft Registry Editor (regedit.exe), navigate to `HKEY\_LOCAL\_MACHINE\Software\Microsoft\UEV\Agent\Configuration\ExcludedFileTypes` and remove `.lnk` from the excluded file types.
 
@@ -200,10 +201,10 @@ To enable an optimized sign-in experience, for example the App-V approach for th
 -   Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations.
 
   > [!Note]
-  > 
+  >
   > App-V is supported when using UPD only when the entire profile is stored on the user profile disk.
-  > 
+  >
-  > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver doesn't handle UPD selected folders.     
+  > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver doesn't handle UPD selected folders.
 
 -   Capturing changes to the locations, which constitute the user integrations, prior to session sign out.
 
@@ -246,50 +247,50 @@ Registry – HKEY\_CURRENT\_USER
 This following process is a step-by-step walk-through of the App-V and UPM operations, and the users' expectations.
 
 - **Performance**: After implementing this approach in the VDI/RDSH environment, on first login,
-  - (Operation) A user-publishing/refresh is initiated. 
+  - (Operation) A user-publishing/refresh is initiated.
 
     (Expectation) If it's the first time that a user has published virtual applications (for example, non-persistent), this operation will take the usual duration of a publishing/refresh.
 
 - (Operation) After the publishing/refresh, the UPM solution captures the user integrations.
 
     (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-out process. This result will incur the same/similar overhead as persisting the user state.
- 
+
   **On subsequent logins**:
 
   - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
 
     (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (that is, package entitlements change), some may go away.
 
-  - (Operation) Publishing/refresh will process unpublish and publish operations for changes in user package entitlements. 
+  - (Operation) Publishing/refresh will process unpublish and publish operations for changes in user package entitlements.
- 
+
     (Expectation) If there are no entitlement changes, publishing will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity of virtual applications
 
-    The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.  
+    The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.
-  
+
   - (Operation) UPM solution will capture user integrations again at sign off.
- 
+
      (Expectation) Same as previous.
 
-  **Outcome**: 
+  **Outcome**:
 
   - Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of sign in.
   - The publishing/refresh will process changes to the users-entitled virtual applications, which impacts the experience.
 
 - **Storage**: After implementing this approach in the VDI/RDSH environment, on first login
 
-  - (Operation) A user-publishing/refresh is initiated. 
+  - (Operation) A user-publishing/refresh is initiated.
 
     (Expectation):
 
     - If this instance is the first time a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh.
     - First and subsequent logins will be impacted by pre-configuring of packages (add/refresh).
- 
+
   - (Operation) After the publishing/refresh, the UPM solution captures the user integrations.
 
-    (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-off process. This result will incur the same/similar overhead as persisting the user state. 
+    (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-off process. This result will incur the same/similar overhead as persisting the user state.
- 
+
   **On subsequent logins**:
- 
+
   - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
   - (Operation) Add/refresh must pre-configure all user targeted applications.
 
@@ -300,7 +301,7 @@ This following process is a step-by-step walk-through of the App-V and UPM opera
    - (Operation) Publishing/refresh will process unpublish and publish operations for changes to user package entitlements.
 
   **Outcome**: Because the add/refresh must reconfigure all the virtual applications to the VM, the publishing refresh time on every login will be extended.
- 
+
 ### <a href="" id="bkmk-plc"></a>Impact to Package Life Cycle
 
 Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (unpublished) virtual application packages, it's recommended you update the base image to reflect these changes. To understand why review the following section:
@@ -380,7 +381,7 @@ Removing FB1 doesn't require the original application installer. After completin
     "C:\\UpgradedPackages"
 
     > [!Note]
-    > This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file.  
+    > This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file.
 
 |Step|Considerations|Benefits|Tradeoffs|
 |--- |--- |--- |--- |
@@ -398,7 +399,7 @@ When publishing a virtual application package, the App-V Client will detect if a
 |Step|Considerations|Benefits|Tradeoffs|
 |--- |--- |--- |--- |
 |Selectively Employ Dynamic Configuration files|The App-V client must parse and process these Dynamic Configuration files. <br> <br>Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.<br> <br>Numerous virtual application packages may already have User- or computer–specific dynamic configurations files.|Publishing times will improve if these files are used selectively or not at all.|Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.|
- 
+
 
 ### Disabling a Dynamic Configuration by using Windows PowerShell
 

windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md

@@ -4,11 +4,12 @@ description: How to Register and Unregister a Publishing Server by Using the Man
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # How to Register and Unregister a Publishing Server by Using the Management Console

windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md

@@ -4,11 +4,12 @@ description: A list of known issues and workarounds for App-V running on Windows
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Release Notes for App-V for Windows 10 version 1703 and later

windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md

@@ -4,11 +4,12 @@ description: A list of known issues and workarounds for App-V running on Windows
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Release Notes for App-V for Windows 10, version 1607
@@ -17,7 +18,7 @@ ms.subservice: itpro-apps
 -   Windows 10, version 1607
 
 The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607.
- 
+
 ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client
 There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the prerequisite check fails and causes the MSI to fail.
 
@@ -28,20 +29,20 @@ There are MSI packages generated by an App-V sequencer from previous versions of
 2. Ensure that you've installed the **MSI Tools** included in the Windows 10 SDK, available as follows:
 
     - For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/windows/downloads).
-    
+
     - For the standalone Windows 10 SDK without other tools, see [Standalone Windows SDK](https://developer.microsoft.com/windows/downloads/windows-sdk).
 
 3. Copy msidb.exe from the default path of the Windows SDK installation (**C:\Program Files (x86)\Windows Kits\10**) to a different directory. For example: **C:\MyMsiTools\bin**
 
 4. From an elevated Windows PowerShell prompt, navigate to the following folder:
- 
-    <Windows Kits 10 installation folder>**\Microsoft Application Virtualization\Sequencer\\** 
 
-    By default, this path is:<br>**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer** 
+    &lt;Windows Kits 10 installation folder&gt;**\Microsoft Application Virtualization\Sequencer\\**
+
+    By default, this path is:<br>**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer**
 
 5. Run the following command:
 
-    `Update-AppvPackageMsi -MsiPackage "<path to App-V Package .msi file>" -MsSdkPath "<path>"` 
+    `Update-AppvPackageMsi -MsiPackage "<path to App-V Package .msi file>" -MsSdkPath "<path>"`
 
      where the path is to the new directory (**C:\MyMsiTools\ for this example**).
 

windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md

@@ -4,11 +4,12 @@ description: Running a Locally Installed Application Inside a Virtual Environmen
 author: aczechowski
 ms.service: windows-client
 ms.date: 03/08/2018
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
@@ -81,10 +82,10 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo
     The application in the previous example would produce a registry export file (.reg file) like the following example:
 
     ```registry
-    Windows Registry Editor Version 5.00 
+    Windows Registry Editor Version 5.00
-    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual] 
+    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual]
-    @="" 
+    @=""
-    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe] 
+    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe]
     @="aaaaaaaa-bbbb-cccc-dddd-eeeeeeee_11111111-2222-3333-4444-555555555
     ```
 

windows/application-management/app-v/appv-sequence-a-package-with-powershell.md

@@ -4,11 +4,12 @@ description: Learn how to sequence a new Microsoft Application Virtualization (A
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # How to Sequence a Package by using Windows PowerShell
@@ -20,7 +21,7 @@ Use the following procedure to create a new App-V package using Windows PowerShe
 > [!NOTE]
 > Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md).
 
- 
+
 **To create a new virtual application by using Windows PowerShell**
 
 1.  Install the App-V sequencer. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
@@ -60,10 +61,10 @@ The following list displays additional optional parameters that can be used with
 
 -   FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened.
 
-Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. 
+Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file.
 
 > [!IMPORTANT]
-> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. 
+> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template.
 
 ## Related articles
 

windows/application-management/app-v/appv-technical-reference.md

@@ -4,11 +4,12 @@ description: Learn strategy and context for many performance optimization practi
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Technical Reference for App-V

windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md

@@ -4,11 +4,12 @@ description: How to Transfer Access and Configurations to Another Version of a P
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console

windows/application-management/app-v/appv-troubleshooting.md

@@ -4,11 +4,12 @@ description: Learn how to find information about troubleshooting Application Vir
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Troubleshooting App-V

windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md

@@ -4,18 +4,19 @@ description: Learn about upgrading to Application Virtualization (App-V) for Win
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Upgrading to App-V for Windows client from an existing installation
 
 [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
 
-If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client. 
+If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client.
 
 1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-1011). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings.
 
@@ -31,11 +32,11 @@ These steps are explained in more detail below.
 
 ## Upgrade user devices to Windows 10/11
 
-Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices. 
+Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices.
 
 ## Verify that App-V applications and settings were migrated correctly
 
-After upgrading a user device, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. 
+After upgrading a user device, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade.
 
 To verify that the user’s App-V application packages were migrated correctly, type `Get-AppvClientPackage` in Windows PowerShell.
 
@@ -43,13 +44,13 @@ To verify that the user’s App-V settings were migrated correctly, type `Get-Ap
 
 ## Enable the in-box App-V client
 
-With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. 
+With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell.
 
 **To enable the App-V client with Group Policy**
 
 1. Open the device’s **Group Policy Editor**.
 
-2. Navigate to **Computer Configuration > Administrative Templates > System > App-V**. 
+2. Navigate to **Computer Configuration > Administrative Templates > System > App-V**.
 
 3. Run **Enables App-V Client** and then select **Enabled** on the screen that appears.
 
@@ -71,27 +72,27 @@ Once you’ve enabled the in-box App-V client, you need to configure it to point
 
 **To modify client settings to point to an existing App-V publishing server with Windows PowerShell**
 
-Type the following cmdlet in a Windows PowerShell window: 
+Type the following cmdlet in a Windows PowerShell window:
 
-`Add-AppvPublishingServer -Name AppVServer -URL https:// appvserver:2222` 
+`Add-AppvPublishingServer -Name AppVServer -URL https:// appvserver:2222`
 
-**To modify client settings to point to an existing App-V publishing server with Group Policy** 
+**To modify client settings to point to an existing App-V publishing server with Group Policy**
 
 1. Open the device’s **Local Group Policy Editor**.
 
-2. Navigate to **Computer Configuration > Administrative Templates > System > App-V > Publishing**.  
+2. Navigate to **Computer Configuration > Administrative Templates > System > App-V > Publishing**.
 
 3. Enter your existing App-V publishing server’s details in **Options** and then click or press **Apply**.
 
 ## Verify that the in-box App-V client can receive and launch .appv packages
 
-1. Add and publish a package using the following Windows PowerShell cmdlets: 
+1. Add and publish a package using the following Windows PowerShell cmdlets:
 
-    `Add-AppvClientPackage \\path\to\appv\package.appv | Publish-AppvClientPackage` 
+    `Add-AppvClientPackage \\path\to\appv\package.appv | Publish-AppvClientPackage`
 
-2. Launch the published package. 
+2. Launch the published package.
 
-3. Unpublish an existing package use the following cmdlet: 
+3. Unpublish an existing package use the following cmdlet:
 
     `Unpublish-AppvClientPackage "ContosoApplication"`
 

windows/application-management/app-v/appv-using-the-client-management-console.md

@@ -4,11 +4,12 @@ description: Learn how to use the Application Virtualization (App-V) client mana
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Using the App-V Client Management Console
@@ -25,7 +26,7 @@ The App-V client has associated settings that can be configured to determine how
 
 - [How to Modify Client Configuration by Using Windows PowerShell](appv-modify-client-configuration-with-powershell.md)
 
-- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) 
+- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
 
 ## <a href="" id="the-app-v-5-1-client-management-console-"></a>The App-V client management console
 

windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md

@@ -4,11 +4,12 @@ description: How to View and Configure Applications and Default Virtual Applicat
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console

windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md

@@ -4,11 +4,12 @@ description: Use this procedure to view App-V Server publishing metadata, which
 author: aczechowski
 ms.service: windows-client
 ms.date: 04/19/2017
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: aaroncz
 ms.collection: must-keep
 ms.subservice: itpro-apps
+ms.topic: article
 ---
 
 # Viewing App-V Server Publishing Metadata

windows/application-management/docfx.json

@@ -43,7 +43,7 @@
       "ms.service": "windows-client",
       "ms.subservice": "itpro-apps",
       "feedback_system": "Standard",
-            "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
       "_op_documentIdPathDepotMapping": {
         "./": {
           "depot_name": "MSDN.win-app-management",
@@ -62,9 +62,12 @@
         "beccarobins",
         "Stacyrch140",
         "v-stsavell",
-        "American-Dipper"
+        "American-Dipper",
+        "shdyas"
       ],
-      "searchScope": ["Windows 10"]
+      "searchScope": [
+        "Windows 10"
+      ]
     },
     "fileMetadata": {
       "feedback_system": {
@@ -75,4 +78,4 @@
     "dest": "win-app-management",
     "markdownEngineName": "markdig"
   }
-}
+}

windows/client-management/docfx.json

@@ -49,7 +49,7 @@
       "author": "vinaypamnani-msft",
       "manager": "aaroncz",
       "feedback_system": "Standard",
-            "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
       "_op_documentIdPathDepotMapping": {
         "./": {
           "depot_name": "MSDN.win-client-management",
@@ -69,7 +69,8 @@
         "american-dipper",
         "angelamotherofdragons",
         "v-stsavell",
-        "stacyrch140"
+        "stacyrch140",
+        "shdyas"
       ],
       "searchScope": [
         "Windows 10"

windows/client-management/mdm/dmclient-csp.md

@@ -14,6 +14,9 @@ ms.date: 01/18/2024
 <!-- DMClient-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
+
+> [!NOTE]
+> The DMClient CSP nodes are intended to be configured by the MDM server to manage device configuration and security features. Custom URI settings for this CSP are not supported for IT admin management scenarios due to the complexity of the settings.
 <!-- DMClient-Editable-End -->
 
 <!-- DMClient-Tree-Begin -->

windows/client-management/mdm/policy-csp-mixedreality.md

@@ -1,7 +1,7 @@
 ---
 title: MixedReality Policy CSP
 description: Learn more about the MixedReality Area in Policy CSP.
-ms.date: 01/31/2024
+ms.date: 02/20/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
@@ -272,6 +272,59 @@ This policy controls if the HoloLens displays will be automatically adjusted for
 
 <!-- AutomaticDisplayAdjustment-End -->
 
+<!-- AutoUnlock-Begin -->
+## AutoUnlock
+
+<!-- AutoUnlock-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device <br> ✅ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+<!-- AutoUnlock-Applicability-End -->
+
+<!-- AutoUnlock-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/MixedReality/AutoUnlock
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoUnlock
+```
+<!-- AutoUnlock-OmaUri-End -->
+
+<!-- AutoUnlock-Description-Begin -->
+<!-- Description-Source-DDF -->
+This policy controls whether a signed-in user will be prompted for credentials when returning to the device after the device has entered suspended state. This policy is available both for the device as well as the user scope. When enabled for the device scope, auto unlock will be enabled for all users on the device. When enabled for the user scope, only the specific user will have auto unlock enabled.
+<!-- AutoUnlock-Description-End -->
+
+<!-- AutoUnlock-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AutoUnlock-Editable-End -->
+
+<!-- AutoUnlock-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- AutoUnlock-DFProperties-End -->
+
+<!-- AutoUnlock-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | User will be prompted for credentials. |
+| 1 | User won't be prompted for credentials. |
+<!-- AutoUnlock-AllowedValues-End -->
+
+<!-- AutoUnlock-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AutoUnlock-Examples-End -->
+
+<!-- AutoUnlock-End -->
+
 <!-- BrightnessButtonDisabled-Begin -->
 ## BrightnessButtonDisabled
 

windows/configuration/docfx.json

@@ -47,7 +47,7 @@
       "author": "paolomatarazzo",
       "manager": "aaroncz",
       "feedback_system": "Standard",
-            "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
       "_op_documentIdPathDepotMapping": {
         "./": {
           "depot_name": "MSDN.win-configuration",
@@ -66,31 +66,34 @@
         "beccarobins",
         "Stacyrch140",
         "v-stsavell",
-        "American-Dipper"
+        "American-Dipper",
+        "shdyas"
       ],
-      "searchScope": ["Windows 10"]
+      "searchScope": [
+        "Windows 10"
+      ]
     },
     "fileMetadata": {
       "feedback_system": {
         "ue-v/**/*.*": "None"
       },
-      "author":{
+      "author": {
         "wcd//**/*.md": "aczechowski",
         "wcd//**/*.yml": "aczechowski",
         "ue-v//**/*.md": "aczechowski",
         "ue-v//**/*.yml": "aczechowski"
       },
-      "ms.author":{
+      "ms.author": {
         "wcd//**/*.md": "aaroncz",
         "wcd//**/*.yml": "aaroncz",
         "ue-v//**/*.md": "aaroncz",
         "ue-v//**/*.yml": "aaroncz"
       },
-      "ms.reviewer":{
+      "ms.reviewer": {
         "kiosk//**/*.md": "sybruckm",
         "start//**/*.md": "ericpapa"
       },
-      "ms.collection":{
+      "ms.collection": {
         "wcd//**/*.md": "must-keep",
         "ue-v//**/*.md": [
           "must-keep",
@@ -112,5 +115,4 @@
     "dest": "win-configuration",
     "markdownEngineName": "markdig"
   }
-}
+}
-

windows/deployment/TOC.yml

@@ -4,7 +4,7 @@
     - name: Get started
       items:
         - name: Windows client deployment scenarios
-          href: windows-10-deployment-scenarios.md
+          href: windows-deployment-scenarios.md
         - name: Quick guide to Windows as a service
           href: update/waas-quick-start.md
         - name: Windows as a service overview
@@ -175,9 +175,9 @@
     - name: Activate
       items:
       - name: Windows subscription activation
-        href: windows-10-subscription-activation.md
+        href: windows-subscription-activation.md
       - name: Windows Enterprise E3 in CSP
-        href: windows-10-enterprise-e3-overview.md
+        href: windows-enterprise-e3-overview.md
       - name: Configure VDA for subscription activation
         href: vda-subscription-activation.md
       - name: Deploy Windows Enterprise licenses

windows/deployment/deploy-enterprise-licenses.md

@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows Enterprise licenses
-description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
+description: Steps to deploy Windows Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
@@ -11,17 +11,18 @@ ms.topic: how-to
 ms.collection:
   - highpri
   - tier2
-appliesto: 
+ms.date: 02/13/2024
-  - ✅ <b>Windows 10</b>
+zone_pivot_groups: windows-versions-11-10
-  - ✅ <b>Windows 11</b>
+appliesto:
-ms.date: 11/14/2023
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Deploy Windows Enterprise licenses
 
-This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Microsoft Entra ID.
+This article describes how to deploy Windows Enterprise E3 or E5 licenses with [subscription activation](windows-subscription-activation.md) or [Enterprise E3 in CSP](windows-enterprise-e3-overview.md) and Microsoft Entra ID.
 
-These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:
+These activation features require a supported and licensed version of Windows Pro:
 
 - Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA).
 - Enterprise E3 in CSP.
@@ -30,9 +31,9 @@ These activation features require a supported and licensed version of Windows 10
 
 ## Enable subscription activation with an existing EA
 
-If you're an EA customer with an existing Microsoft 365 tenant, use the following steps to enable Windows subscription licenses on your existing tenant:
+EA customers with an existing Microsoft 365 tenant can use the following steps to enable Windows subscription licenses on the existing tenant:
 
-1. Work with your reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on your current Windows Enterprise SA license:
+1. Work with the reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on the current Windows Enterprise SA license:
 
     | SKU | Description |
     |---------|---------|
@@ -41,13 +42,14 @@ If you're an EA customer with an existing Microsoft 365 tenant, use the followin
     | **VRM-00001** | `Win OLS Activation User GCC Sub Per User` <!-- 6783128 --> |
 
     > [!NOTE]
-    > As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 -->
+    >
+    > As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. <!-- 6783128 -->
 
-1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses have been provisioned on the tenant.
+1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses is provisioned on the tenant.
 
-1. You can now assign subscription licenses to users.
+1. Subscription licenses can now be assigned to users.
 
-If you need to update contact information and resend the activation email, use the following process:
+To update contact information and resend the activation email, use the following process:
 
 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
 
@@ -55,257 +57,477 @@ If you need to update contact information and resend the activation email, use t
 
 1. Select **Online Services Agreement List**.
 
-1. Enter your agreement number, and then select **Search**.
+1. Enter the agreement number, and then select **Search**.
 
 1. Select the **Service Name**.
 
 1. In the **Subscription Contact** section, select the name listed under **Last Name**.
 
-1. Update the contact information, then select **Update Contact Details**. This action will trigger a new email.
+1. Update the contact information, then select **Update Contact Details**. This action triggers a new email.
 
 ## Preparing for deployment: reviewing requirements
 
-- Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro
+- Devices must be running a supported version of Windows Pro.
 - Microsoft Entra joined, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
 
 For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article.
 
-<a name='active-directory-synchronization-with-azure-ad'></a>
-
 ### Active Directory synchronization with Microsoft Entra ID
 
-If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Microsoft Entra ID. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Microsoft Entra ID. An example of a cloud service is Windows Enterprise E3 or E5.
+If there's an on-premises Active Directory Domain Services (AD DS) domain, identities in the on-premises AD DS domain need to be synchronized with Microsoft Entra ID. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Microsoft Entra ID. An example of a cloud service is Windows Enterprise E3 or E5.
-
-**Figure 1** illustrates the integration between the on-premises AD DS domain with Microsoft Entra ID. Microsoft Entra Connect is responsible for synchronization of identities between the on-premises AD DS domain and Microsoft Entra ID. Microsoft Entra Connect is a service that you can install on-premises or in a virtual machine in Azure.
-
-:::image type="content" source="images/enterprise-e3-ad-connect.png" alt-text="Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD.":::
-
-Figure 1: On-premises AD DS integrated with Microsoft Entra ID
 
 For more information about integrating on-premises AD DS domains with Microsoft Entra ID, see the following resources:
 
+- [Configure Microsoft Entra hybrid join](/entra/identity/devices/how-to-hybrid-join)
 - [What is hybrid identity with Microsoft Entra ID?](/azure/active-directory/hybrid/whatis-hybrid-identity)
 - [Microsoft Entra Connect and Microsoft Entra Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
 
 ## Assigning licenses to users
 
-After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), you'll receive an email with guidance on how to use Windows as an online service:
+After the Windows subscription is ordered, an email is sent with guidance on how to use Windows as an online service. The following methods are available to assign licenses:
 
-:::image type="content" source="images/al01.png" alt-text="An example email from Microsoft to complete your profile after purchasing Online Services through Microsoft Volume Licensing.":::
+- When the required Microsoft Entra subscription is available, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
 
-The following methods are available to assign licenses:
+- Licenses can be manually assigned by signing into the [Microsoft 365 admin center](https://admin.microsoft.com/).
-
+- Licenses can be assigned by uploading a spreadsheet.
-- When you have the required Microsoft Entra subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
+- Licenses can be assigned via [PowerShell](/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell).
-
-- You can sign in to the Microsoft 365 admin center and manually assign licenses:
-
-    :::image type="content" source="images/al02.png" alt-text="A screenshot of the admin center, showing assignment of the Windows 10 Enterprise E3 product license to a specific user.":::
-
-- You can assign licenses by uploading a spreadsheet.
-
-- [How to use PowerShell to automatically assign licenses to your Microsoft 365 users](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx).
-
-> [!TIP]
-> Other solutions may exist from the community. For example, a Microsoft MVP shared the following process: [Assign EMS licenses based on local Active Directory group membership](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/).
 
 ## Explore the upgrade experience
 
-Now that you've established a subscription and assigned licenses to users, you can upgrade devices running supported versions of Windows 10 Pro or Windows 11 Pro to Enterprise edition.
+Now that a subscription is established and licenses are assigned to users, devices running supported versions of Windows Pro can be upgraded to Enterprise edition.
 
-> [!NOTE]
+> [!TIP]
-> The following experiences are specific to Windows 10. The general concepts also apply to Windows 11.
+>
-
+> This upgrade experience walkthrough assumes Autopilot isn't being used. For the Autopilot experience when joining Microsoft Entra ID, see [User-driven Microsoft Entra join: Deploy the device](/autopilot/tutorial/user-driven/azure-ad-join-deploy-device).
-<a name='step-1-join-windows-pro-devices-to-azure-ad'></a>
 
 ### Step 1: Join Windows Pro devices to Microsoft Entra ID
 
-You can join a Windows Pro device to Microsoft Entra ID during setup, the first time the device starts. You can also join a device that's already set up.
+The first time the device starts, a Windows Pro device can join Microsoft Entra ID during setup. Existing devices can also join Microsoft Entra ID.
 
-<a name='join-a-device-to-azure-ad-the-first-time-the-device-is-started'></a>
+#### Join a device to Microsoft Entra ID during OOBE when the device is started for the first time
 
-#### Join a device to Microsoft Entra ID the first time the device is started
+::: zone pivot="windows-11"
 
-1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then select **Next**.
+1. Power on the device for the first time to initiate Windows Setup and the Out of Box experience (OOBE).
 
-    :::image type="content" source="images/enterprise-e3-who-owns.png" alt-text="A screenshot of the 'Who owns this PC?' page in Windows 10 setup.":::
+1. In the **Is this the right country or region?** screen, select the desired country/region and then select the **Yes** button.
 
-    Figure 2: The "Who owns this PC?" page in initial Windows 10 setup.
+1. In the **Is this the right keyboard layout or input method?** screen, select the desired keyboard/input methods and then select the **Yes** button.
 
-1. On the **Choose how you'll connect** page, select **Join Microsoft Entra ID**, and then select **Next**.
+1. In the **Want to add a second keyboard layout?** screen, if desired add additional keyboard/input methods by selecting **Add layout**. Otherwise select the **Skip** button.
 
-    :::image type="content" source="images/enterprise-e3-choose-how.png" alt-text="A screenshot of the 'Choose how you'll connect' page in Windows 10 setup.":::
+1. If no network connection is detected, the **Let's connect you to a network** screen appears. Connect to a wireless or wired network that has Internet access, and then select the **Next** button.
 
-    Figure 3: The "Choose how you'll connect" page in initial Windows 10 setup.
+1. At this point, updates for Windows Setup might be installed. If updates are installed, the device reboots to finish installing the updates.
 
-1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
+1. In Windows 11 Pro editions, the **Let's name your device** screen appears. Give the device a name and then select the **Next** button. After the device is given a name, the device might reboot.
 
-    :::image type="content" source="images/enterprise-e3-lets-get.png" alt-text="A screenshot of the 'Let's get you signed in' page in Windows 10 setup.":::
+1. In Windows 11 Pro editions, the **How would you like to set up this device?** screen appears. Select **Set up for work or school** and then select the **Next** button.
 
-    Figure 4: The "Let's get you signed in" page in initial Windows 10 setup.
+1. In the **Let's set things up for your work or school** screen:
 
-Now the device is Microsoft Entra joined to the organization's subscription.
+    1. In the **someone@example.com** text box under **Sign in**, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
 
-<a name='join-a-device-to-azure-ad-when-the-device-is-already-set-up-with-windows-10-pro'></a>
+    1. In the **Password** text box under **Enter password**, enter the password for the Microsoft Entra user account, and then select the **Sign in** button.
 
-#### Join a device to Microsoft Entra ID when the device is already set up with Windows 10 Pro
+1. The device proceeds with the rest of the Windows setup including configuration of organization specific settings.
+
+1. In the **Choose privacy settings for your device** screen, configure privacy settings as desired, using the **Next** button to go between settings. Once complete, select the **Accept** button.
+
+1. Depending on the device and the configuration of organization specific settings, additional screens might appear. For example, the **Windows Hello** screen might appear.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+1. Power on the device for the first time to initiate Windows Setup and the Out of Box experience (OOBE).
+
+1. In the **Let's start with region. Is this right?** screen, select the desired country/region and then select the **Yes** button.
+
+1. In the **Is this the right keyboard layout?** screen, select the desired keyboard/input methods and then select the **Yes** button.
+
+1. In the **Want to add a second keyboard layout?** screen, if desired add additional keyboard/input methods by selecting the **Add layout** button. Otherwise select the **Skip** button.
+
+1. If no network connection is detected, the **Let's connect you to a network** screen appears. Connect to a wireless or wired network that has Internet access, and then select the **Next** button.
+
+1. At this point, updates for Windows Setup might be installed. If updates are installed, the device reboots to finish installing the updates.
+
+1. In Windows 10 Pro editions, the **How would you like to set up?** screen appears. Select **Set up for an organization** and then select the **Next** button.
+
+1. In the **Sign in with Microsoft** screen, in the **someone@example.com** text box, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
+
+1. In the **Enter your password** screen, in the **Password** text box, enter the password for the Microsoft Entra user account, and then select the **Next** button.
+
+1. The device proceeds with the rest of the Windows setup including configuration of organization specific settings.
+
+1. In the **Choose privacy settings for your device** screen, configure privacy settings as desired. Once complete, select the **Accept** button.
+
+1. Depending on the device and the configuration of organization specific settings, additional screens might appear. For example, the **Windows Hello** screen might appear.
+
+::: zone-end
+
+Once Windows Setup finishes, the user is automatically signed in and the device is Microsoft Entra joined to the organization's subscription.
+
+#### Join a device to Microsoft Entra ID when the device is already set up with Windows
 
 > [!IMPORTANT]
-> Make sure that the user you're signing in with is _not_ the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
+>
+> Make sure that the user signing in isn't the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
 
-1. Go to **Settings**, select **Accounts**, and select **Access work or school**.
+Open the **Accounts** > **Access work or school** pane in the **Settings** app by selecting the following link:
 
-    :::image type="content" source="images/enterprise-e3-connect-to-work-or-school.png" alt-text="A screenshot of the 'Connect to work or school' settings page.":::
+> [!div class="nextstepaction"]
+> [Access work or school](ms-settings:workplace)
 
-    Figure 5: "Connect to work or school" configuration in Settings.
+or
 
-1. In **Set up a work or school account**, select **Join this device to Microsoft Entra ID**.
+1. Right-click on the **Start** menu and select **Run**.
 
-    :::image type="content" source="images/enterprise-e3-set-up-work-or-school.png" alt-text="A screenshot of the 'Set up a work or school account' wizard.":::
+1. In the **Run** window, next to **Open:**, enter:
 
-    Figure 6: Set up a work or school account.
+   ```console
+   ms-settings:workplace
+   ```
 
-1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
+   and then select **OK**.
 
-    :::image type="content" source="images/enterprise-e3-lets-get-2.png" alt-text="A screenshot of the 'Let's get you signed in' window.":::
+or
 
-    Figure 7: The "Let's get you signed in" window.
+::: zone pivot="windows-11"
 
-Now the device is Microsoft Entra joined to the organization's subscription.
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the **Settings** app, select **Accounts** in the left hand pane.
+
+1. In the **Accounts** pane, select **Access work or school**.
+
+Once the **Accounts > Access work or school** pane is open:
+
+1. In the **Accounts > Access work or school** pane, next to **Add a work or school account**, select the **Connect** button.
+
+1. In the **Microsoft account** window that opens:
+
+    1. In the **Set up a work or school account** page, under **Alternate actions:**, select **Join this device to Microsoft Entra ID**.
+
+    1. In the **Email or phone** text box of the **Sign in** page, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
+
+    1. In the **Password** text box of the **Enter password** page, enter the password for the Microsoft Entra user account, and then select the **Sign in** button.
+
+    1. When the **Make sure this is your organization** window opens, confirm the information is correct and then select the **Join** button.
+
+    1. The device joins the organization's Microsoft Entra ID subscription. Once complete, the **You're all set!** page is displayed. Select the **Done** button to complete the process.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the **Settings** app, select **Accounts**.
+
+1. In the left hand pane, select **Access work or school**.
+
+Once the **Access work or school** pane is open:
+
+1. In the **Access work or school** pane, select the **+** button next to **Connect**.
+
+1. In the **Microsoft account** window that opens:
+
+    1. In the **Set up a work or school account** page, under **Alternate actions:**, select **Join this device to Microsoft Entra ID**.
+
+    1. In the **Email or phone** text box of the **Sign in** page, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
+
+    1. In the **Password** text box of the **Enter password** page, enter the password for the Microsoft Entra user account, and then select the **Sign in** button.
+
+    1. When the **Make sure this is your organization** window opens, confirm the information is correct and then select the **Join** button.
+
+    1. The device joins the organization's Microsoft Entra subscription. Once complete, the **You're all set!** page is displayed. Select the **Done** button to complete the process.
+
+::: zone-end
+
+The device is now Microsoft Entra joined to the organization's subscription.
 
 ### Step 2: Pro edition activation
 
-If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key.
+Windows Pro has to be activated on the device. However, if the device is running a currently supported version of Windows, most modern devices automatically activates Windows Pro edition using the firmware-embedded activation key.
-
-<a name='step-3-sign-in-using-azure-ad-account'></a>
 
 ### Step 3: Sign in using Microsoft Entra account
 
-Once the device is joined to Microsoft Entra ID, users will sign in with their Microsoft Entra account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
+Once the device is joined to Microsoft Entra ID and Windows Setup/OOBE completes, the user signs in with their Microsoft Entra account. Once the user signs in with their Microsoft Entra account, the Windows Enterprise E3 or E5 license associated with the user enables Windows Enterprise edition capabilities on the device.
-
-:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as a Microsoft Entra user.":::
-
-Figure 8: Sign in to Windows 10 with a Microsoft Entra account.
 
 ### Step 4: Verify that Enterprise edition is enabled
 
-To verify the Windows Enterprise E3 or E5 subscription, go to **Settings**, select **Update & Security**, and select **Activation**.
+To verify the Windows Enterprise E3 or E5 subscription:
 
-:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of verifying Windows 10 Enterprise activation in Settings.":::
+Open the **Activation** pane in the **Settings** app by selecting the following link:
 
-Figure 9: Verify Windows 10 Enterprise subscription in Settings.
+> [!div class="nextstepaction"]
+> [Activation](ms-settings:activation)
 
-If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
+or
 
-> [!NOTE]
+1. Right-click on the **Start** menu and select **Run**.
-> If you use the `slmgr /dli` or `slmgr /dlv` commands to get the activation information for the E3 or E5 license, the license information displayed will be similar to the following output:
+
->
+1. In the **Run** window, next to **Open:**, enter:
-> ```console
+
-> Name: Windows(R), Professional edition
+   ```console
-> Description: Windows(R) Operating System, RETAIL channel
+   ms-settings:activation
-> Partial Product Key: 3V66T
+   ```
-> ```
+
+   and then select **OK**.
+
+or
+
+::: zone pivot="windows-11"
+
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the **Settings** app, select **System** in the left hand pane.
+
+1. In the **System** pane, **Activation**.
+
+Once the **System > Activation** pane is open:
+
+1. In the **System > Activation** pane, expand **Activation state** and **Subscription** to see full details of the activation state and status:
+
+    1. Under **Activation state**, verify that Windows is activated. It should display the message:
+
+      `Windows is activated with a digital license`
+
+    1. Under **Subscription**, verify that the Windows 11 Enterprise subscription is active. It should display the message:
+
+      `Windows 11 Enterprise subscription is active`
+
+      > [!NOTE]
+      >
+      > If the Windows Enterprise subscription hasn't yet been applied, the **Subscription** pane isn't displayed.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the **Settings** app, select **Update & Security**.
+
+1. In the left hand pane, select **Activation**.
+
+Once the **Activation** pane is open:
+
+1. In the **Activation** pane:
+
+    1. Next to **Subscription**, verify that the Windows 10 Enterprise subscription is active. It should display the message:
+
+      `Windows Enterprise 10 subscription is active`
+
+      > [!NOTE]
+      >
+      > If the Windows Enterprise subscription hasn't yet been applied, the **Subscription** field isn't displayed.
+
+    1. Next to **Activation**, verify that Windows is activated. It should display the message:
+
+      `Windows is activated with a digital license`
+
+::: zone-end
+
+A device is healthy when both the subscription and activation are active. If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** pane displays the appropriate error message or status. This information can be used to help diagnose the licensing and activation process.
+
+#### Verify that Enterprise edition is enabled with slmgr
+
+**Slmgr** can also be used to verify the activation information:
+
+1. Open a command prompt.
+
+1. To get basic licensing information, run the following command at the command prompt:
+
+  ```cmd
+  slmgr /dli
+  ```
+
+  A window with output similar to the following opens:
+
+  ```console
+  Name: Windows(R), Professional edition
+  Description: Windows(R) Operating System, RETAIL channel
+  Partial Product Key: 3V66T
+  License Status: Licensed
+  ```
+
+  To instead get detailed licensing information, run the following command:
+
+  ```cmd
+  slmgr /dlv
+  ```
+
+For more information on **Slmgr**, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
 
 ## Troubleshoot the user experience
 
-In some instances, users may experience problems with the Windows Enterprise E3 or E5 subscription. The most common problems that users may experience are the following issues:
+In some instances, users might experience problems with activation of the Windows Enterprise E3 or E5 subscription. The most common problems that users might experience are the following issues:
 
-- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
+- The Windows Enterprise E3 or E5 subscription has lapsed, was removed, or isn't applied.
-- An earlier version of Windows 10 Pro isn't activated. For example, Windows 10, versions 1703 or 1709.
+- Windows Pro was never activated.
 
-### Troubleshoot common problems in the Activation pane
+When there are problems with Windows Enterprise E3 or E5 subscription activation, the following are errors can occur in the [Activation](ms-settings:activation) pane:
 
-Use the following figures to help you troubleshoot when users experience common problems:
+- **Windows Pro isn't activated**
 
-#### Device in healthy state
+  When Windows Pro isn't activated on a device, the following message is displayed for **Activation** in the [Activation](ms-settings:activation) pane:
 
-The following image illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
+  `Windows is not activated`
 
-:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's healthy and successfully activated.":::
+  Additionally, the following message might be displayed:
 
-#### Device that's not activated with active subscription
+  `We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034.`
 
-Figure 10 illustrates a device on which the Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
+  Examples where this problem can occur include:
 
-:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that isn't activated but the subscription is active.":::
+  - The device doesn't have a firmware-embedded activation key.
+  - The starting edition of Windows wasn't Windows Pro. For example, the starting edition of Windows was Windows Home.
 
-Figure 10: Windows 10 Pro, version 1703 edition not activated in Settings.
+  In these cases, a Windows Pro key might need to be manually entered.
 
-It displays the following error: "We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034."
+- **Windows Enterprise subscription isn't active**
 
-#### Device that's activated without an Enterprise subscription
+  When a device with a Windows Enterprise subscription has lapsed or has been removed, the following message is displayed for **Subscription** in the [Activation](ms-settings:activation) pane:
 
-Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
+  `Windows Enterprise subscription isn't valid.`
 
-:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's activated but the subscription isn't active.":::
+  ::: zone pivot="windows-11"
 
-Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings.
+  > [!NOTE]
+  >
+  > If the Windows Enterprise subscription has never been applied, the **Subscription** pane isn't displayed.
 
-It displays the following error: "Windows 10 Enterprise subscription isn't valid."
+  ::: zone-end
 
-#### Device that's not activated and without an Enterprise subscription
+  ::: zone pivot="windows-10"
 
-Figure 12 illustrates a device on which the Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed.
+  > [!NOTE]
+  >
+  > If the Windows Enterprise subscription has never been applied, the **Subscription** field isn't displayed.
 
-:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's not activated and the subscription isn't active.":::
+  ::: zone-end
-
-Figure 12: Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings.
-
-It displays both of the previously mentioned error messages.
 
 ### Review requirements on devices
 
-Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don't support this feature.
+When there are Windows Enterprise E3 or E5 license activation issues on a device, verify that it meets all of the requirements:
 
-Devices must also be joined to Microsoft Entra ID, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
+- Devices must be running a currently supported version of Windows Pro. Versions of Windows Pro that are out support don't support this feature.
 
-Use the following procedures to review whether a particular device meets these requirements.
+- Devices must be joined to Microsoft Entra ID, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible.
 
-#### Firmware-embedded activation key
+- For automatic activation of Windows Pro, the device must have a firmware-embedded activation key.
 
-To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt:
+Use the following guides to verify each one of these requirements:
 
-```powershell
+- **Determine if the version of Windows is currently supported**.
-(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
-```
 
-If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
+  To determine if the version of Windows is currently supported:
 
-<a name='determine-if-a-device-is-azure-ad-joined'></a>
+  1. Open a command prompt
 
-#### Determine if a device is Microsoft Entra joined
+  1. In the command prompt window, enter:
 
-1. Open a command prompt and enter `dsregcmd /status`.
+      ```cmd
+      winver.exe
+      ```
 
-1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Microsoft Entra ID.
+  1. The **About Windows** window opens and displays both the OS version and the build information of Windows.
 
-#### Determine the version of Windows
+  1. Compare the information from the **About Windows** window against the Windows support lifecycle:
 
-1. Open a command prompt and enter `winver`.
+      - [Windows 11 release information](/windows/release-health/windows11-release-information).
+      - [Windows 10 release information](/windows/release-health/release-information).
 
-1. The **About Windows** window displays the OS version and build information.
+- **Determine if a device is Microsoft Entra joined**.
 
-1. Compare this information again the Windows support lifecycle:
+  To determine if a device is Microsoft Entra joined:
 
-    - [Windows 10 release information](/windows/release-health/release-information)
+  1. Open a command prompt.
-    - [Windows 11 release information](/windows/release-health/windows11-release-information)
 
-> [!NOTE]
+  1. In the command prompt window, enter:
-> If a device is running a version of Windows 10 Pro prior to version 1703, it won't upgrade to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
 
-### Delay in the activation of Enterprise license of Windows 10
+      ```cmd
+      dsregcmd.exe /status
+      ```
 
-This delay is by design. Windows 10 and Windows 11 include a built-in cache that's used when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
+  1. Review the output. Under the first section called **Device State**, verify that the value of **AzureAdJoined** is **YES**. If the value is **YES**,  the device is joined to Microsoft Entra ID.
+
+      ```console
+      +----------------------------------------------------------------------+
+      | Device State                                                         |
+      +----------------------------------------------------------------------+
+
+               AzureAdJoined : YES
+            EnterpriseJoined : NO
+                DomainJoined : NO
+             Virtual Desktop : NOT SET
+                 Device Name : Demo-PC
+      ```
+
+- **Determine if devices has a firmware-embedded activation key**.
+
+  To determine if the device has a firmware-embedded activation key:
+
+  1. Open an elevated Windows PowerShell command prompt.
+
+  1. In the elevated Windows PowerShell command prompt, enter:
+
+      ```powershell
+      (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
+      ```
+
+  1. If the device has a firmware-embedded activation key, the key is displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most modern OEM-provided devices designed to run currently supported versions of Windows have a firmware-embedded key.
+
+- **Make sure the Microsoft Entra user has been assigned a license**.
+
+  For more information, see [Assigning licenses to users](#assigning-licenses-to-users).
 
 ## Known issues
 
-If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. To work around this issue:
+- If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. Make sure that Windows Update isn't blocked on the device:
 
-- Make sure that the device doesn't have the following registry value: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations = 1 (REG_DWORD)`. If this registry value exists, it must be set to `0`.
+  - Using `gpedit.msc` or group policy editor in the domain, make sure that the following group policy setting is set to **Disabled** or **Not Configured**:
 
-- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Don't connect to any Windows Update Internet locations.
+    ::: zone pivot="windows-11"
+
+    **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage updates offered from Windows Server Update Service** > **Do not connect to any Windows Update Internet locations**
+
+    ::: zone-end
+
+    ::: zone pivot="windows-10"
+
+    **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**
+
+    ::: zone-end
+
+    If this policy is set to **Enabled**, it must be changed to **Disabled** or **Not Configured**.
+
+  - In the following registry key:
+
+    `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`
+
+    check if the value `DoNotConnectToWindowsUpdateInternetLocations` exists. If the value does exist, verify that it has a REG_DWORD value of  `0`. If the value is instead set to `1`, it must be changed to `0`. The value can be changed by running the following command from an elevated command prompt:
+
+    ```cmd
+    reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DoNotConnectToWindowsUpdateInternetLocations /t REG_DWORD /d 1 /f
+    ```
+
+    > [!NOTE]
+    >
+    > Make sure to first check the group policy of **Do not connect to any Windows Update Internet locations**. If the policy is **Enabled**, then this registry key will eventually be reset back to `1` even after it's manually set to `0` via `reg.exe`. Setting the policy of **Do not connect to any Windows Update Internet locations** to **Disabled** or **Not Configured** will make sure the registry value remains as `0`.
+
+- Delay in the activation of Enterprise license of Windows.
+
+  There might be a delay in the activation of the Enterprise license in Windows. This delay is by design. Windows uses a built-in cache when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
 
 ## Virtual Desktop Access (VDA)
 
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster.
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant host.
 
 Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
+
+## Related articles
+
+- [MDM enrollment of Windows devices](/windows/client-management/mdm-enrollment-of-windows-devices).

windows/deployment/deploy-m365.md

@@ -1,75 +1,55 @@
 ---
-title: Deploy Windows 10 with Microsoft 365
+title: Deploy Windows with Microsoft 365
 manager: aaroncz
 ms.author: frankroj
-description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
+description: Learn about deploying Windows with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
 ms.service: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.date: 11/23/2022
+ms.date: 02/13/2024
 ms.subservice: itpro-deploy
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
-# Deploy Windows 10 with Microsoft 365
+# Deploy Windows with Microsoft 365
-
-*Applies to:*
-
-- Windows 10
 
 This article provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
 
-[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) for an overview.
+[Microsoft 365](https://www.microsoft.com/microsoft-365) is an offering from Microsoft that combines [Windows](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/security/business) (EMS). See the [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) for an overview.
 
-For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
+For Windows deployment, Microsoft 365 includes a deployment advisor that walks through the entire process of deploying Windows. The wizard supports multiple Windows deployment methods, including:
 
-- Windows Autopilot
+- Windows Autopilot.
-- In-place upgrade
+- In-place upgrade.
-- Deploying Windows 10 upgrade with Intune
+- Deploying Windows upgrade with Intune.
-- Deploying Windows 10 upgrade with Microsoft Configuration Manager
+- Deploying Windows upgrade with Microsoft Configuration Manager.
-- Deploying a computer refresh with Microsoft Configuration Manager
+- Deploying a computer refresh with Microsoft Configuration Manager.
 
 ## Free trial account
 
-### If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center
+If an existing Microsoft services subscription account exists, and there's access to the Microsoft 365 Admin Center:
 
-From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
+1. Sign into the [Microsoft 365 Admin Center](https://admin.microsoft.com/).
-In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles.
+1. Go to **Billing** and then **Purchase services**.
-There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
+1. In the Enterprise Suites section of the service offerings, find the Microsoft 365 E3 and Microsoft 365 E5 tiles.
+1. Select one of the available **Start Free Trial** options.
 
-### If you do not already have a Microsoft services subscription
+If there isn't an existing Microsoft services subscription, Microsoft 365 deployment advisor and other resources can be tried for free! Just follow these steps:
 
-You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
+1. [Obtain a free Microsoft 365 trial](https://www.microsoft.com/microsoft-365/try).
+1. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide).
 
 > [!NOTE]
-> If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
+>
-
+> When setup guide runs for the first time, the **Prepare your environment** guide appears. This guide makes sure the basics are covered like domain verification and a method for adding users. At the end of the **Prepare your environment** guide, there's a **Ready to continue** button that goes back to the original guide that was selected.
-1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365).
-2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide).
-3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview).
-
-Examples of these two deployment advisors are shown below.
-
-- [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365)
-  - [Free trial account](#free-trial-account)
-    - [If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center](#if-you-already-have-a-microsoft-services-subscription-account-and-access-to-the-microsoft-365-admin-center)
-    - [If you do not already have a Microsoft services subscription](#if-you-do-not-already-have-a-microsoft-services-subscription)
-  - [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
-  - [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
-  - [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster)
-  - [Related articles](#related-articles)
-
-## Microsoft 365 deployment advisor example
-
-![Microsoft 365 deployment advisor.](images/m365da.png)
-
-## Windows Analytics deployment advisor example
 
 ## Microsoft 365 Enterprise poster
 
-[![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter)
+Select [Microsoft 365 Enterprise poster](https://aka.ms/m365eposter) to see the latest version of the Microsoft 365 Enterprise poster.
 
 ## Related articles
 
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)<br>
+- [Windows deployment scenarios](windows-deployment-scenarios.md).
-[Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home)

windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md

@@ -154,5 +154,5 @@ On **PC0004**:
 
 ## Related articles
 
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
+- [Windows 10 deployment scenarios](../windows-deployment-scenarios.md).
-[Configuration Manager Team blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/bg-p/ConfigurationManagerBlog)
+- [Configuration Manager Team blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/bg-p/ConfigurationManagerBlog).

windows/deployment/do/delivery-optimization-proxy.md

@@ -10,7 +10,7 @@ manager: aaroncz
 ms.reviewer: mstewart
 ms.collection: tier3
 ms.localizationpriority: medium
-appliesto: 
+appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
@@ -21,11 +21,11 @@ ms.date: 06/02/2023
 
 When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
 
-Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.  
+Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.
 
 For downloads that use Delivery Optimization to successfully use the proxy, you should set the proxy via Windows **Proxy Settings** or the Internet Explorer proxy settings.
 
-Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required.
+Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the "NetworkService" context if proxy authentication is required.
 
 > [!NOTE]
 > We don't recommend that you use `netsh winhttp set proxy ProxyServerName:PortNumber`. Using this offers no auto-detection of the proxy, no support for an explicit PAC URL, and no authentication to the proxy. This setting is ignored by WinHTTP for requests that use auto-discovery (if an interactive user token is used).

windows/deployment/do/delivery-optimization-test.md

@@ -10,9 +10,9 @@ ms.reviewer: mstewart
 manager: aaroncz
 ms.collection: tier3
 ms.localizationpriority: medium
-appliesto: 
+appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
 ms.date: 11/08/2022
 ---
@@ -21,42 +21,48 @@ ms.date: 11/08/2022
 
 ## Overview
 
-Delivery Optimization is a powerful and useful tool to help enterprises manage bandwidth usage for downloading Microsoft content. It's a solution designed to be used in large-scale environments with large numbers of devices, various content sizes, etc. Delivery Optimization is native to Win10+ and provides default configuration to get the most out of the typical customer environment. It's used to deliver many different types of content, so Microsoft customers enjoy the best possible download experience for their environment. There are three components to Delivery Optimization, 1) HTTP downloader, 2) Peer-to-peer (P2P) cloud technology, and 3) Microsoft Connected Cache. One of the most powerful advantages of using Delivery Optimization is the ability to fine-tune settings that empower users to dial in Microsoft content delivery to meet the needs of specific environments.
+Delivery Optimization is a powerful and useful tool to help enterprises manage bandwidth usage for downloading Microsoft content. It's a solution designed to be used in large-scale environments with large numbers of devices, various content sizes, etc. Delivery Optimization is native to currently supported versions of Windows and provides default configuration to get the most out of the typical customer environment. Delivery Optimization is used to deliver many different types of content, so Microsoft customers enjoy the best possible download experience for their environment. There are three components to Delivery Optimization:
+
+1. HTTP downloader.
+1. Peer-to-peer (P2P) cloud technology.
+1. Microsoft Connected Cache.
+
+One of the most powerful advantages of using Delivery Optimization is the ability to fine-tune settings that empower users to dial in Microsoft content delivery to meet the needs of specific environments.
 
 ## Monitoring The Results
 
-Since Delivery Optimization is on by default, you'll be able to monitor the value either through the Windows Settings for ‘Delivery Optimization’, using Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md), and/or via the [Windows Update for Business Report.](../update/wufb-reports-workbook.md) experience in Azure.
+Since Delivery Optimization is on by default, you're able to monitor the value either through the Windows Settings for 'Delivery Optimization' using Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md), and/or via the [Windows Update for Business Report](../update/wufb-reports-workbook.md) experience in Azure.
 
-In the case where Delivery Optimization isn't working in your environment, it's important to investigate to get to the root of the problem. We recommend a test environment be created to easily evaluate typical devices to ensure Delivery Optimization is working properly. For starters, ‘Scenario 1: Basic Setup’ should be created to test the use of Delivery Optimization between two machines. This scenario is designed to eliminate any noise in the environment to ensure there's nothing preventing Delivery Optimization from working on the devices. Once you have a baseline, you can expand the test environment for more sophisticated tests.
+In the case where Delivery Optimization isn't working in your environment, it's important to investigate to get to the root of the problem. We recommend a test environment be created to easily evaluate typical devices to ensure Delivery Optimization is working properly. For starters, 'Scenario 1: Basic Setup' should be created to test the use of Delivery Optimization between two machines. This scenario is designed to eliminate any noise in the environment to ensure there's nothing preventing Delivery Optimization from working on the devices. Once you have a baseline, you can expand the test environment for more sophisticated tests.
 
 ## Expectations and Goals
 
-The focus of the testing scenarios in this article is primarily centered on demonstrating the Delivery Optimization policies centered around the successful downloading of bytes using P2P. More specifically, the goal will be to show peer to peer is working as expected, using the following criteria:
+The focus of the testing scenarios in this article is primarily centered on demonstrating the Delivery Optimization policies centered around the successful downloading of bytes using P2P. More specifically, the goal is to show peer to peer is working as expected, using the following criteria:
 
-* Peers can find each other (for example on the same LAN / subnet / Group – matching your 'Download Mode' policy).
+* Peers can find each other (for example on the same LAN / subnet / Group - matching your 'Download Mode' policy).
 * Files are downloading in the expected 'Download Mode' policy setting (validates connectivity to DO cloud, HTTP, and local configs).
 * At least some downloads happening via P2P (validates connectivity between peers).
 
 Several elements that influence overall peering, using Delivery Optimization. The most common, impactful environment factors should be considered.
 
-* **The number of files in the cache and** **the** **number of devices have a big effect on overall peering.** There's a set number of files available for peering at a time, from each client, so the peering device may not be serving a particular file.
+* **The number of files in the cache and** **the** **number of devices have a big effect on overall peering.** There's a set number of files available for peering at a time, from each client, so the peering device might not be serving a particular file.
 * **File size** **and** **internet connection** **reliability matter.** There's a Delivery Optimization setting to determine the minimum file size to use P2P. In addition, an internet connection must be open and reliable enough to let the Delivery Optimization client make cloud service API calls and download metadata files before starting a file download.
 * **Delivery Optimization Policies can play a role.** In general, it's important to familiarize yourself with the Delivery Optimization settings and defaults [Delivery Optimization reference - Windows Deployment | Microsoft Docs.](waas-delivery-optimization-reference.md).
 
 ### Delivery Optimization is a Hybrid P2P Platform
 
-* Delivery Optimization’s hybrid approach to downloading from multiple sources (HTTP and peer) in parallel is especially critical for large-scale environments, constantly assessing the optimal source from which to deliver the content. In conjunction, the distribution of content cache, across participating devices, contributes to Delivery Optimization’s ability to find bandwidth savings as more peers become available.
+* Delivery Optimization's hybrid approach to downloading from multiple sources (HTTP and peer) in parallel is especially critical for large-scale environments, constantly assessing the optimal source from which to deliver the content. In conjunction, the distribution of content cache, across participating devices, contributes to Delivery Optimization's ability to find bandwidth savings as more peers become available.
 
-* At the point a download is initiated, the DO client starts downloading from the HTTP source and discovering peers simultaneously. With a smaller file, most of the bytes could be downloaded from an HTTP source before connecting to a peer, even though peers are available. With a larger file and quality LAN peers, it might reduce the HTTP request rate to near zero, but only after making those initial requests from HTTP.
+* At the point a download is initiated, the Delivery Optimization client starts downloading from the HTTP source and discovering peers simultaneously. With a smaller file, most of the bytes could be downloaded from an HTTP source before connecting to a peer, even though peers are available. With a larger file and quality LAN peers, it might reduce the HTTP request rate to near zero, but only after making those initial requests from HTTP.
 
-* In the next section, you'll see how the two testing scenarios produce differing results in the number of bytes coming from HTTP vs. peers, which shows Delivery Optimization continuously evaluating the optimal location from which to download the content.
+* In the next section, you'll see how the two testing scenarios produce differing results in the number of bytes coming from HTTP vs. peers. These scenarios show Delivery Optimization continuously evaluating the optimal location from which to download the content.
 
 ## Test Scenarios
 
 ### Scenario 1: Basic Setup
 
 **Goal:**
-Demonstrate how Delivery Optimization peer-to-peer technology works using two machines in a controlled test environment
+Demonstrate how Delivery Optimization peer-to-peer technology works using two machines in a controlled test environment.
 
 **Expected Results:**
 Machine 1 will download zero bytes from peers and Machine 2 will download 50-99% from peers.
@@ -72,9 +78,9 @@ Machine 1 will download zero bytes from peers and Machine 2 will download 50-99%
 |Disk size | 127 GB |
 |Network | Connected to same network, one that is representative of the corporate network. |
 |Pause Windows Updates | This controls the test environment so no other content is made available during the test, and potentially altering the outcome of the test. If there are problems and no peering happens, use 'Get-DeliveryOptimizationStatus' on the first machine to return a real-time list of the connected peers. |
-|Ensure all Store apps are up to date | This will help prevent any new, unexpected updates to download during testing. |
+|Ensure all Store apps are up to date | This helps prevent any new, unexpected updates to download during testing. |
 |Delivery Optimization 'Download Mode' Policy | 2 (Group)(set on each machine) |
-|Delivery Optimization 'GroupID' Policy | Set the *same* 'GUID' on each test machine. A GUID is a required value, which can be generated using PowerShell, ‘[[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)’. |
+|Delivery Optimization 'GroupID' Policy | Set the *same* 'GUID' on each test machine. A GUID is a required value, which can be generated using PowerShell, '[[guid]::NewGuid().](https://devblogs.microsoft.com/scripting/powertip-create-a-new-guid-by-using-powershell/)'. |
 |**Required on Windows 11 devices only** set Delivery Optimization 'Restrict Peer Selection' policy | 0-NAT (set on each machine). The default behavior in Windows 11 is set to '2-Local Peer Discovery'. For testing purposes, this needs to be scoped to the NAT. |
 
 #### Test Instructions
@@ -126,7 +132,7 @@ Machine 1 will download zero bytes from peers and Machine 2 will find peers and
 |Disk size | 127 GB |
 |Network | Connected to same network, one that is representative of the corporate network. |
 |Delivery Optimization 'Download Mode' Policy| 2 (Group)(set on each machine) |
-|Delivery Optimization 'Group ID' Policy| Set the *same* 'GUID' on each test machine. A GUID is required value, which can be generated using PowerShell, '[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)'. |
+|Delivery Optimization 'Group ID' Policy| Set the *same* 'GUID' on each test machine. A GUID is required value, which can be generated using PowerShell, '[guid]::NewGuid().](https://devblogs.microsoft.com/scripting/powertip-create-a-new-guid-by-using-powershell/)'. |
 |Delivery Optimization 'Delay background download from http' Policy | 60 (set on each machine) |
 |Delivery Optimization 'Delay foreground download from http Policy |60 (set on each machine) |
 
@@ -134,13 +140,13 @@ Machine 1 will download zero bytes from peers and Machine 2 will find peers and
 
 The following set of instructions will be used for each machine:
 
-1. Clear the DO cache: ‘Delete-DeliveryOptimizationCache’.
+1. Clear the DO cache: 'Delete-DeliveryOptimizationCache'.
 2. Open MS Store and search for 'Asphalt Legends 9'. Select *Get* to initiate the download of the content (content size: ~3.4 GB).
 3. Open PowerShell console as Administrator. Run 'Get-DeliveryOptimizationStatus'.
 
 **On machine #1:**
 
-* Run ‘Test Instructions’
+* Run 'Test Instructions'
 
 **Output: Windows 10 (21H2)**
 
@@ -149,14 +155,14 @@ The following set of instructions will be used for each machine:
 **Observations**
 
 * The first download in the group of devices shows all bytes coming from HTTP, 'BytesFromHttp'.
-* Download is in the ‘Foreground’ because the Store app is doing the download and in the foreground on the device because it is initiated by the user in the Store app.
+* Download is in the 'Foreground' because the Store app is doing the download and in the foreground on the device because it's initiated by the user in the Store app.
 * No peers are found.
 
 *Wait 5 minutes*.
 
 **On machine #2:**
 
-* Run ‘Test Instructions’
+* Run 'Test Instructions'
 
 **Output** Windows 10 (21H2)
 
@@ -171,7 +177,7 @@ The following set of instructions will be used for each machine:
 
 **On machine #3:**
 
-* Run ‘Test Instructions’
+* Run 'Test Instructions'
 
 **Output:** Windows 10 (21H2)
 
@@ -185,8 +191,8 @@ The following set of instructions will be used for each machine:
 
 ## Peer sourcing observations for all machines in the test group
 
-The distributed nature of the Delivery Optimization technology is obvious when you rerun the ‘Get-DeliveryOptimizationStatus’ cmdlet on each of the test machines. For each, there's a new value populated for the ‘BytesToLanPeers’ field. This demonstrates that as more peers become available, the requests to download bytes are distributed across the peering group and act as the source for the peering content. Each peer plays a role in servicing the other.
+The distributed nature of the Delivery Optimization technology is obvious when you rerun the 'Get-DeliveryOptimizationStatus' cmdlet on each of the test machines. For each, there's a new value populated for the 'BytesToLanPeers' field. This test demonstrates that as more peers become available, the requests to download bytes are distributed across the peering group and act as the source for the peering content. Each peer plays a role in servicing the other.
-  
+
 **Output:** Machine 1
 
 'BytesToPeers' sourced from Machine 1 are '5704426044'. This represents the total number of bytes downloaded by the two peers in the group.
@@ -207,8 +213,8 @@ The distributed nature of the Delivery Optimization technology is obvious when y
 
 ## Conclusion
 
-Using Delivery Optimization can help make a big impact in customer environments to optimize bandwidth. The peer-to-peer technology offers many configurations designed to be flexible for any organization. Delivery Optimization uses a distributed cache across different sources to ensure the most optimal download experience, while limiting the resources used on each device.
+Using Delivery Optimization can help make a significant impact in customer environments to optimize bandwidth. The peer-to-peer technology offers many configurations designed to be flexible for any organization. Delivery Optimization uses a distributed cache across different sources to ensure the most optimal download experience, while limiting the resources used on each device.
 
 The testing scenarios found in this document help to show a controlled test environment, helping to prevent updates from interrupting the peering results. The other, a more real-world case, demonstrates how content available across peers will be used as the source of the content.
 
-If there are issues found while testing, the Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md) can be a helpful tool to help explain what is happening in the environment.
+If there are issues found while testing, the Delivery Optimization PowerShell [cmdlets](waas-delivery-optimization-setup.md) can be a helpful tool to help explain what is happening in the environment.

windows/deployment/do/waas-delivery-optimization-faq.yml

@@ -15,19 +15,66 @@ metadata:
   appliesto: 
     - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
     - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+    - ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a>
     - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>	
-  ms.date: 07/31/2023
+  ms.date: 02/16/2024
-title: Delivery Optimization Frequently Asked Questions
+title: Frequently Asked Questions about Delivery Optimization
 summary: |
-  Frequently Asked Questions for Delivery Optimization
+  This article answers frequently asked questions about Delivery Optimization.
-  
 
-sections:
+  **General questions**:
-  - name: Ignored
+
+  - [What Delivery Optimization settings are available?](#what-delivery-optimization-settings-are-available) 
+  - [Does Delivery Optimization work with WSUS?](#does-delivery-optimization-work-with-wsus)
+  - [How are downloads initiated by Delivery Optimization?](#how-are-downloads-initiated-by-delivery-optimization)
+  - [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected)
+  - [How do I turn off Delivery Optimization?](#how-do-i-turn-off-delivery-optimization)
+
+  **Network related configuration questions**:
+ 
+  - [Which ports does Delivery Optimization use?](#which-ports-does-delivery-optimization-use)
+  - [What are the requirements if I use a proxy?](#what-are-the-requirements-if-i-use-a-proxy)
+  - [What hostnames should I allow through my firewall to support Delivery Optimization?](#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization)
+  - [My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?How do I configure it to download content with Delivery Optimization?](#my-firewall-requires-ip-addresses-and-can-t-process-fqdns--how-do-i-configure-it-to-download-content-with-delivery-optimization)
+  - [What is the recommended configuration for Delivery Optimization used with cloud proxies?](#what-is-the-recommended-configuration-for-delivery-optimization-used-with-cloud-proxies)
+ 
+   **Peer-to-Peer related questions**: 
+
+  - [How does Delivery Optimization determine which content is available for peering?](#how-does-delivery-optimization-determine-which-content-is-available-for-peering)
+  - [Does Delivery Optimization use multicast?](#does-delivery-optimization-use-multicast)
+  - [How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?](#how-does-delivery-optimization-deal-with-congestion-on-the-router-from-peer-to-peer-activity-on-the-lan)
+  - [How does Delivery Optimization handle VPNs?](#how-does-delivery-optimization-handle-vpns)
+  - [How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?](#how-does-delivery-optimization-handle-networks-where-a-public-ip-address-is-used-in-place-of-a-private-ip-address)
+
+  **Device resources questions**: 
+  - [Delivery Optimization is using device resources and I can't tell why?](#delivery-optimization-is-using-device-resources-and-i-can-t-tell-why)
+  
+sections: 
+  - name: General questions
     questions:
+      - question: What Delivery Optimization settings are available?
+        answer: |
+          There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with controls on bandwidth, time of day, etc. 
       - question: Does Delivery Optimization work with WSUS?
-        answer: Yes. Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
+        answer: |
-          
+         Yes. Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
+      - question: How are downloads initiated by Delivery Optimization?
+        answer: |
+          Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
+      - question: Delivery Optimization is downloading Windows content on my devices directly from an IP address, is it expected? 
+        answer: | 
+          When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your internet service provider, the download will be pulled directly from the IP address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available. 
+      - question: How do I turn off Delivery Optimization?
+        answer: |
+          Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage. 
+          If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
+          Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
+
+          > [!NOTE]
+          > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser.  If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
+  
+  - name: Network related configuration questions
+    questions:
       - question: Which ports does Delivery Optimization use?
         answer: | 
           Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service registers and opens this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
@@ -35,10 +82,9 @@ sections:
           Delivery Optimization uses Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
 
           Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
-
       - question: What are the requirements if I use a proxy?
-        answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
+        answer: |
-
+          For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
       - question: What hostnames should I allow through my firewall to support Delivery Optimization?
         answer: | 
           **For communication between clients and the Delivery Optimization cloud service**:
@@ -58,29 +104,37 @@ sections:
           - `win1910.ipv6.microsoft.com`
 
           For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
-
       - question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?
         answer: | 
           Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) (MCC) servers, which are hosted within Internet Service Provider (ISP) networks. 
-          The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible. 
+          The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.  
-        
+      - question: What is the recommended configuration for Delivery Optimization used with cloud proxies?
-      - question: Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected? 
+        answer: |
-        answer: | 
+          The recommended configuration for Delivery Optimization peer-to-peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
-          When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your Internet Service Provider, the download will be pulled directly from the IP Address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available. 
+          At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct internet access and bypass the cloud proxy service: 
 
-      - question: Does Delivery Optimization use multicast?
+            - `*.prod.do.dsp.mp.microsoft.com`
-        answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
+
+          If allowing direct internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
           
+  - name: Peer-to-Peer related questions
+    questions:
+      - question: How does Delivery Optimization determine which content is available for peering?
+        answer: |
+          Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots.
+      - question: Does Delivery Optimization use multicast?
+        answer: |
+         No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.    
       - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
-        answer: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
+        answer: |
-
+         Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
       - question: How does Delivery Optimization handle VPNs?
         answer: |
           Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
 
-          If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
+          If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable peer caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
 
-          If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there's no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN.
+          If you have defined a boundary group in Microsoft Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there's no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN.
 
           With split tunneling, make sure to allow direct access to these endpoints:
 
@@ -101,7 +155,6 @@ sections:
           - `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
 
           For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
-          
       - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
         answer: |
           Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
@@ -109,36 +162,8 @@ sections:
           > [!NOTE]
           > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.
 
-      - question: How are downloads initiated by Delivery Optimization?
+  - name: Device resources questions
-        answer: |
+    questions:
-          Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
-            
-      - question: How does Delivery Optimization determine which content is available for peering?
-        answer: |
-          Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots.
-      
-      - question: What is the recommended configuration for Delivery Optimization used with cloud proxies (for example, Zscaler)?
-        answer: |
-          The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
-          At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service: 
-
-            - `*.prod.do.dsp.mp.microsoft.com`
-
-          If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
-          
-      - question: How do I turn off Delivery Optimization?
-        answer: |
-          Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage. 
-          If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
-          Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
-
-          > [!NOTE]
-          > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser.  If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
-      
       - question: Delivery Optimization is using device resources and I can't tell why?
         answer: |
           Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
-
-      - question: What Delivery Optimization settings are available?
-        answer: |
-          There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc. 

windows/deployment/do/waas-delivery-optimization-reference.md

@@ -10,11 +10,11 @@ manager: aaroncz
 ms.reviewer: mstewart
 ms.collection: tier3
 ms.localizationpriority: medium
-appliesto: 
+appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
-ms.date: 07/31/2023
+ms.date: 02/14/2024
 ---
 
 # Delivery Optimization reference
@@ -59,8 +59,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 | [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. |
 | [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
 | [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
-| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
 | [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
+| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
 | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809  | No value is set as default. |
 | [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | No value is set as default. |
 | [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
@@ -144,7 +144,7 @@ MDM Setting: **DOGroupID**
 By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
 
 >[!NOTE]
->To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
+>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://devblogs.microsoft.com/scripting/powertip-create-a-new-guid-by-using-powershell/)
 >
 >This configuration is optional and not required for most implementations of Delivery Optimization.
 
@@ -161,9 +161,9 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
 - 4 = DNS Suffix
 - 5 = Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
 
-When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.  
+When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
 
-### Minimum RAM (inclusive) allowed to use Peer Caching  
+### Minimum RAM (inclusive) allowed to use Peer Caching
 
 MDM Setting: **DOMinRAMAllowedToPeer**
 
@@ -207,7 +207,7 @@ This setting specifies the minimum content file size in MB enabled to use Peer C
 MDM Setting: **DOMaxDownloadBandwidth**
 
 Deprecated in Windows 10, version 2004.
-This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimize the maximum bandwidth used.
+This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimizes the maximum bandwidth used.
 
 
 ### Maximum Foreground Download Bandwidth
@@ -313,7 +313,7 @@ This setting determines whether a device will be allowed to participate in Peer
 
 MDM Setting: **DOVpnKeywords**
 
-This policy allows you to set one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: “VPN”, “Secure”, and “Virtual Private Network” (ex: “MSFTVPN” matches the “VPN” keyword). As the number of VPNs grow it’s difficult to support an ever-changing list of VPN names. To address this, we’ve introduced this new setting to set unique VPN names to meet the needs of individual environments.
+This policy allows you to set one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: "VPN", "Secure", and "Virtual Private Network" (ex: "MSFTVPN" matches the "VPN" keyword). As the number of VPNs grow it's difficult to support an ever-changing list of VPN names. To address this, we've introduced this new setting to set unique VPN names to meet the needs of individual environments.
 
 ### Disallow cache server downloads on VPN
 
@@ -335,7 +335,7 @@ The device can download from peers while on battery regardless of this policy.
 
 MDM Setting: **DOCacheHost**
 
-Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the next one. When the last server fails, it will fallback to the CDN.
+Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, fallback to the CDN occurs immediately after the first failure in downloading from a cache server, unless the [DelayCacheServerFallbackBackground](#delay-background-download-cache-server-fallback-in-secs) or [DelayCacheServerFallbackForeground](#delay-foreground-download-cache-server-fallback-in-secs) policies are set. When these delay policies are set, the fallback occurs only after the configured delay time and the client continues to attempt connecting to the cache servers in round robin order before the delay time expires.
 
 >[!IMPORTANT]
 > Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.

windows/deployment/do/waas-delivery-optimization-setup.md

@@ -8,11 +8,11 @@ author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
-ms.collection: 
+ms.collection:
   - tier3
   - essentials-get-started
 ms.localizationpriority: medium
-appliesto: 
+appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 - ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
@@ -119,9 +119,9 @@ This section summarizes common problems and some solutions to try.
 
 If you don't see any bytes coming from peers the cause might be one of the following issues:
 
-- Clients aren’t able to reach the Delivery Optimization cloud services.
+- Clients aren't able to reach the Delivery Optimization cloud services.
-- The cloud service doesn’t see other peers on the network.
+- The cloud service doesn't see other peers on the network.
-- Clients aren’t able to connect to peers that are offered back from the cloud service.
+- Clients aren't able to connect to peers that are offered back from the cloud service.
 - None of the computers on the network are getting updates from peers.
 
 ### Clients aren't able to reach the Delivery Optimization cloud services
@@ -136,10 +136,10 @@ Try these steps:
 
 Try these steps:
 
-1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads.
+1. Download the same app on two different devices on the same network, waiting 10 - 15 minutes between downloads.
 2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices.
 3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be nonzero.
-4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**.
+4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for "what is my IP"). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**.
 
 > [!NOTE]
 > Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer.

windows/deployment/docfx.json

@@ -38,10 +38,11 @@
       "ms.collection": [
         "tier2"
       ],
+      "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
       "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
       "uhfHeaderId": "MSDocsHeader-Windows",
       "feedback_system": "Standard",
-            "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
       "_op_documentIdPathDepotMapping": {
         "./": {
           "depot_name": "MSDN.win-development",
@@ -50,23 +51,26 @@
       },
       "titleSuffix": "Windows Deployment",
       "contributors_to_exclude": [
-        "rjagiewich", 
+        "rjagiewich",
-        "traya1", 
+        "traya1",
-        "rmca14", 
+        "rmca14",
-        "claydetels19", 
+        "claydetels19",
         "jborsecnik",
         "tiburd",
         "garycentric",
         "beccarobins",
         "Stacyrch140",
         "v-stsavell",
-        "American-Dipper"
+        "American-Dipper",
+        "shdyas"
       ],
-      "searchScope": ["Windows 10"]
+      "searchScope": [
+        "Windows 10"
+      ]
     },
     "fileMetadata": {},
     "template": [],
     "dest": "win-development",
     "markdownEngineName": "markdig"
   }
-}
+}

windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md

@@ -1,6 +1,6 @@
 ---
 title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista
-description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10.
+description: Find released compatibility fixes for all Windows operating systems from Windows Vista through Windows 10.
 manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
@@ -14,12 +14,12 @@ ms.subservice: itpro-deploy
 
 **Applies to**
 
--   Windows 10
+- Windows 10
--   Windows 8.1
+- Windows 8.1
--   Windows 8
+- Windows 8
--   Windows 7
+- Windows 7
--   Windows Server 2012
+- Windows Server 2012
--   Windows Server 2008 R2
+- Windows Server 2008 R2
 
 You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.
 
@@ -28,131 +28,128 @@ You can fix some compatibility issues that are due to the changes made between W
 
 If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account.
 
-
-
 ## Compatibility Fixes
 
-
+The following table lists the known released compatibility fixes for all Windows operating systems from Windows Vista through Windows 10. The fixes are listed in alphabetical order.
-The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order.
 
 |Fix|Fix Description|
 |--- |--- |
-|8And16BitAggregateBlts|Applications that are mitigated by 8/16-bit mitigation can exhibit performance issues. This layer aggregates all the blt operations and improves performance.|
+|8And16BitAggregateBlts|8/16-bit mitigation can cause performance issues in applications. This layer aggregates all the blt operations and improves performance.|
-|8And16BitDXMaxWinMode|Applications that use DX8/9 and are mitigated by the 8/16-bit mitigation are run in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.|
+|8And16BitDXMaxWinMode|The 8/16-bit mitigation runs applications that use DX8/9 in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.|
 |8And16BitGDIRedraw|This fix repairs applications that use GDI and that work in 8-bit color mode. The application is forced to repaint its window on RealizePalette.|
 |AccelGdipFlush|This fix increases the speed of GdipFlush, which has perf issues in DWM.|
 |AoaMp4Converter|This fix resolves a display issue for the AoA Mp4 Converter.|
-|BIOSRead|This problem is indicated when an application cannot access the **Device\PhysicalMemory** object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.<p>The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the **\Device\Physical** memory information..|
+|BIOSRead|This problem is indicated when an application can't access the **Device\PhysicalMemory** object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.<p>The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the **\Device\Physical** memory information.|
 |BlockRunasInteractiveUser|This problem occurs when **InstallShield** creates installers and uninstallers that fail to complete and that generate error messages or warnings.<p>The fix blocks **InstallShield** from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the BlockRunAsInteractiveUser Fix](/previous-versions/windows/it-pro/windows-7/dd638336(v=ws.10)).</div>|
-|ChangeFolderPathToXPStyle|This fix is required when an application cannot return shell folder paths when it uses the **SHGetFolder** API.<p>The fix intercepts the **SHGetFolder**path request to the common **appdata** file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.|
+|ChangeFolderPathToXPStyle|This fix is required when an application can't return shell folder paths when it uses the **SHGetFolder** API.<p>The fix intercepts the **SHGetFolder**path request to the common **appdata** file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.|
 |ClearLastErrorStatusonIntializeCriticalSection|This fix is indicated when an application fails to start.<p>The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.|
 |CopyHKCUSettingsFromOtherUsers|This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.<p>The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.<p>You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the CopyHKCUSettingsFromOtherUsers Fix](/previous-versions/windows/it-pro/windows-7/dd638375(v=ws.10)).</div>|
-|CorrectCreateBrushIndirectHatch|The problem is indicated by an access violation error message that displays and when the application fails when you select or crop an image.<p>The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.|
+|CorrectCreateBrushIndirectHatch|This problem occurs when an access violation error message displays and the application fails when you select or crop an image.<p>The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.|
-|CorrectFilePaths|The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message.<p>The fixmodifies the file path names to point to a new location on the hard disk.<div class="alert">**Note:** For more detailed information about the CorrectFilePaths application fix, see [Using the CorrectFilePaths Fix](/previous-versions/windows/it-pro/windows-7/cc766201(v=ws.10)). We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.</div>|
+|CorrectFilePaths|This problem occurs when: <ul><li>An application tries to write files to the hard disk and is denied access.</li><li>An application receives a file not found or path not found error message.</li></ul><p>The fix modifies the file path names to point to a new location on the hard disk.<div class="alert">**Note:** For more detailed information about the CorrectFilePaths application fix, see [Using the CorrectFilePaths Fix](/previous-versions/windows/it-pro/windows-7/cc766201(v=ws.10)). We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you're applying it to a setup installation file.</div>|
-|CorrectFilePathsUninstall|This problem occurs when an uninstalled application leaves behind files, directories, and links.<p>The fix corrects the file paths that are used by the uninstallation process of an application.<div class="alert">**Note:** For more detailed information about this fix, see [Using the CorrectFilePathsUninstall Fix](/previous-versions/windows/it-pro/windows-7/dd638414(v=ws.10)). We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.</div>|
+|CorrectFilePathsUninstall|This problem occurs when an uninstalled application leaves behind files, directories, and links.<p>The fix corrects the file paths that are used by the uninstallation process of an application.<div class="alert">**Note:** For more detailed information about this fix, see [Using the CorrectFilePathsUninstall Fix](/previous-versions/windows/it-pro/windows-7/dd638414(v=ws.10)). We recommend that you use this fix together with the CorrectFilePaths fix if you're applying it to a setup installation file.</div>|
-|CorrectShellExecuteHWND|This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function.<p>The fixintercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.<div class="alert">**Note:** For more detailed information about the CorrectShellExecuteHWND application fix, see [Using the CorrectShellExecuteHWND Fix](/previous-versions/windows/it-pro/windows-7/cc722028(v=ws.10)).</div>|
+|CorrectShellExecuteHWND|This problem occurs when you start an executable (.exe) and:<ul><li>A taskbar item blinks instead of an elevation prompt being opened, or when the application doesn't provide a valid HWND value when it calls the ShellExecute(Ex) function.<p>The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.<div class="alert">**Note:** For more detailed information about the CorrectShellExecuteHWND application fix, see [Using the CorrectShellExecuteHWND Fix](/previous-versions/windows/it-pro/windows-7/cc722028(v=ws.10)).</div>|
-|CustomNCRender|This fix instructs DWM to not render the non-client area, thereby forcing the application to do its own NC rendering. This often gives windows an XP look.|
+|CustomNCRender|This fix instructs DWM to not render the non-client area forcing the application to do its own NC rendering. This issue often gives windows an XP look.|
 |DelayApplyFlag|This fix applies a KERNEL, USER, or PROCESS flag if the specified DLL is loaded.<p>You can control this fix further by typing the following command at the command prompt:<p>`DLL_Name;Flag_Type;Hexidecimal_Value`<br>Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64 bits long.<div class="alert">**Note:** The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().</div>|
-|DeprecatedServiceShim|The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.<p>The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.<p>You can control this fix further by typing the following command at the command prompt:<p>`Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2`<br>Where Deprecated_Service is the name of the service that has been deprecated and App_Service is the name of the specific application service that is to be modified; for example, NtLmSsp\WMI.<div class="alert">**Note:** If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.</div><div class="alert">**Note:** You can separate multiple entries with a forward slash (/).</div>|
+|DeprecatedServiceShim|The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.<p>The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.<p>You can control this fix further by typing the following command at the command prompt:<p>`Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2` where:<ul><li>Deprecated_Service is the name of the deprecated service</li><li>App_Service is the name of the specific application service that is to be modified</li></ul>For example, NtLmSsp\WMI.<div class="alert">**Note:** If you don't provide an App_Service name, the deprecated service is removed from all newly created services.</div><div class="alert">**Note:** You can separate multiple entries with a forward slash (/).</div>|
-|DirectXVersionLie|This problem occurs when an application fails because it does not find the correct version number for DirectX®.<p>The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.</div><p>You can control this fix further by typing the following command at the command prompt:<br>`MAJORVERSION.MINORVERSION.LETTER`<p>For example, 9.0.c.|
+|DirectXVersionLie|This problem occurs when an application fails because it doesn't find the correct version number for DirectX®.<p>The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.</div><p>You can control this fix further by typing the following command at the command prompt:<br>`MAJORVERSION.MINORVERSION.LETTER`<p>For example, 9.0.c.|
-|DetectorDWM8And16Bit|This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8 .|
+|DetectorDWM8And16Bit|This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8 .|
-|Disable8And16BitD3D|This fix improves performance of 8/16-bit color applications that render using D3D and do not mix direct draw.|
+|Disable8And16BitD3D|This fix improves performance of 8/16-bit color applications that render using D3D and don't mix direct draw.|
 |Disable8And16BitModes|This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.|
-|DisableDWM|The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the DisableDWM Fix](/previous-versions/windows/it-pro/windows-7/cc722418(v=ws.10)).</div>|
+|DisableDWM|The problem occurs when some objects aren't drawn or object artifacts remain on the screen in an application.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the DisableDWM Fix](/previous-versions/windows/it-pro/windows-7/cc722418(v=ws.10)).</div>|
-|DisableFadeAnimations|The problem is indicated when an application fades animation, buttons, or other controls do not function properly.<p>The fix disables the fade animations functionality for unsupported applications.|
+|DisableFadeAnimations|The problem is indicated when an application fades animation, buttons, or other controls don't function properly.<p>The fix disables the fade animations functionality for unsupported applications.|
-|DisableThemeMenus|The problem is indicated by an application that behaves unpredictably when it tries to detect and use the correct Windows settings.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.|
+|DisableThemeMenus|The problem occurs when an application behaves unpredictably when it tries to detect and use the correct Windows settings.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.|
-|DisableWindowsDefender|The fix disables Windows Defender for security applications that do not work with Windows Defender.|
+|DisableWindowsDefender|The fix disables Windows Defender for security applications that don't work with Windows Defender.|
-|DWM8And16BitMitigation|The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.|
+|DWM8And16BitMitigation|The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8.|
 |DXGICompat|The fix allows application-specific compatibility instructions to be passed to the DirectX engine.|
 |DXMaximizedWindowedMode|Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.|
-|ElevateCreateProcess|The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.<p>The fixhandles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code will be returned unchanged.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the ElevateCreateProcess Fix](/previous-versions/windows/it-pro/windows-7/cc722422(v=ws.10)).</div>|
+|ElevateCreateProcess|The problem is indicated when: <ul><li>installations</li><li>de-installations</li><li>updates</li></ul> fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.<p>The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code is returned unchanged.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the ElevateCreateProcess Fix](/previous-versions/windows/it-pro/windows-7/cc722422(v=ws.10)).</div>|
 |EmulateOldPathIsUNC|The problem occurs when an application fails because of an incorrect UNC path.<p>The fix exchanges the PathIsUNC function to return a value of True for UNC paths in Windows.|
-|EmulateGetDiskFreeSpace|The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements.<p>The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual-free space amount.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EmulateGetDiskFreeSpace Fix](/previous-versions/windows/it-pro/windows-7/ff720129(v=ws.10)).</div>|
+|EmulateGetDiskFreeSpace|The problem is indicated when an application fails to install or to run. An error message is generated that there isn't enough free disk space to install or use the application. The error message occurs even though there's enough free disk space to meet the application requirements.<p>The fix determines the amount of free space. If the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB. However, if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual-free space amount.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EmulateGetDiskFreeSpace Fix](/previous-versions/windows/it-pro/windows-7/ff720129(v=ws.10)).</div>|
 |EmulateSorting|The problem occurs when an application experiences search functionality issues.<p>The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.<div class="alert">**Note:** For more detailed information about this e application fix, see [Using the EmulateSorting Fix](/previous-versions/windows/it-pro/windows-7/cc749209(v=ws.10)).</div>|
 |EmulateSortingWindows61|The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.|
-|EnableRestarts|The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes.<p>The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EnableRestarts Fix](/previous-versions/windows/it-pro/windows-7/ff720128(v=ws.10)).</div>|
+|EnableRestarts|The problem is indicated when an application and computer appear to hang because processes can't end to allow the computer to complete its restart processes.<p>The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EnableRestarts Fix](/previous-versions/windows/it-pro/windows-7/ff720128(v=ws.10)).</div>|
-|ExtraAddRefDesktopFolder|The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.<p>The fix counteracts the application's tries to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.|
+|ExtraAddRefDesktopFolder|The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.<p>The fix invokes the AddRef() method on the Desktop folder, which the SHGetDesktopFolder function returns, to counteract the problem.|
 |FailObsoleteShellAPIs|The problem occurs when an application fails because it generated deprecated API calls.<p>The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.<div class="alert">**Note:** You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.</div>|
-|FailRemoveDirectory|The problem occurs when an application uninstallation process does not remove all of the application files and folders.<p>This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command line.  Only a single path is supported.  The path can contain environment variables, but must be an exact path – no partial paths are supported.<p>The fixcan resolves an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.|
+|FailRemoveDirectory|The problem occurs when an application uninstall process doesn't remove all of the application files and folders.<p>This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command line. Only a single path is supported. The path can contain environment variables, but must be an exact path - no partial paths are supported.<p>The fix resolves an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.|
-|FakeLunaTheme|The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed.<p>The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme (Luna).<div class="alert">**Note:** For more detailed information about the FakeLunaTheme application fix, see [Using the FakeLunaTheme Fix](/previous-versions/windows/it-pro/windows-7/cc766315(v=ws.10)).</div>|
+|FakeLunaTheme|The problem occurs when a theme application doesn't properly display: the colors are washed out or the user interface isn't detailed.<p>The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme (Luna).<div class="alert">**Note:** For more detailed information about the FakeLunaTheme application fix, see [Using the FakeLunaTheme Fix](/previous-versions/windows/it-pro/windows-7/cc766315(v=ws.10)).</div>|
-|FlushFile|This problem is indicated when a file is updated and changes do not immediately appear on the hard disk. Applications cannot see the file changes.<p>The fixenables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.|
+|FlushFile|This problem is indicated when a file is updated and changes don't immediately appear on the hard disk. Applications can't see the file changes.<p>The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.|
 |FontMigration|The fix replaces an application-requested font with a better font selection, to avoid text truncation.|
 |ForceAdminAccess|The problem occurs when an application fails to function during an explicit administrator check.<p>The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the ForceAdminAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766024(v=ws.10)).</div>|
 |ForceInvalidateOnClose|The fix invalidates any windows that exist under a closing or hiding window for applications that rely on the invalidation messages.|
-|ForceLoadMirrorDrvMitigation|The fix loads the Windows 8-mirror driver mitigation for applications where the mitigation is not automatically applied.|
+|ForceLoadMirrorDrvMitigation|The fix loads the Windows 8-mirror driver mitigation for applications where the mitigation isn't automatically applied.|
 |FreestyleBMX|The fix resolves an application race condition that is related to window message order.|
-|GetDriveTypeWHook|The application presents unusual behavior during installation; for example, the setup program states that it cannot install to a user-specified location.<p>The fix exchanges GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly formed file path when it tries to retrieve the drive type on which the file path exists.|
+|GetDriveTypeWHook|The application presents unusual behavior during installation; for example, the setup program states that it can't install to a user-specified location.<p>The fix exchanges GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly formed file path when it tries to retrieve the drive type on which the file path exists.|
-|GlobalMemoryStatusLie|The problem is indicated by a Computer memory full error message that displays when you start an application.<p>The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.|
+|GlobalMemoryStatusLie|The problem occurs when a Computer memory full error message that displays when you start an application.<p>The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.|
-|HandleBadPtr|The problem is indicated by an access violation error message that displays because an API is performing pointer validation before it uses a parameter.<p>The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the more parameter validation.|
+|HandleBadPtr|The problem occurs when an access violation error message that displays because an API is performing pointer validation before it uses a parameter.<p>The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the more parameter validation.|
-|HandleMarkedContentNotIndexed|The problem is indicated by an application that fails when it changes an attribute on a file or directory.<p>The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.|
+|HandleMarkedContentNotIndexed|The problem occurs when an application that fails when it changes an attribute on a file or directory.<p>The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory. The fix then resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.|
 |HeapClearAllocation|The problem is indicated when the allocation process shuts down unexpectedly.<p>The fix uses zeros to clear out the heap allocation for an application.|
 |IgnoreAltTab|The problem occurs when an application fails to function when special key combinations are used.<p>The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreAltTab Fix](/previous-versions/windows/it-pro/windows-7/cc722093(v=ws.10)).</div>|
-|IgnoreChromeSandbox|The fix allows Google Chrome to run on systems that have ntdll loaded above 4 GB.|
+|IgnoreChromeSandbox|The fix allows Google Chrome to run on systems where ntdll is loaded above 4 GB.|
-|IgnoreDirectoryJunction|The problem is indicated by a read or access violation error message that displays when an application tries to find or open files.<p>The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW, and FindFirstFileA APIs to prevent them from returning directory junctions.<div class="alert">**Note:** Symbolic links appear to start in Windows Vista.</div>|
+|IgnoreDirectoryJunction|The problem occurs when a read or access violation error message that displays when an application tries to find or open files.<p>The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW, and FindFirstFileA APIs to prevent them from returning directory junctions.<div class="alert">**Note:** Symbolic links appear to start in Windows Vista.</div>|
-|IgnoreException|The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.<p>The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.<p>You can control this fix further by typing the following command at the command prompt:<p>`Exception1;Exception2`<br>Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.<p>**Important:** You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. You might experience more compatibility issues if you choose to incorrectly ignore an exception.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreException Fix](/previous-versions/windows/it-pro/windows-7/cc766154(v=ws.10)).</div>|
+|IgnoreException|The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.<p>The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.<p>You can control this fix further by typing the following command at the command prompt:<p>`Exception1;Exception2`<br>Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.<p>**Important:** You should use this compatibility fix only if you're certain that it's acceptable to ignore the exception. You might experience more compatibility issues if you choose to incorrectly ignore an exception.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreException Fix](/previous-versions/windows/it-pro/windows-7/cc766154(v=ws.10)).</div>|
-|IgnoreFloatingPointRoundingControl|This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.<p>Before floating point SSE2 support in the C runtime library, the rounding control request was being ignored which would use round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.|
+|IgnoreFloatingPointRoundingControl|This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.<p>Before the C runtime library supported floating point SSE2, it ignored the rounding control request and used the round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.|
 |IgnoreFontQuality|The problem occurs when application text appears to be distorted.<p>The fix enables color-keyed fonts to properly work with anti-aliasing.|
-|IgnoreMessageBox|The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.<p>The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreMessageBox Fix](/previous-versions/windows/it-pro/windows-7/cc749044(v=ws.10)).</div>|
+|IgnoreMessageBox|The problem occurs when a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.<p>The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreMessageBox Fix](/previous-versions/windows/it-pro/windows-7/cc749044(v=ws.10)).</div>|
-|IgnoreMSOXMLMF|The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.<p>The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system anytime that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.|
+|IgnoreMSOXMLMF|The problem occurs when an error message that states that the operating system can't locate the MSVCR80D.DLL file.<p>The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system anytime that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix ignores the registered MSOXMLMF and fails the CoGetClassObject for its CLSID.|
 |IgnoreSetROP2|The fix ignores read-modify-write operations on the desktop to avoid performance issues.|
-|InstallComponent|The fix prompts the user to install.Net 3.5 or .NET 2.0 because .NET is not included with Windows 8.|
+|InstallComponent|The fix prompts the user to install.Net 3.5 or .NET 2.0 because .NET isn't included with Windows 8.|
 |LoadLibraryRedirect|The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.|
 |LocalMappedObject|The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.<p>The fix intercepts the function call to create the object and replaces the word Global with Local.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the LocalMappedObject Fix](/previous-versions/windows/it-pro/windows-7/cc749287(v=ws.10)).</div>|
-|MakeShortcutRunas|The problem is indicated when an application fails to uninstall because of access-related errors.<p>The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the MakeShortcutRunas Fix](/previous-versions/windows/it-pro/windows-7/dd638338(v=ws.10))</div>|
+|MakeShortcutRunas|The problem is indicated when an application fails to uninstall because of access-related errors.<p>The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installationenabling the uninstallation to occur later.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the MakeShortcutRunas Fix](/previous-versions/windows/it-pro/windows-7/dd638338(v=ws.10))</div>|
 |ManageLinks|The fix intercepts common APIs that are going to a directory or to an executable (.exe) file, and then converts any symbolic or directory junctions before passing it back to the original APIs.|
 |MirrorDriverWithComposition|The fix allows mirror drivers to work properly with acceptable performance with desktop composition.|
 |MoveToCopyFileShim|The problem occurs when an application experiences security access issues during setup.<p>The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.|
-|OpenDirectoryAcl|The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application.<p>The fix reduces the security privilege levels on a specified set of files and folders.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the OpenDirectoryACL Fix](/previous-versions/windows/it-pro/windows-7/dd638417(v=ws.10)).</div>|
+|OpenDirectoryAcl|The problem occurs when an error message that states that you don't have the appropriate permissions to access the application.<p>The fix reduces the security privilege levels on a specified set of files and folders.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the OpenDirectoryACL Fix](/previous-versions/windows/it-pro/windows-7/dd638417(v=ws.10)).</div>|
 |PopCapGamesForceResPerf|The fix resolves the performance issues in PopCap games like Bejeweled2. The performance issues are visible in certain low-end cards at certain resolutions where the 1024x768 buffer is scaled to fit the display resolution.|
 |PreInstallDriver|The fix preinstalls drivers for applications that would otherwise try to install or start drivers during the initial start process.|
 |PreInstallSmarteSECURE|The fix preinstalls computer-wide CLSIDs for applications that use SmartSECURE copy protection, which would otherwise try to install the CLSIDs during the initial start process.|
-|ProcessPerfData|The problem is indicated by an Unhandled Exception error message because the application tried to read the process performance data registry value to determine if another instance of the application is running.<p>The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it is the only instance running.<div class="alert">**Note:** This issue seems to occur most frequently with .NET applications.|
+|ProcessPerfData|The problem occurs because the application tried to read the process performance data registry value to determine if another instance of the application is running. This problem results in an Unhandled Exception error message.<p>The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it's the only instance running.<div class="alert">**Note:** This issue seems to occur most frequently with .NET applications.|
 |PromoteDAM|The fix registers an application for power state change notifications.</div>|
 |PropagateProcessHistory|The problem occurs when an application incorrectly fails to apply an application fix.<p>The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.|
-|ProtectedAdminCheck|The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.<p>The fix addresses the issues that occur when applications use non-standard Administrator checks, thereby generating false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but it is set as deny-only.|
+|ProtectedAdminCheck|The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.<p>The fix addresses the issues that occur when applications use non-standard Administrator checks. This issue can result in false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but the SID is set as deny-only.|
-|RedirectCRTTempFile|The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.|
+|RedirectCRTTempFile|The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume. The fix instead redirects the calls to a temporary file in the user's temporary directory.|
-|RedirectHKCUKeys|The problem occurs when an application cannot be accessed because of User Account Control (UAC) restrictions.<p>The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.|
+|RedirectHKCUKeys|The problem occurs when an application can't be accessed because of User Account Control (UAC) restrictions.<p>The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.|
-|RedirectMP3Codec|This problem occurs when you cannot play MP3 files.<p>The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.|
+|RedirectMP3Codec|This problem occurs when you can't play MP3 files.<p>The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.|
-|RedirectShortcut|The problem occurs when an application cannot be accessed by its shortcut, or application shortcuts are not removed during the application uninstallation process.<p>The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.<p>Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.<br>Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.<p>This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.<p>You cannot apply this fix to an .exe file that includes a manifest and provides a run level.|
+|RedirectShortcut|The problem occurs when an application's shortcut can't be accessed, or the application uninstallation process doesn't remove application shortcuts.<p>The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.<p>Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.<br>Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.<p>This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user can't access the shortcuts.<p>You can't apply this fix to an .exe file that includes a manifest and provides a run level.|
-|RelaunchElevated|The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application.<p>The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RelaunchElevated Fix](/previous-versions/windows/it-pro/windows-7/dd638373(v=ws.10)).</div>|
+|RelaunchElevated|The problem occurs when installers, uninstallers, or updaters fail when they're started from a host application.<p>The fix enables a child .exe file to run with elevated privileges when it's difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RelaunchElevated Fix](/previous-versions/windows/it-pro/windows-7/dd638373(v=ws.10)).</div>|
-|RetryOpenSCManagerWithReadAccess|The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.<p>The fix retries the call and requests a more restricted set of rights that include the following:<li>SC_MANAGER_CONNECT<li>SC_MANAGER_ENUMERATE_SERVICE<li>SC_MANAGER_QUERY_LOCK_STATUS<li>STANDARD_READ_RIGHTS<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenSCManagerwithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc721915(v=ws.10)).</div>|
+|RetryOpenSCManagerWithReadAccess|The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.<p>The fix retries the call and requests a more restricted set of rights that include the following items:<li>SC_MANAGER_CONNECT<li>SC_MANAGER_ENUMERATE_SERVICE<li>SC_MANAGER_QUERY_LOCK_STATUS<li>STANDARD_READ_RIGHTS<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenSCManagerwithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc721915(v=ws.10)).</div>|
-|RetryOpenServiceWithReadAccess|The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.<p>The fix retries the OpenService() API call and verifies that the user has Administrator rights, is not a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this to work<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenServiceWithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766423(v=ws.10)).</div>|
+|RetryOpenServiceWithReadAccess|The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.<p>The fix retries the OpenService() API call and verifies that the user has Administrator rights, isn't a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this fix to work<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenServiceWithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766423(v=ws.10)).</div>|
 |RunAsAdmin|The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.<p>The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsAdmin Fix](/previous-versions/windows/it-pro/windows-7/dd638315(v=ws.10)).</div>|
-|RunAsHighest|The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users.<p>The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsHighest Fix](/previous-versions/windows/it-pro/windows-7/dd638322(v=ws.10)).</div>|
+|RunAsHighest|The problem occurs when administrators can't view the read/write version of an application that presents a read-only view to standard users.<p>The fix enables the application to run by using the highest available permissions. This fix is the equivalent of specifying highestAvailable in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsHighest Fix](/previous-versions/windows/it-pro/windows-7/dd638322(v=ws.10)).</div>|
-|RunAsInvoker|The problem occurs when an application is not detected as requiring elevation.<p>The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsInvoker Fix](/previous-versions/windows/it-pro/windows-7/dd638389(v=ws.10)).</div>|
+|RunAsInvoker|The problem occurs when an application isn't detected as requiring elevation.<p>The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This fix is the equivalent of specifying asInvoker in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsInvoker Fix](/previous-versions/windows/it-pro/windows-7/dd638389(v=ws.10)).</div>|
 |SecuROM7|The fix repairs applications by using SecuROM7 for copy protection.|
-|SessionShim|The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.<p>At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.<p>**Important:** Users cannot log in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SessionShim Fix](/previous-versions/windows/it-pro/windows-7/cc722085(v=ws.10)).</div>|
+|SessionShim|The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.<p>At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.<p>**Important:** Users can't sign in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SessionShim Fix](/previous-versions/windows/it-pro/windows-7/cc722085(v=ws.10)).</div>|
 |SetProtocolHandler|The fix registers an application as a protocol handler.<p>You can control this fix further by typing the following command at the command prompt:`Client;Protocol;App`<br>Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.<div class="alert">**Note:** Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().</div>|
-|SetupCommitFileQueueIgnoreWow|The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.<p>The fixdisables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.|
+|SetupCommitFileQueueIgnoreWow|The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.<p>The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.|
 |SharePointDesigner2007|The fix resolves an application bug that severely slows the application when it runs in DWM.|
-|ShimViaEAT|The problem occurs when an application fails, even after applying acompatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.<p>The fixapplies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.<div class="alert">**Note:** For more information about this application fix, see [Using the ShimViaEAT Fix](/previous-versions/windows/it-pro/windows-7/cc766286(v=ws.10)).</div>|
+|ShimViaEAT|The problem occurs when an application fails, even after applying a compatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.<p>The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.<div class="alert">**Note:** For more information about this application fix, see [Using the ShimViaEAT Fix](/previous-versions/windows/it-pro/windows-7/cc766286(v=ws.10)).</div>|
-|ShowWindowIE|The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.<p>The fixintercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.|
+|ShowWindowIE|The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.<p>The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.|
-|SierraWirelessHideCDROM|The fix repairs the Sierra Wireless Driver installation, thereby preventing bugcheck.|
+|SierraWirelessHideCDROM|The fix repairs the Sierra Wireless Driver installation preventing bugcheck.|
 |Sonique2|The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.|
-|SpecificInstaller|The problem occurs when an application installation file fails to be picked up by the GenericInstaller function.<p>The fixflags the application as being an installer file (for example, setup.exe), and then prompts for elevation.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638397(v=ws.10)).</div>|
+|SpecificInstaller|The problem occurs when the GenericInstaller function fails to pick up an application installation file.<p>The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638397(v=ws.10)).</div>|
-|SpecificNonInstaller|The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.<p>The fixflags the application to exclude it from detection by the GenericInstaller function.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificNonInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638326(v=ws.10)).</div>|
+|SpecificNonInstaller|The problem occurs when an application that isn't an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.<p>The fix flags the application to exclude it from detection by the GenericInstaller function.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificNonInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638326(v=ws.10)).</div>|
 |SystemMetricsLie|The fix replaces SystemMetrics values and SystemParametersInfo values with the values of previous Windows versions.|
 |TextArt|The application receives different mouse coordinates with DWM ON versus DWM OFF, which causes the application to hang. This fix resolves the issue.|
-|TrimDisplayDeviceNames|The fix trims the names of the display devices that are returned by the EnumDisplayDevices API.|
+|TrimDisplayDeviceNames|The fix trims the names returned by the EnumDisplayDevices API of the display devices.|
 |UIPICompatLogging|The fix enables the logging of Windows messages from Internet Explorer and other processes.|
-|UIPIEnableCustomMsgs|The problem occurs when an application does not properly communicate with other processes because customized Windows messages are not delivered.<p>The fixenables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`MessageString1 MessageString2`<br>Where MessageString1 and MessageString2 reflect the message strings that can pass.<div class="alert">**Note:** Multiple message strings must be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableCustomMsgs Fix](/previous-versions/windows/it-pro/windows-7/dd638320(v=ws.10)).</div>|
+|UIPIEnableCustomMsgs|The problem occurs when an application doesn't properly communicate with other processes because customized Windows messages aren't delivered.<p>The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`MessageString1 MessageString2`<br>Where MessageString1 and MessageString2 reflect the message strings that can pass.<div class="alert">**Note:** You must separate multiple message strings by spaces. For more detailed information about this application fix, see [Using the UIPIEnableCustomMsgs Fix](/previous-versions/windows/it-pro/windows-7/dd638320(v=ws.10)).</div>|
-|UIPIEnableStandardMsgs|The problem occurs when an application does not communicate properly with other processes because standard Windows messages are not delivered.<p>The fixenables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`1055 1056 1069`<p>Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.<div class="alert">**Note:** Multiple messages can be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableStandardMsgs Fix [act]](/previous-versions/windows/it-pro/windows-7/dd638361(v=ws.10)).</div>|
+|UIPIEnableStandardMsgs|The problem occurs when an application doesn't communicate properly with other processes because standard Windows messages aren't delivered.<p>The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`1055 1056 1069`<p>Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.<div class="alert">**Note:** You can separate multiple messages with spaces. For more detailed information about this application fix, see [Using the UIPIEnableStandardMsgs Fix [act]](/previous-versions/windows/it-pro/windows-7/dd638361(v=ws.10)).</div>|
 |VirtualizeDeleteFileLayer|The fix virtualizes DeleteFile operations for applications that try to delete protected files.|
-|VirtualizeDesktopPainting|This fix improves the performance of a number of operations on the Desktop DC while using DWM.|
+|VirtualizeDesktopPainting|This fix improves the performance of several operations on the Desktop DC while using DWM.|
-|VirtualRegistry|The problem is indicated when a Component failed to be located error message displays when an application is started.<p>The fixenables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.<p>For more detailed information about this application fix, see [Using the VirtualRegistry Fix](/previous-versions/windows/it-pro/windows-7/cc749368(v=ws.10)).|
+|VirtualRegistry|The problem is indicated when a Component failed to be located error message displays when an application is started.<p>The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.<p>For more detailed information about this application fix, see [Using the VirtualRegistry Fix](/previous-versions/windows/it-pro/windows-7/cc749368(v=ws.10)).|
-|VirtualizeDeleteFile|The problem occurs when several error messages display and the application cannot delete files.<p>The fixmakes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeDeleteFile Fix](/previous-versions/windows/it-pro/windows-7/dd638360(v=ws.10)).</div>|
+|VirtualizeDeleteFile|The problem occurs when several error messages display and the application can't delete files.<p>The fix makes the application's DeleteFile function call a virtual call to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeDeleteFile Fix](/previous-versions/windows/it-pro/windows-7/dd638360(v=ws.10)).</div>|
-|VirtualizeHKCRLite|The problem occurs when an application fails to register COM components at runtime.<p>The fixredirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.<p>HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application is not elevated and is ignored if the application is elevated.<p>You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix.<br>For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](/previous-versions/windows/it-pro/windows-7/dd638327(v=ws.10)).|
+|VirtualizeHKCRLite|The problem occurs when an application fails to register COM components at runtime.<p>The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This fix operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.<p>HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application isn't elevated and is ignored if the application is elevated.<p>You typically use this compatibility fix with the VirtualizeRegisterTypeLib fix.<br>For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](/previous-versions/windows/it-pro/windows-7/dd638327(v=ws.10)).|
-|VirtualizeRegisterTypeLib|The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeRegisterTypelib Fix](/previous-versions/windows/it-pro/windows-7/dd638385(v=ws.10)).</div>|
+|VirtualizeRegisterTypeLib|The fix when used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This fix functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeRegisterTypelib Fix](/previous-versions/windows/it-pro/windows-7/dd638385(v=ws.10)).</div>|
-|WaveOutIgnoreBadFormat|This problem is indicated by an error message that states: Unable to initialize sound device from your audio driver; the application then closes.<p>The fixenables the application to ignore the format error and continue to function properly.|
+|WaveOutIgnoreBadFormat|When this problem occurs when an Unable to initialize sound device from your audio driver error occurs; the application then closes.<p>The fix enables the application to ignore the format error and continue to function properly.|
-|WerDisableReportException|The fix turns off the silent reporting of exceptions to the Windows Error Reporting tool, including those that are reported by Object Linking and Embedding-Database (OLE DB). The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.|
+|WerDisableReportException|The fix turns off the silent reporting of exceptions, including those exceptions reported by Object Linking and Embedding-Database (OLE DB), to the Windows Error Reporting tool. The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.|
 |Win7RTM/Win8RTM|The layer provides the application with Windows 7/Windows 8 compatibility mode.|
-|WinxxRTMVersionLie|The problem occurs when an application fails because it does not find the correct version number for the required Windows operating system.<p>All version lie compatibility fixes address the issue whereby an application fails to function because it is checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.|
+|WinxxRTMVersionLie|The problem occurs when an application fails because it doesn't find the correct version number for the required Windows operating system.<p>All version lie compatibility fixes address the issue whereby an application fails to function because it's checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.|
-|Wing32SystoSys32|The problem is indicated by an error message that states that the WinG library was not properly installed.<p>The fixdetects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.<p>**Important:** The application must have Administrator privileges for this fix to work.|
+|Wing32SystoSys32|The problem occurs when an error message that states that the WinG library wasn't properly installed.<p>The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.<p>**Important:** The application must have Administrator privileges for this fix to work.|
 |WinSrv08R2RTM||
-|WinXPSP2VersionLie|The problem occurs when an application experiences issues because of a VB runtime DLL.<p>The fixforces the application to follow these steps:<li>Open the Compatibility Administrator, and then select None for Operating System Mode.<li>On the Compatibility Fixes page, click WinXPSP2VersionLie, and then click Parameters.<li>The Options for &lt;fix_name&gt; dialog box appears.<li>Type vbrun60.dll into the Module Name box, click Include, and then click Add.<li>Save the custom database.<div class="alert">**Note:** For more information about the WinXPSP2VersionLie application fix, see [Using the WinXPSP2VersionLie Fix](/previous-versions/windows/it-pro/windows-7/cc749518(v=ws.10)).</div>|
+|WinXPSP2VersionLie|The problem occurs when an application experiences issues because of a VB runtime DLL.<p>The fix forces the application to follow these steps:<li>Open the Compatibility Administrator, and then select None for Operating System Mode.<li>On the Compatibility Fixes page, select WinXPSP2VersionLie, and then select Parameters.<li>The Options for /<fix_name/>; dialog box appears.<li>Type vbrun60.dll into the Module Name box, select Include, and then select Add.<li>Save the custom database.<div class="alert">**Note:** For more information about the WinXPSP2VersionLie application fix, see [Using the WinXPSP2VersionLie Fix](/previous-versions/windows/it-pro/windows-7/cc749518(v=ws.10)).</div>|
-|WRPDllRegister|The application fails when it tries to register a COM component that is released together with Windows Vista and later.<p>The fixskips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.<p>You can control this fix further by typing the following command at the command prompt:<p>`Component1.dll;Component2.dll`<br>Where Component1.dll and Component2.dll reflect the components to be skipped.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the WRPDllRegister Fix](/previous-versions/windows/it-pro/windows-7/dd638345(v=ws.10)).</div>|
+|WRPDllRegister|The application fails when it tries to register a COM component that is released together with Windows Vista and later.<p>The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.<p>You can control this fix further by typing the following command at the command prompt:<p>`Component1.dll;Component2.dll`<br>Where Component1.dll and Component2.dll reflect the components to be skipped.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the WRPDllRegister Fix](/previous-versions/windows/it-pro/windows-7/dd638345(v=ws.10)).</div>|
-|WRPMitigation|The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.<p>The fixemulates the successful authentication and modification of file and registry APIs, so that the application can continue.<div class="alert">**Note:** For more detailed information about WRPMitigation, see [Using the WRPMitigation Fix](/previous-versions/windows/it-pro/windows-7/dd638325(v=ws.10)).</div>|
+|WRPMitigation|The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.<p>The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.<div class="alert">**Note:** For more detailed information about WRPMitigation, see [Using the WRPMitigation Fix](/previous-versions/windows/it-pro/windows-7/dd638325(v=ws.10)).</div>|
-|WRPRegDeleteKey|The problem is indicated by an access denied error message that displays when the application tries to delete a registry key.<p>The fixverifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.|
+|WRPRegDeleteKey|The problem occurs when an access denied error message that displays when the application tries to delete a registry key.<p>The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.|
 |XPAfxIsValidAddress|The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.|
 
 ## Compatibility Modes
@@ -161,5 +158,5 @@ The following table lists the known compatibility modes.
 
 |Compatibility Mode Name|Description|Included Compatibility Fixes|
 |--- |--- |--- |
-|WinSrv03|Emulates the Windows Server 2003 operating system.|<li>Win2k3RTMVersionLie<li>VirtualRegistry<li>ElevateCreateProcess<li>EmulateSorting<li>FailObsoleteShellAPIs<li>LoadLibraryCWD<li>HandleBadPtr<li>GlobalMemoryStatus2GB<li>RedirectMP3Codec<li>EnableLegacyExceptionHandlinginOLE<li>NoGhost<li>HardwareAudioMixer|
+|WinSrv03|Emulates the Windows Server 2003 operating system.|<li>Win2k3RTMVersionLie<li>VirtualRegistry<li>ElevateCreateProcess<li>EmulateSorting<li>FailObsoleteShellAPIs<li>LoadLibraryCWD<li>HandleBadPtr<li>GlobalMemoryStatus2 GB<li>RedirectMP3Codec<li>EnableLegacyExceptionHandlinginOLE<li>NoGhost<li>HardwareAudioMixer|
 |WinSrv03Sp1|Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.|<li>Win2K3SP1VersionLie<li>VirtualRegistry<li>ElevateCreateProcess<li>EmulateSorting<li>FailObsoleteShellAPIs<li>LoadLibraryCWD<li>HandleBadPtr<li>EnableLegacyExceptionHandlinginOLE<li>RedirectMP3Codec<li>HardwareAudioMixer|

windows/deployment/planning/windows-10-enterprise-faq-itpro.yml

@@ -9,7 +9,7 @@ metadata:
   ms.localizationpriority: medium
   ms.sitesec: library
   ms.date: 10/28/2022
-  ms.reviewer: 
+  ms.reviewer:
   author: frankroj
   ms.author: frankroj
   manager: aaroncz
@@ -26,17 +26,17 @@ sections:
           Where can I download Windows 10 Enterprise?
         answer: |
           If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you don't have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx).
-          
+
       - question: |
           What are the system requirements?
         answer: |
-          For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752).
+          For details, see [Windows 10 Enterprise system requirements](https://www.microsoft.com/windows/Windows-10-specifications#areaheading-uid09f4).
-          
+
       - question: |
           What are the hardware requirements for Windows 10?
         answer: |
           Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. For more information, see [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications).
-          
+
       - question: |
           Can I evaluate Windows 10 Enterprise?
         answer: |
@@ -55,17 +55,17 @@ sections:
               - [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
               - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984)
               - [Panasonic Driver Pack for Enterprise](https://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
-          
+
       - question: |
           Where can I find out if an application or device is compatible with Windows 10?
         answer: |
           Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices.
-          
+
       - question: |
           Is there an easy way to assess if my organization's devices are ready to upgrade to Windows 10?
         answer: |
           [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without other infrastructure requirements. This service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects.
-          
+
   - name: Administration and deployment
     questions:
       - question: |
@@ -78,36 +78,36 @@ sections:
           - [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment.
 
           - The [Windows ADK](/windows-hardware/get-started/adk-install) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center.
-          
+
       - question: |
           Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
         answer: |
           Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
-          
+
       - question: |
           Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
         answer: |
           If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you're entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-          
+
           For devices that are licensed under a volume license agreement for Windows that doesn't include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
-          
+
   - name: Managing updates
     questions:
       - question: |
           What is Windows as a service?
         answer: |
           The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](../update/waas-overview.md).
-          
+
       - question: |
           How is servicing different with Windows as a service?
         answer: |
           Traditional Windows servicing has included several release types: major revisions (for example, Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
-          
+
       - question: |
           What are the servicing channels?
         answer: |
-          To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels).
+          To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](/windows/release-health/release-information). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels).
-          
+
       - question: |
           What tools can I use to manage Windows as a service updates?
         answer: |
@@ -116,25 +116,25 @@ sections:
           - Windows Update for Business
           - Windows Server Update Services
           - Microsoft Configuration Manager
-          
+
           For more information, see [Servicing Tools](../update/waas-overview.md#servicing-tools).
-          
+
   - name: User experience
     questions:
       - question: |
           Where can I find information about new features and changes in Windows 10 Enterprise?
         answer: |
           For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
-          
+
           Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
-          
+
           To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
-          
+
       - question: |
           How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
         answer: |
           Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1.
-          
+
       - question: |
           How does Windows 10 help people work with applications and data across various devices?
         answer: |
@@ -143,13 +143,13 @@ sections:
           - Universal apps now open in windows instead of full screen.
           - [Multitasking is improved with adjustable Snap](https://blogs.windows.com/windows-insider/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged.
           - Tablet Mode to simplify using Windows with a finger or pen by using touch input.
-          
+
   - name: Help and support
     questions:
       - question: |
           Where can I ask a question about Windows 10?
         answer: |
           Use the following resources for additional information about Windows 10.
-          - If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
+          - [Microsoft Q&A](/answers/)
-          - If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum).
+          - [Microsoft Support Community](https://answers.microsoft.com/)
-          - If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
+

windows/deployment/update/waas-configure-wufb.md

@@ -10,7 +10,7 @@ ms.topic: conceptual
 ms.subservice: itpro-updates
 ms.collection:
   - tier1
-appliesto: 
+appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
@@ -21,12 +21,12 @@ ms.date: 02/14/2024
 
 # Configure Windows Update for Business
 
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
 > [!NOTE]
 > Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/).
- 
+
-You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).  
+You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
 
 > [!IMPORTANT]
 > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
@@ -34,17 +34,17 @@ You can use Group Policy or your mobile device management (MDM) service to confi
 
 ## Start by grouping devices
 
-By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed.  With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization.  
+By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed.  With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization.
 
 >[!TIP]
->In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). 
+>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft's design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
 
 <span id="configure-devices-for-current-branch-or-current-branch-for-business"/>
 
 
 ## Configure devices for the appropriate service channel
 
-With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels). 
+With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels).
 
 **Release branch policies**
 
@@ -65,7 +65,7 @@ Starting with Windows 10, version 1703, users can configure the branch readiness
 
 ## Configure when devices receive feature updates
 
-After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.  
+After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
 
 For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` won't install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
 
@@ -87,7 +87,7 @@ For example, a device on the General Availability Channel with `DeferFeatureUpda
 
 You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again.
 
-Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. 
+Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
 
 In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
 
@@ -104,7 +104,7 @@ In cases where the pause policy is first applied after the configured start date
 | MDM for Windows 10, version 1607 or later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates</br> **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime |
 | MDM for Windows 10, version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
 
-You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. 
+You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
 
 The local group policy editor (GPEdit.msc) won't reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
 
@@ -125,7 +125,7 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha
 
 ## Configure when devices receive quality updates
 
-Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.  
+Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
 
 You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates. For a list of other Microsoft products that might be updated, see [Update other Microsoft products](update-other-microsoft-products.md).
 
@@ -145,7 +145,7 @@ You can set your system to receive updates for other Microsoft products—known
 
 You can also pause a system from receiving quality updates for a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality updates. Following this scan, you can then pause quality updates for the device again.
 
-Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. 
+Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
 
 In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
 
@@ -210,10 +210,10 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
 | MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
 
 ## Enable optional updates
-<!--7991583--> 
+<!--7991583-->
 In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy.
 
-To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. 
+To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
 
 :::image type="content" source="media/7991583-update-seeker-enabled.png" alt-text="Screenshot of the Get the latest updates as soon as they're available option in the Windows updates page of Settings." lightbox="media/7991583-update-seeker-enabled.png":::
 
@@ -230,7 +230,7 @@ The following options are available for the policy:
 
 - **Users can select which optional updates to receive**:
    - Users can select which optional updates to install from **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Optional updates**.
-     - Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.  
+     - Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.
      - CFRs are offered to the device, but not necessarily in the early phases of the rollout.
    - Users can enable the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. If the user enables the **Get the latest updates as soon as they're available**, then:
      - The device will receive CFRs in early phases of the rollout.
@@ -249,7 +249,7 @@ The following options are available for the policy:
 ## Enable features that are behind temporary enterprise feature control
 <!--6544872-->
 
-New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. 
+New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
 
 The features that are behind temporary enterprise feature control will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them. For a list of features that are turned off by default, see [Windows 11 features behind temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control).
 
@@ -274,7 +274,7 @@ The following are quick-reference tables of the supported policy values for Wind
 | BranchReadinessLevel	| REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br></br> Other value or absent: Receive all applicable updates |
 | DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates</br>Other value or absent: Don't defer feature updates |
 | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
-| DeferQualityUpdates | REG_DWORD | 1: Defer quality updates</br>Other value or absent: Don't defer quality updates | 
+| DeferQualityUpdates | REG_DWORD | 1: Defer quality updates</br>Other value or absent: Don't defer quality updates |
 | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days |
 | ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: Exclude Windows Update drivers</br>Other value or absent: Offer Windows Update drivers |
 | PauseFeatureUpdatesStartTime | REG_DWORD |1: Pause feature updates</br>Other value or absent: Don't pause feature updates |
@@ -310,4 +310,3 @@ When a device running a newer version sees an update available on Windows Update
 | PauseFeatureUpdates | PauseFeatureUpdatesStartTime |
 | PauseQualityUpdates | PauseQualityUpdatesStartTime |
 
- 

windows/deployment/update/waas-servicing-strategy-windows-10-updates.md

@@ -8,30 +8,30 @@ author: mestew
 ms.author: mstewart
 manager: aaroncz
 ms.localizationpriority: medium
-appliesto: 
+appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>	
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 ms.date: 12/31/2017
 ---
 
 # Prepare a servicing strategy for Windows client updates
 
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
 Here's an example of what this process might look like:
 
 - **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they're available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate prerelease builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
-- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. 
+- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
 - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you're looking for feedback rather than people to just "try it out" and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
-- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
+- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/troubleshoot/windows-server/group-policy/manage-group-policy-adm-file) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
 - **Choose a servicing tool.** Decide which product you'll use to manage the Windows updates in your environment. If you're currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you'll use, consider how you'll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
-- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview). 
+- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview).
 
 
 Each time Microsoft releases a feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
 
 1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier "Configure test devices" step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
-2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it. 
+2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
-3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department. 
+3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.
 
 

windows/deployment/upgrade/windows-10-upgrade-paths.md

@@ -1,5 +1,5 @@
 ---
-title: Windows 10 upgrade paths (Windows 10)
+title: Windows 10 upgrade paths
 description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
 ms.service: windows-client
 ms.localizationpriority: medium
@@ -11,7 +11,7 @@ ms.collection:
   - highpri
   - tier2
 ms.subservice: itpro-deploy
-ms.date: 10/02/2023
+ms.date: 02/13/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
@@ -32,7 +32,7 @@ appliesto:
 
 This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. Paths include upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported.
 
-If you're also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded.
+If you're also migrating to a different edition of Windows, see [Windows edition upgrade](windows-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded.
 
 - **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](/lifecycle/faq/windows) for availability and service information.
 
@@ -99,8 +99,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
 
 ## Related articles
 
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+- [Windows 10 deployment scenarios](../windows-deployment-scenarios.md).
-
+- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md).
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+- [Windows 10 edition upgrade](windows-edition-upgrades.md).
-
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)

windows/deployment/upgrade/windows-upgrade-paths.md

@@ -1,5 +1,5 @@
 ---
-title: Windows upgrade paths 
+title: Windows upgrade paths
 description: Upgrade to current versions of Windows from a previous version of Windows
 ms.service: windows-client
 ms.localizationpriority: medium
@@ -11,7 +11,7 @@ ms.collection:
   - highpri
   - tier2
 ms.subservice: itpro-deploy
-ms.date: 10/02/2023
+ms.date: 02/13/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@@ -30,13 +30,13 @@ This article provides a summary of available upgrade paths to currently supporte
 - **Windows version upgrade**: You can directly upgrade any General Availability Channel version of Windows to a newer, supported General Availability Channel version of Windows, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](/lifecycle/faq/windows) for availability and service information.
 
 - **Upgrade from Windows LTSC to Windows General Availability Channel**: Upgrade from Windows LTSC to Windows General Availability Channel is available when upgrading to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise 22H2. Upgrade is supported using the in-place upgrade process using Windows setup. The Product Key switch needs to be used if apps need to be kept. If the switch isn't used, the option **Keep personal files and apps** option is grayed out. The command line to perform the upgrade is:
-  
+
   ```cmd
   setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
   ```
 
   where **xxxxx-xxxxx-xxxxx-xxxxx-xxxxx** is the Windows General Availability Channel product key. For example, if using a KMS, the command line for Windows Enterprise would be:
-  
+
   ```cmd
   setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43
   ```
@@ -66,6 +66,6 @@ This article provides a summary of available upgrade paths to currently supporte
 
 ## Related articles
 
-- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+- [Windows 10 deployment scenarios](../windows-deployment-scenarios.md).
-- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md).
-- [Windows edition upgrade](windows-edition-upgrades.md)
+- [Windows edition upgrade](windows-edition-upgrades.md).

windows/deployment/usmt/usmt-best-practices.md

@@ -46,7 +46,7 @@ This article discusses general and security-related best practices when using Us
 
 - **Chkdsk.exe.**
 
-  Microsoft recommends running **Chkdsk.exe** before running the **ScanState** and **LoadState** tools. **Chkdsk.exe** creates a status report for a hard disk drive and lists and corrects common errors. For more information about the **Chkdsk.exe** tool, see [Chkdsk](/previous-versions/windows/it-pro/windows-xp/bb490876(v=technet.10)).
+  Microsoft recommends running **Chkdsk.exe** before running the **ScanState** and **LoadState** tools. **Chkdsk.exe** creates a status report for a hard disk drive and lists and corrects common errors. For more information about the **Chkdsk.exe** tool, see [Chkdsk](/windows-server/administration/windows-commands/chkdsk).
 
 - **Migrate in groups.**
 
@@ -112,7 +112,7 @@ As the authorized administrator, it's the responsibility to protect the privacy
   The migration performance can be affected when the **\<context\>** element is used with the **\<component\>** element. For example, when encapsulating logical units of file- or path-based **\<include\>** and **\<exclude\>** rules.
 
   In the **User** context, a rule is processed one time for each user on the system.
-  
+
   In the **System** context, a rule is processed one time for the system.
 
   In the **UserAndSystem** context, a rule is processed one time for each user on the system and one time for the system.

windows/deployment/volume-activation/monitor-activation-client.md

@@ -34,7 +34,7 @@ You can monitor the success of the activation process for a computer running Win
 
 - Using the Volume Licensing Service Center website to track use of MAK keys.
 
-- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options](/previous-versions//ff793433(v=technet.10)).
+- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
 
 - Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it's available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
 

windows/deployment/volume-activation/plan-for-volume-activation-client.md

@@ -62,7 +62,8 @@ Volume licensing offers customized programs that are tailored to the size and pu
 - Purchase a fully packaged retail product
 
 The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
-Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
+
+Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and Visual Studio Online. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
 
 > [!NOTE]
 > Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.

windows/deployment/volume-activation/volume-activation-windows-10.md

@@ -37,7 +37,7 @@ ms.subservice: itpro-fundamentals
 
 This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
 
-*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [MSDN Subscriptions](https://visualstudio.microsoft.com/msdn-platforms/).
+*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [Visual Studio Online](https://visualstudio.microsoft.com/msdn-platforms/).
 
 Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation.
 
@@ -47,7 +47,7 @@ Because most organizations won't immediately switch all computers to Windows 10,
 
 Volume activation -and the need for activation itself- isn't new, and this guide doesn't review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
 
-If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)).
+If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide](/previous-versions/tn-archive/dd878528(v=technet.10)).
 
 To successfully plan and implement a volume activation strategy, you must:
 

windows/deployment/windows-10-deployment-scenarios.md

@@ -1,196 +0,0 @@
----
-title: Windows 10 deployment scenarios (Windows 10)
-description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios.
-manager: aaroncz
-ms.author: frankroj
-author: frankroj
-ms.service: windows-client
-ms.localizationpriority: medium
-ms.topic: article
-ms.date: 11/23/2022
-ms.subservice: itpro-deploy
----
-
-# Windows 10 deployment scenarios
-
-*Applies to:*
-
-- Windows 10
-
-To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each.
-
-## Deployment categories
-
-The following tables summarize various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
-
-- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
-
-   > [!NOTE]
-   > Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
-
-- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
-
-- Traditional deployment methods use existing tools to deploy operating system images.
-
-### Modern
-
-|Scenario|Description|More information|
-|--- |--- |--- |
-|[Windows Autopilot](#windows-autopilot)|Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured|[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot)|
-|[In-place upgrade](#in-place-upgrade)|Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.|[Perform an in-place upgrade to Windows 10 with MDT](/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit)<br>[Perform an in-place upgrade to Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager)|
-
-### Dynamic
-
-|Scenario|Description|More information|
-|--- |--- |--- |
-|[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)|
-|[Microsoft Entra ID / MDM](#dynamic-provisioning)|The device is automatically joined to Microsoft Entra ID and configured by MDM.|[Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
-|[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
-
-### Traditional
-
-|Scenario|Description|More information|
-|--- |--- |--- |
-|[Bare metal](#new-computer)|Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy a Windows 10 image using MDT](/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt)<br>[Deploy Windows 10 using PXE and Configuration Manager](/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager)|
-|[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)<br>[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
-|[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)<br>[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
-
-> [!IMPORTANT]
-> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
-> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
-
-## Modern deployment methods
-
-Modern deployment methods embrace both traditional on-premises and cloud services to deliver a simple, streamlined, and cost effective deployment experience.
-
-### Windows Autopilot
-
-Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
-
-For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
-
-### In-place upgrade
-
-For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 uses the Windows installation program (Setup.exe) is to perform an in-place upgrade. An in-place upgrade:
-
-- Automatically preserves all data, settings, applications, and drivers from the existing operating system version
-- Requires the least IT effort, because there's no need for any complex deployment infrastructure
-
-Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. Control is accomplished by using tools like Microsoft Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
-
-The in-place upgrade process is designed to be reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by using the automatically created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications don't need to be reinstalled as part of the process.
-
-Existing applications are preserved through the process. So, the upgrade process uses the standard Windows installation media image (Install.wim). Custom images aren't needed and can't be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
-
-Scenarios that support in-place upgrade with some other procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
-
-- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
-
-- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
-  - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
-  - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
-
-There are some situations where you can't use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
-
-- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
-
-- Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
-
-- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail.
-
-- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken.
-
-## Dynamic provisioning
-
-For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image. A custom image was used because a custom image was often faster and easier than using the preinstalled version. However, reimaging with a custom image is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it's now possible to avoid using custom images.
-
-The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
-
-### Windows 10 Subscription Activation
-
-Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
-
-<a name='azure-active-directory-azure-ad-join-with-automatic-mobile-device-management-mdm-enrollment'></a>
-
-### Microsoft Entra join with automatic mobile device management (MDM) enrollment
-
-In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Microsoft Entra ID and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
-
-### Provisioning package configuration
-
-When you use the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through various means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
-
-These scenarios can be used to enable "choose your own device" (CYOD) programs. With these programs, organization users can pick their own PC and aren't restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
-
-While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts.
-
-## Traditional deployment
-
-New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
-
-With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them.
-
-The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary:
-
-- **New computer**: A bare-metal deployment of a new machine.
-- **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
-- **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
-
-### New computer
-
-Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
-
-The deployment process for the new machine scenario is as follows:
-
-1. Start the setup from boot media (CD, USB, ISO, or PXE).
-
-2. Wipe the hard disk clean and create new volume(s).
-
-3. Install the operating system image.
-
-4. Install other applications (as part of the task sequence).
-
-After you follow these steps, the computer is ready for use.
-
-### Computer refresh
-
-A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
-
-The deployment process for the wipe-and-load scenario is as follows:
-
-1. Start the setup on a running operating system.
-
-2. Save the user state locally.
-
-3. Wipe the hard disk clean (except for the folder containing the backup).
-
-4. Install the operating system image.
-
-5. Install other applications.
-
-6. Restore the user state.
-
-After you follow these steps, the machine is ready for use.
-
-### Computer replace
-
-A computer replace is similar to the refresh scenario. However, since we're replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
-
-The deployment process for the replace scenario is as follows:
-
-1. Save the user state (data and settings) on the server through a backup job on the running operating system.
-
-2. Deploy the new computer as a bare-metal deployment.
-
-    > [!NOTE]
-    > In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
-
-## Related articles
-
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with Microsoft Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
-- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
-- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference)
-- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
-- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi)

windows/deployment/windows-10-enterprise-e3-overview.md

@@ -1,188 +0,0 @@
----
-title: Windows 10/11 Enterprise E3 in CSP
-description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
-ms.service: windows-client
-ms.localizationpriority: medium
-ms.date: 11/23/2022
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.topic: article
-ms.subservice: itpro-deploy
----
-
-# Windows 10/11 Enterprise E3 in CSP
-
-*Applies to:*
-
-- Windows 10
-- Windows 11
-
-Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.
-
-Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites:
-
-- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
-- Microsoft Entra available for identity management
-
-You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Microsoft Entra credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
-
-Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
-
-When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits:
-
-- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
-- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
-- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
-- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days).
-- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization.
-- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
-
-How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
-
-- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
-- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
-
-  - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
-  - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
-  - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
-  - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
-
-    In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
-
-In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to the Enterprise edition of Windows 10 or Windows 11.
-
-## Compare Windows 10 Pro and Enterprise editions
-
-Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
-
-### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro
-
-|Feature|Description|
-|--- |--- |
-|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** -  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
-|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
-|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
-|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
-|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<br><br>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
-|Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|
-
-## Deployment of Windows 10/11 Enterprise E3 licenses
-
-See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
-
-## Deploy Windows 10/11 Enterprise features
-
-Now that you have Windows 10/11 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-10-pro-and-enterprise-editions)?
-
-The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10/11 Enterprise edition features.
-
-### Credential Guard
-
-> [!NOTE]
-> Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present).
-
-You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
-
-- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
-
-- **Manual**. You can manually turn on Credential Guard by taking one of the following actions:
-
-  - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
-
-  - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
-
-    You can automate these manual steps by using a management tool such as Microsoft Configuration Manager.
-
-For more information about implementing Credential Guard, see the following resources:
-
-- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
-- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations)
-- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
-
-### Device Guard
-
-Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
-
-1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate.
-
-2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
-
-3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
-
-4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
-
-5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
-
-6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
-
-7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
-
-For more information about implementing Device Guard, see:
-
-- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
-- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
-
-### AppLocker management
-
-You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that you have AD DS and that the Windows 10/11 Enterprise devices are joined to your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
-
-For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide).
-
-### App-V
-
-App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows:
-
-- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
-
-- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
-
-- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices.
-
-For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
-
-- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started)
-- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
-- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
-
-### UE-V
-
-UE-V requires server and client-side components that you'll need to download, activate, and install. These components include:
-
-- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
-
-- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location.
-
-- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings.
-
-- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates aren't required for Windows applications.
-
-- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
-
-For more information about deploying UE-V, see the following resources:
-
-- [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows)
-- [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started)
-- [Prepare a UE-V Deployment](/windows/configuration/ue-v/uev-prepare-for-deployment)
-
-### Managed User Experience
-
-The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.
-
-#### Table 2. Managed User Experience features
-
-| Feature          | Description     |
-|------------------|-----------------|
-| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables you to customize Start layouts for different departments or organizations, with minimal management overhead.<br>For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). |
-| Unbranded boot             | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.<br>For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
-| Custom logon               | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.<br>For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
-| Shell launcher             | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.<br>For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
-| Keyboard filter            | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.<br>For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
-| Unified write filter       | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.<br>For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
-
-## Related articles
-
-[Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)<br>
-[Connect domain-joined devices to Microsoft Entra ID for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)<br>
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)<br>
-[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)<br>

windows/deployment/windows-10-poc-sc-config-mgr.md

@@ -157,7 +157,7 @@ The procedures in this guide are summarized in the following table. An estimate
 
     You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
 
-    If the WMI service isn't started, attempt to start it or reboot the computer.  If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
+    If the WMI service isn't started, attempt to start it or reboot the computer.  If WMI is running but errors are present, see [winmgmt](/windows/win32/wmisdk/winmgmt) for troubleshooting information.
 
 5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt:
 
@@ -230,15 +230,9 @@ The procedures in this guide are summarized in the following table. An estimate
 ## Download MDOP and install DaRT
 
 > [!IMPORTANT]
-> This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
+> This step requires a Visual Studio subscription or volume license agreement. For more information, see [MDOP information experience](/microsoft-desktop-optimization-pack/).
-<!--
 
-THE LINK REFERENCED IN THE BELOW URL IS DEAD SO COMMENTING OUT
+1. Download the Microsoft Desktop Optimization Pack 2015 to the Hyper-V host from Visual Studio Online or from the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331) site. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
-
-> If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](/archive/blogs/zainnab/bizspark-free-msdn-subscription-for-start-up-companies/).
--->
-
-1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
 
 2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
 
@@ -780,7 +774,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
     [Settings]
     Priority=Default
     Properties=OSDMigrateConfigFiles,OSDMigrateMode
-    
+
     [Default]
     DoCapture=NO
     ComputerBackupLocation=NONE
@@ -1092,7 +1086,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
     - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
     - Select **Next** twice and then select **Close** in both windows.
 
-3. Select **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Don't proceed until this name is displayed.  
+3. Select **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Don't proceed until this name is displayed.
 
 ### Create a new deployment
 

windows/deployment/windows-10-poc.md

@@ -118,8 +118,6 @@ The two Windows Server VMs can be combined into a single VM to conserve RAM and
 
 ### Verify support and install Hyper-V
 
-Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
-
 1. To verify your computer supports SLAT, open an administrator command prompt,  type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
 
     ```cmd
@@ -1046,4 +1044,4 @@ Use the following procedures to verify that the PoC environment is configured pr
 
 ## Next steps
 
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+- [Windows 10 deployment scenarios](windows-deployment-scenarios.md).

windows/deployment/windows-10-subscription-activation.md

@@ -1,260 +0,0 @@
----
-title: Windows subscription activation
-description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions.
-ms.service: windows-client
-ms.subservice: itpro-fundamentals
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection:
-  - highpri
-  - tier2
-ms.topic: conceptual
-ms.date: 11/14/2023
-appliesto: 
-  - ✅ <b>Windows 10</b>
-  - ✅ <b>Windows 11</b>
----
-
-# Windows subscription activation
-
-The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition.
-
-If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business).
-
-The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and then rebooting client devices.
-
-This article covers the following information:
-
-- [Subscription activation](#subscription-activation-for-enterprise): An introduction to subscription activation for Windows Enterprise.
-- [Subscription activation for Education](#subscription-activation-for-education): Information about subscription activation for Windows Education.
-- [Inherited activation](#inherited-activation): Allow virtual machines to inherit activation state from their Windows client host.
-- [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment.
-- [Requirements](#requirements): Prerequisites to use the Windows subscription activation model.
-- [Benefits](#benefits): Advantages of subscription-based licensing.
-- [How it works](#how-it-works): A summary of the subscription-based licensing option.
-- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows subscription activation for VMs in the cloud.
-
-For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
-
-> [!NOTE]
->
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
->
-> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
-> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
->
-> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant.
->
-> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
-
-## Subscription activation for Enterprise
-
-Windows Enterprise E3 and E5 are available as online services via subscription. You can deploy Windows Enterprise in your organization without keys and reboots.
-
-- Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise.
-- Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions.
-
-Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using [Microsoft Entra Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
-
-> [!NOTE]
-> Subscription activation is available for qualifying devices running Windows 10 or Windows 11. You can't use subscription activation to upgrade from Windows 10 to Windows 11.
-
-## Subscription activation for Education
-
-Subscription activation for Education works the same as the Enterprise edition, but in order to use subscription activation for Education, you must have a device running Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the [requirements](#windows-education-requirements) section.
-
-## Inherited activation
-
-Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM.
-
-To support inherited activation, both the host computer and the VM must be running a supported version of Windows 10 or Windows 11. The hypervisor platform must also be Windows Hyper-V.
-
-## The evolution of deployment
-
-> [!TIP]
-> The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus).
-
-The following list illustrates how deploying Windows client has evolved with each release:
-
-- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
-
-- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade. This process was considered a "repair upgrade", because the OS version was the same before and after. This upgrade was a lot easier than wipe-and-load, but it was still time-consuming.
-
-- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This process required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
-
-- **Windows 10, version 1607** made a large leap forward. You could just change the product key and the edition instantly changed from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can inject a key using slmgr.vbs, which injects the key into WMI. It became trivial to do this process using a command line.
-
-- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for devices that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
-
-- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Microsoft Entra ID for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Microsoft Entra ID, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
-
-- **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled.
-
-- **Windows 10, version 1903** updated Windows 10 subscription activation to enable step-up from Windows 10 Pro Education to Windows 10 Education for devices with a qualifying Windows 10 or Microsoft 365 subscription.
-
-- **Windows 11, version 21H2** updated subscription activation to work on both Windows 10 and Windows 11 devices.
-
-    > [!IMPORTANT]
-    > Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated.
-
-## Requirements
-
-### Windows Enterprise requirements
-
-> [!NOTE]
-> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
-
-> [!IMPORTANT]
-> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
-
-For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
-
-- A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
-- Microsoft Entra available for identity management.
-- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
-
-For Microsoft customers that don't have EA or MPSA, you can get Windows Enterprise E3/E5 or A3/A5 licenses through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses. For more information about getting Windows Enterprise E3 through your CSP, see [Windows Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
-
-### Windows Education requirements
-
-- A supported version of Windows Pro Education installed on the devices to be upgraded.
-- A device with a Windows Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
-- The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription.
-- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
-
-> [!IMPORTANT]
-> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
-
-## Benefits
-
-With Windows Enterprise or Education editions, your organization can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features.
-
-To compare Windows 10 editions and review pricing, see the following sites:
-
-- [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)
-- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing)
-
-You can benefit by moving to Windows as an online service in the following ways:
-
-- Licenses for Windows Enterprise and Education are checked based on Microsoft Entra credentials. You have a systematic way to assign licenses to end users and groups in your organization.
-
-- User sign-in triggers a silent edition upgrade, with no reboot required.
-
-- Support for mobile worker and "bring your own device" (BYOD) activation. This support transitions away from on-premises KMS and MAK keys.
-
-- Compliance support via seat assignment.
-
-- Licenses can be updated to different users dynamically, which allows you to optimize your licensing investment against changing needs.
-
-## How it works
-
-> [!NOTE]
-> The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
-
-The device is Microsoft Entra joined from **Settings** > **Accounts** > **Access work or school**.
-
-You assign Windows 10 Enterprise to a user:
-
-![A screenshot of assigning a Windows 10 Enterprise license in the Microsoft 365 admin center.](images/ent.png)
-
-When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires.
-
-> [!NOTE]
-> Devices running a supported version of Windows 10 Pro Education can get Windows 10 Enterprise or Education general availability channel on up to five devices for each user covered by the license. This benefit doesn't include the long term servicing channel.
-
-The following figure summarizes how the subscription activation model works:
-
-![Diagram of subscription activation.](images/after.png)
-
-> [!NOTE]
->
-> - A Windows 10 Pro Education device will only step-up to Windows 10 Education edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
->
-> - A Windows 10 Pro device will only step-up to Windows 10 Enterprise edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
-
-### Scenarios
-
-#### Scenario #1
-
-You're using a supported version of Windows 10. You purchased Windows 10 Enterprise E3 or E5 subscriptions, or you've had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise.
-
-All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition.
-
-#### Scenario #2
-
-You're using Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Microsoft Entra synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Microsoft Entra ID. You then assign that license to all of your Microsoft Entra users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise.
-
-#### Earlier versions of Windows
-
-If devices are running Windows 7, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise edition. This path is supported, and completes the move in one step. This method also works for devices with Windows 8.1 Pro.
-
-### Licenses
-
-The following policies apply to acquisition and renewal of licenses on devices:
-
-- Devices that have been upgraded will attempt to renew licenses about every 30 days. They must be connected to the internet to successfully acquire or renew a license.
-
-- If a device is disconnected from the internet, until its current subscription expires Windows will revert to Pro or Pro Education. As soon as the device is connected to the internet again, the license will automatically renew.
-
-- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, on the computer to which a user hasn't logged for the longest time, Windows will revert to Pro or Pro Education.
-
-- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded.
-
-Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
-
-When you have the required Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
-
-### Existing Enterprise deployments
-
-If you're running a supported version of Windows 10 or Windows 11, subscription activation will automatically pull the firmware-embedded Windows activation key and activate the underlying Pro license. The license will then step-up to Enterprise using subscription activation. This behavior automatically migrates your devices from KMS or MAK activated Enterprise to subscription activated Enterprise.
-
-Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows.
-
-> [!CAUTION]
-> Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE).
-
-If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console:
-
-```powershell
-$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
-```
-
-<a name='obtaining-an-azure-ad-license'></a>
-
-### Obtaining a Microsoft Entra ID license
-
-If your organization has an Enterprise Agreement (EA) or Software Assurance (SA):
-
-- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Microsoft Entra ID. Ideally, you assign the licenses to groups using the Microsoft Entra ID P1 or P2 feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
-
-- The license administrator can assign seats to Microsoft Entra users with the same process that's used for Microsoft 365 Apps.
-
-- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
-
-If your organization has a Microsoft Products & Services Agreement (MPSA):
-
-- New customers are automatically emailed the details of the service. Take steps to process the instructions.
-
-- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
-
-- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
-
-### Deploying licenses
-
-For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
-
-## Virtual Desktop Access (VDA)
-
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
-
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
-
-## Related sites
-
-Connect domain-joined devices to Microsoft Entra ID for Windows experiences. For more information, see [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
-
-[Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11)
-
-[Windows for business](https://www.microsoft.com/windows/business)

windows/deployment/windows-adk-scenarios-for-it-pros.md

@@ -1,83 +1,78 @@
 ---
-title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10)
+title: Windows ADK for Windows scenarios for IT Pros
-description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
+description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that IT Pros can use to deploy Windows.
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.service: windows-client
 ms.localizationpriority: medium
-ms.date: 11/23/2022
+ms.date: 02/13/2024
 ms.topic: article
 ms.subservice: itpro-deploy
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
-# Windows ADK for Windows 10 scenarios for IT Pros
+# Windows ADK for Windows scenarios for IT Pros
 
-The [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
+The [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) contains tools that IT Pros can use to deploy Windows. For an overview of what's new in the latest version of the Windows ADK, see [What's new in the ADK tools](/windows-hardware/get-started/what-s-new-in-kits-and-tools). For the ADK reference content, see [Desktop manufacturing](/windows-hardware/manufacture/desktop/).
-
-In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](/windows-hardware/manufacture/desktop/).
-
-Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
 
 ## Create a Windows image using command-line tools
 
 [DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images.
 
-Here are some things you can do with DISM:
+Here are some things that can be done with DISM:
 
-- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
+- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image).
-- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
+- [Add and Remove Driver packages to an offline Windows Image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image).
-- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
+- [Enable or Disable Windows Features Using DISM](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism).
-- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
+- [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism).
-- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
+- [Add languages to Windows images](/windows-hardware/manufacture/desktop/add-language-packs-to-windows).
-- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
+- [Preinstall Apps Using DISM](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism).
-- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
+- [Change the Windows Image to a Higher Edition Using DISM](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism).
 
-[Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation.
+[Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows capturing a customized Windows installation.
 
-Here are some things you can do with Sysprep:
+Here are some things that can be done with Sysprep:
 
-- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
+- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation#generalize-a-windows-installation).
-- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
+- [Customize the default user profile by using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile).
-- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
+- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep).
 
-[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
+[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. Windows PE can be booted into to install a new operating system, recover data, or repair an existing operating system.
 
-Here are ways you can create a WinPE image:
+A WinPE image can be created using the article [Create bootable Windows PE media](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive). Types of bootable media include:
 
-- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a bootable Windows PE USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#create-a-bootable-windows-pe-usb-drive).
-- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a WinPE ISO, DVD, or CD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#create-a-winpe-iso-dvd-or-cd).
+- [Create a Windows PE VHD to use with Hyper-V](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#create-a-windows-pe-vhd-to-use-with-hyper-v).
 
 [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems.
 
-Here are some things you can do with Windows RE:
+Here are some things that can be done with Windows RE:
 
-- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
+- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re).
-- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
+- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview).
 
-[Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation.
+[Windows System Image Manager (WSIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps create answer files that change Windows settings and run scripts during Windows installation.
 
-Here are some things you can do with Windows SIM:
+Here are some things that can be done with WSIM:
 
-- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
+- [Create or Open an Answer File](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file).
-- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
+- [Add a Device Driver Path to an Answer File](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file).
-- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
+- [Add a Package to an Answer File](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file).
-- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
+- [Add a Custom Command to an Answer File](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file).
 
-For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center.
+For a list of settings that can be changed, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/).
 
 ### Create a provisioning package using Windows ICD
 
-Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) or Windows 10 IoT Core (IoT Core) image.
+[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows for desktop editions (Home, Pro, Enterprise, and Education) or a Windows IoT Core (IoT Core) image. Creating, applying, and exporting provisioning packages with the Windows ICD is covered in the article [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
-
-Here are some things you can do with Windows ICD:
-
-- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
-- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
 
 ### IT Pro Windows deployment tools
 
-There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
+There are also a few tools included in the Windows ADK that are specific to IT Pros:
 
 - [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
 - [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)

windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md

@@ -1,7 +1,7 @@
 ---
 title: Device registration overview
-description: This article provides an overview on how to register devices in Autopatch
+description: This article provides an overview on how to register devices in Autopatch.
-ms.date: 07/25/2023
+ms.date: 02/15/2024
 ms.service: windows-client
 ms.subservice: itpro-updates
 ms.topic: conceptual
@@ -19,13 +19,13 @@ ms.collection:
 
 Windows Autopatch must [register your existing devices](windows-autopatch-register-devices.md) into its service to manage update deployments on your behalf.
 
-The Windows Autopatch device registration process is transparent for end-users because it doesn’t require devices to be reset.
+The Windows Autopatch device registration process is transparent for end-users because it doesn't require devices to be reset.
 
 The overall device registration process is as follows:
 
 :::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
 
-1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch.
+1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) before registering devices with Windows Autopatch.
 2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Microsoft Entra groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
 3. Windows Autopatch then:
     1. Performs device readiness prior registration (prerequisite checks).
@@ -47,12 +47,12 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 | ----- | ----- |
 | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
 | **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Microsoft Entra ID assigned or dynamic groups into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group when using adding existing device-based Microsoft Entra groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group</li></ul> |
-| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group or from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.<ol><li>Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
+| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group or from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.<ol><li>Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements before registration.</li></ol> |
-| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Microsoft Entra device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
+| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn't enrolled into Intune.</li><li>A common reason is when the Microsoft Entra device ID is stale, it doesn't have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn't enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
-| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
+| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
-| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Microsoft Entra group (**Modern Workplace Devices-Windows Autopatch-Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li>Then the second deployment ring set, the software updates-based deployment ring set represented by the following Microsoft Entra groups:<ul><li>**Windows Autopatch - Ring1**<ul><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Microsoft Entra groups (**Windows Autopatch - Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ul><li>**Windows Autopatch - Ring2**</li>**Windows Autopatch - Ring3**</li></li></ol> |
+| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn't automatically assign devices to the Test ring represented by the Microsoft Entra group (**Modern Workplace Devices-Windows Autopatch-Test**). It's important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li>Then the second deployment ring set, the software updates-based deployment ring set represented by the following Microsoft Entra groups:<ul><li>**Windows Autopatch - Ring1**<ul><li>The Windows Autopatch device registration process doesn't automatically assign devices to the Test ring represented by the Microsoft Entra groups (**Windows Autopatch - Test**). It's important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ul><li>**Windows Autopatch - Ring2**</li>**Windows Autopatch - Ring3**</li></li></ol> |
 | **Step 7: Assign devices to a Microsoft Entra group** | Windows Autopatch also assigns devices to the following Microsoft Entra groups when certain conditions apply:<ol><li>**Modern Workplace Devices - All**</li><ol><li>This group has all devices managed by Windows Autopatch.</li></ol><li>**Modern Workplace Devices - Virtual Machine**</li><ol><li>This group has all **virtual devices** managed by Windows Autopatch.</li></ol> |
-| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Registered** tab.</li><li>The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
+| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Registered** tab.</li><li>The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension's allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
 | **Step 9: Review device registration status** | IT admins review the device registration status in both the **Registered** and **Not registered** tabs.<ol><li>If the device was **successfully registered**, the device shows up in the **Registered** tab.</li><li>If **not**, the device shows up in the **Not registered** tab.</li></ol> |
 | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. |
 
@@ -86,7 +86,7 @@ The five Microsoft Entra ID assigned groups that are used to organize devices fo
 | Windows Autopatch - Ring1 | First production deployment ring for early adopters. |
 | Windows Autopatch - Ring2 | Fast deployment ring for quick rollout and adoption. |
 | Windows Autopatch - Ring3 | Final deployment ring for broad rollout into the organization. |
-| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after it’s well tested with early and general populations in an organization. |
+| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after it's well tested with early and general populations in an organization. |
 
 In the software-based deployment ring set, each deployment ring has a different set of update deployment policies to control the updates rollout.
 
@@ -94,7 +94,7 @@ In the software-based deployment ring set, each deployment ring has a different
 > Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](#moving-devices-in-between-deployment-rings).
 
 > [!IMPORTANT]
-> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch – Test and Windows Autopatch – Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
+> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch - Test and Windows Autopatch - Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
 
 During the device registration process, Windows Autopatch assigns each device to a [service-based and software-update based deployment ring](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings) so that the service has the proper representation of device diversity across your organization.
 
@@ -107,15 +107,15 @@ The deployment ring distribution is designed to release software update deployme
 
 The Windows Autopatch deployment ring calculation occurs during the device registration process and it applies to both the [service-based and the software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings):
 
-- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**.
+- If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**.
-- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**.
+- If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**.
 
 > [!NOTE]
 > You can customize the deployment ring calculation logic by editing the Default Autopatch group.
 
 | Service-based deployment ring | Default Autopatch group deployment ring | Default device balancing percentage | Description |
 | ----- | ----- | ----- | ----- |
-| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:<br><ul><li>**0–500** devices: minimum **one** device.</li><li>**500–5000** devices: minimum **five** devices.</li><li>**5000+** devices: minimum **50** devices.</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
+| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:<br><ul><li>**0-500** devices: minimum **one** device.</li><li>**500-5000** devices: minimum **five** devices.</li><li>**5000+** devices: minimum **50** devices.</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
 | First | Ring 1 |  **1%** | The First ring is the first group of production users to receive a change.<p><p>This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.<p><p>Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
 | Fast | Ring 2 | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.<p><p>The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.</p> |
 | Broad | Ring 3 | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.|
@@ -123,17 +123,17 @@ The Windows Autopatch deployment ring calculation occurs during the device reg
 
 ## Software update-based to service-based deployment ring mapping
 
-There’s a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that don’t yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge.
+There's a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that don't yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge.
 
 | If moving a device to | The device also moves to |
 | ----- | ----- |
-| Windows Autopatch – Test | Modern Workplace Devices-Windows Autopatch-Test |
+| Windows Autopatch - Test | Modern Workplace Devices-Windows Autopatch-Test |
-| Windows Autopatch – Ring1 | Modern Workplace Devices-Windows Autopatch-First |
+| Windows Autopatch - Ring1 | Modern Workplace Devices-Windows Autopatch-First |
-| Windows Autopatch – Ring2 | Modern Workplace Devices-Windows Autopatch-Fast |
+| Windows Autopatch - Ring2 | Modern Workplace Devices-Windows Autopatch-Fast |
-| Windows Autopatch – Ring3 | Modern Workplace Devices-Windows Autopatch-Broad |
+| Windows Autopatch - Ring3 | Modern Workplace Devices-Windows Autopatch-Broad |
-| Windows Autopatch – Last | Modern Workplace Devices-Windows Autopatch-Broad |
+| Windows Autopatch - Last | Modern Workplace Devices-Windows Autopatch-Broad |
 
-If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, `<Autopatch group name – Ring4, Ring5, Ring6, etc.>`. The devices will be moved to **Modern Workplace Devices-Windows Autopatch-Broad**.
+If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, `<Autopatch group name - Ring4, Ring5, Ring6, etc.>`. The devices will be moved to **Modern Workplace Devices-Windows Autopatch-Broad**.
 
 ## Moving devices in between deployment rings
 
@@ -162,7 +162,7 @@ If you don't see the Ring assigned by column change to **Pending** in St
 
 ## Automated deployment ring remediation functions
 
-Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
+Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
 
 - Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
 - An issue occurred which prevented devices from getting a deployment ring assigned during the device registration process.
@@ -171,8 +171,8 @@ There are two automated deployment ring remediation functions:
 
 | Function | Description |
 | ----- | ----- |
-| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test and Windows Autopatch – Last** rings). |
+| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test and Windows Autopatch - Last** rings). |
-| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. |
+| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. |
 
 > [!IMPORTANT]
-> Windows Autopatch automated deployment ring functions don’t assign or remove devices to or from the following deployment rings:<li>**Modern Workplace Devices-Windows Autopatch-Test**</li><li>**Windows Autopatch – Test**</li><li>**Windows Autopatch – Last**</li></ul>
+> Windows Autopatch automated deployment ring functions don't assign or remove devices to or from the following deployment rings:<li>**Modern Workplace Devices-Windows Autopatch-Test**</li><li>**Windows Autopatch - Test**</li><li>**Windows Autopatch - Last**</li></ul>

windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md

@@ -23,7 +23,7 @@ Autopatch groups is a logical container or unit that groups several [Microsoft E
 
 ## Autopatch groups prerequisites
 
-Before you start managing Autopatch groups, ensure you’ve met the following prerequisites:
+Before you start managing Autopatch groups, ensure you've met the following prerequisites:
 
 - Review [Windows Autopatch groups overview documentation](../deploy/windows-autopatch-groups-overview.md) to understand [key benefits](../deploy/windows-autopatch-groups-overview.md#key-benefits), [concepts](../deploy/windows-autopatch-groups-overview.md#key-concepts) and [common ways to use Autopatch groups](../deploy/windows-autopatch-groups-overview.md#common-ways-to-use-autopatch-groups) within your organization.
 - Ensure the following [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) are created in your tenant:
@@ -32,23 +32,23 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 	- Modern Workplace Update Policy [Fast]-[Windows Autopatch]
 	- Modern Workplace Update Policy [Broad]-[Windows Autopatch]
 - Ensure the following [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) are created in your tenant:
-	- Windows Autopatch – DSS Policy [Test]
+	- Windows Autopatch - DSS Policy [Test]
-	- Windows Autopatch – DSS Policy [First]
+	- Windows Autopatch - DSS Policy [First]
-	- Windows Autopatch – DSS Policy [Fast]
+	- Windows Autopatch - DSS Policy [Fast]
-	- Windows Autopatch – DSS Policy [Broad]
+	- Windows Autopatch - DSS Policy [Broad]
-- Ensure the following Microsoft Entra ID assigned groups are in your tenant before using Autopatch groups. **Don’t** modify the Microsoft Entra group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
+- Ensure the following Microsoft Entra ID assigned groups are in your tenant before using Autopatch groups. **Don't** modify the Microsoft Entra group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
     - Modern Workplace Devices-Windows Autopatch-Test
     - Modern Workplace Devices-Windows Autopatch-First
     - Modern Workplace Devices-Windows Autopatch-Fast
     - Modern Workplace Devices-Windows Autopatch-Broad
-    - Windows Autopatch – Test
+    - Windows Autopatch - Test
-    - Windows Autopatch – Ring1
+    - Windows Autopatch - Ring1
-    - Windows Autopatch – Ring2
+    - Windows Autopatch - Ring2
-    - Windows Autopatch – Ring3
+    - Windows Autopatch - Ring3
-    - Windows Autopatch – Last
+    - Windows Autopatch - Last
 - Additionally, **don't** modify the Microsoft Entra group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** enterprise application as the owner of these groups.
 	- For more information, see [assign an owner or member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Microsoft Entra groups.
-- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to:
+- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won't work properly. Autopatch uses app-only auth to:
     - Read device attributes to successfully register devices.
     - Manage all configurations related to the operation of the service.
 - Make sure that all device-based Microsoft Entra groups you intend to use with Autopatch groups are created prior to using the feature.
@@ -86,7 +86,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 1. Once the review is done, select **Create** to save your custom Autopatch group.
 
 > [!CAUTION]
-> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that’s been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom).
+> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom).
 
 > [!IMPORTANT]
 > Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
@@ -94,13 +94,13 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 ## Edit the Default or a Custom Autopatch group
 
 > [!TIP]
-> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there’s one or more on-going Windows feature update release targeted to this Autopatch group.**"
+> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there's one or more on-going Windows feature update release targeted to this Autopatch group.**"
 > See [Manage Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md) for more information on release and phase statuses.
 
 **To edit either the Default or a Custom Autopatch group:**
 
 1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit.
-1. You can only modify the **description** of the Default or a Custom Autopatch group. You **can’t** modify the name. Once the description is modified, select **Next: Deployment rings**.
+1. You can only modify the **description** of the Default or a Custom Autopatch group. You **can't** modify the name. Once the description is modified, select **Next: Deployment rings**.
 1. Make the necessary changes in the **Deployment rings** page, then select **Next: Windows Update settings**.
 1. Make the necessary changes in the **Windows Update settings** page, then select **Next: Review + save**.
 1. Select **Review + create** to review all changes made.
@@ -111,7 +111,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 
 ## Rename a Custom Autopatch group
 
-You **can’t** rename the Default Autopatch group. However, you can rename a Custom Autopatch group.
+You **can't** rename the Default Autopatch group. However, you can rename a Custom Autopatch group.
 
 **To rename a Custom Autopatch group:**
 
@@ -123,7 +123,7 @@ You **can’t** rename the Default Autopatch group. However, you can rename a Cu
 
 ## Delete a Custom Autopatch group
 
-You **can’t** delete the Default Autopatch group. However, you can delete a Custom Autopatch group.
+You **can't** delete the Default Autopatch group. However, you can delete a Custom Autopatch group.
 
 **To delete a Custom Autopatch group:**
 
@@ -131,7 +131,7 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu
 1. Select **Yes** to confirm you want to delete the Custom Autopatch group.
 
 > [!CAUTION]
-> You can’t delete a Custom Autopatch group when it’s being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses.
+> You can't delete a Custom Autopatch group when it's being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses.
 
 ## Manage device conflict scenarios when using Autopatch groups
 
@@ -140,7 +140,7 @@ Overlap in device membership is a common scenario when working with device-based
 Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur.
 
 > [!CAUTION]
-> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that’s been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom).
+> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom).
 
 ### Device conflict in deployment rings within an Autopatch group
 
@@ -162,21 +162,21 @@ Device conflict across different deployment rings in different Autopatch groups
 
 | Conflict scenario | Conflict resolution |
 | -----  | ----- |
-| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called “Marketing”.<p>However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.</p> | Autopatch groups automatically resolve this conflict on your behalf.<p>In this example, devices that belong to the deployment rings as part of the “Marketing” Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.</p> |
+| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called "Marketing".<p>However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.</p> | Autopatch groups automatically resolve this conflict on your behalf.<p>In this example, devices that belong to the deployment rings as part of the "Marketing" Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.</p> |
 
 #### Custom to Custom Autopatch group device conflict
 
 | Conflict scenario | Conflict resolution |
 | -----  | ----- |
-| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.<p>Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You’re required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.</p> |
+| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.<p>Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You're required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.</p> |
 
 #### Device conflict prior to device registration
 
-When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups’ deployment rings, are registered with the service.
+When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups' deployment rings, are registered with the service.
 
 | Conflict scenario | Conflict resolution |
 | -----  | ----- |
-| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.<p>Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups don’t have device membership overlaps.</p> |
+| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.<p>Devices will fail to register with the service and will be sent to the **Not registered** tab. You're required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups don't have device membership overlaps.</p> |
 
 #### Device conflict post device registration
 

windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md

@@ -17,7 +17,7 @@ ms.collection:
 
 # Windows Autopatch groups overview
 
-As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they’re challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups help organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions.
+As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they're challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups help organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions.
 
 ## What are Windows Autopatch groups?
 
@@ -56,7 +56,7 @@ There are a few key concepts to be familiar with before using Autopatch groups.
 > [!NOTE]
 > The Default Autopatch group is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition.
 
-The Default Autopatch group uses Windows Autopatch’s default update management process recommendation. The Default Autopatch group contains:
+The Default Autopatch group uses Windows Autopatch's default update management process recommendation. The Default Autopatch group contains:
 
 - A set of **[five deployment rings](#default-deployment-ring-composition)**
 - A default update deployment cadence for both [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md) and [feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md).
@@ -64,21 +64,21 @@ The Default Autopatch group uses Windows Autopatch’s default update management
 The Default Autopatch group is intended to serve organizations that are looking to:
 
 - Enroll into the service
-- Align to Windows Autopatch’s default update management process without requiring more customizations.
+- Align to Windows Autopatch's default update management process without requiring more customizations.
 
-The Default Autopatch group **can’t** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it.
+The Default Autopatch group **can't** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it.
 
 #### Default deployment ring composition
 
 By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Microsoft Entra ID assigned groups, are used:
 
-- Windows Autopatch – Test
+- Windows Autopatch - Test
-- Windows Autopatch – Ring1
+- Windows Autopatch - Ring1
-- Windows Autopatch – Ring2
+- Windows Autopatch - Ring2
-- Windows Autopatch – Ring3
+- Windows Autopatch - Ring3
-- Windows Autopatch – Last
+- Windows Autopatch - Last
 
-**Windows Autopatch – Test** and **Last** can be only used as **Assigned** device distributions. **Windows Autopatch – Ring1**, **Ring2** and **Ring3** can be used with either **Assigned** or **Dynamic** device distributions, or have a combination of both device distribution types.
+**Windows Autopatch - Test** and **Last** can be only used as **Assigned** device distributions. **Windows Autopatch - Ring1**, **Ring2** and **Ring3** can be used with either **Assigned** or **Dynamic** device distributions, or have a combination of both device distribution types.
 
 > [!TIP]
 > For more information about the differences between **Assigned** and **Dynamic** deployment ring distribution types, see [about deployment rings](#about-deployment-rings). Only deployment rings that are placed in between the **Test** and the **Last** deployment rings can be used with the **Dynamic** deployment ring distributions.
@@ -86,7 +86,7 @@ By default, the following [software update-based deployment rings](#software-bas
 > [!CAUTION]
 > These and other Microsoft Entra ID assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly.
 
-The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization’s general population to mitigate disruptions to your organization’s critical businesses.
+The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization's general population to mitigate disruptions to your organization's critical businesses.
 
 #### Default update deployment cadences
 
@@ -144,7 +144,7 @@ Both the **Test** and **Last** deployment rings are default deployment rings tha
 If you only keep Test and Last deployment rings in your Default Autopatch group, or you don't add more deployment rings when creating a Custom Autopatch group, the Test deployment ring can be used as the pilot deployment ring and Last can be used as the production deployment ring.
 
 > [!IMPORTANT]
-> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn’t required, consider managing these devices outside Windows Autopatch.
+> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn't required, consider managing these devices outside Windows Autopatch.
 
 > [!TIP]
 > Both the **Test** and **Last** deployment rings only support one single Microsoft Entra group assignment at a time. If you need to assign more than one Microsoft Entra group, you can nest the other Microsoft Entra groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Microsoft Entra group nesting is supported.
@@ -168,7 +168,7 @@ The following are the Microsoft Entra ID assigned groups that represent the serv
 - Modern Workplace Devices-Windows Autopatch-Broad
 
 > [!CAUTION]
-> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
+> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
 
 ##### Software-based deployment rings
 
@@ -177,16 +177,16 @@ The software-based deployment ring set is exclusively used with software update
 The following are the Microsoft Entra ID assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed:
 
 - Windows Autopatch - Test
-- Windows Autopatch – Ring1
+- Windows Autopatch - Ring1
-- Windows Autopatch – Ring2
+- Windows Autopatch - Ring2
-- Windows Autopatch – Ring3
+- Windows Autopatch - Ring3
-- Windows Autopatch – Last
+- Windows Autopatch - Last
 
 > [!IMPORTANT]
 > Additional Microsoft Entra ID assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group.
 
 > [!CAUTION]
-> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
+> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
 
 ### About device registration
 
@@ -203,7 +203,7 @@ The following are three common uses for using Autopatch groups.
 
 | Scenario | Solution |
 | ----- | ----- |
-| You’re working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don’t have extra time to spend setting up and managing several Autopatch groups.<p>Your organization currently operates its update management by using five deployment rings, but there’s an opportunity to have flexible deployment cadences if it’s precommunicated to your end-users.</p> | If you don’t have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.<p>The Default Autopatch group is preconfigured and doesn’t require extra configurations when registering devices with the Windows Autopatch service.</p><p>The following is a visual representation of a gradual rollout for the Default Autopatch group preconfigured and fully managed by the Windows Autopatch service.</p> |
+| You're working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don't have extra time to spend setting up and managing several Autopatch groups.<p>Your organization currently operates its update management by using five deployment rings, but there's an opportunity to have flexible deployment cadences if it's precommunicated to your end-users.</p> | If you don't have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.<p>The Default Autopatch group is preconfigured and doesn't require extra configurations when registering devices with the Windows Autopatch service.</p><p>The following is a visual representation of a gradual rollout for the Default Autopatch group preconfigured and fully managed by the Windows Autopatch service.</p> |
 
 :::image type="content" source="../media/autopatch-groups-default-autopatch-group.png" alt-text="Default Autopatch group" lightbox="../media/autopatch-groups-default-autopatch-group.png":::
 
@@ -211,7 +211,7 @@ The following are three common uses for using Autopatch groups.
 
 | Scenario | Solution |
 | ----- | ----- |
-| You’re working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units. For example, you can create a Custom Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.<p>The following is a visual representation of a gradual rollout for Contoso’s Finance department.</p> |
+| You're working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units. For example, you can create a Custom Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.<p>The following is a visual representation of a gradual rollout for Contoso's Finance department.</p> |
 
 :::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png":::
 
@@ -222,7 +222,7 @@ The following are three common uses for using Autopatch groups.
 
 | Scenario | Solution |
 | ----- | ----- |
-| You’re working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn’t experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.<p>The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.</p> |
+| You're working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn't experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.<p>The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.</p> |
 
 :::image type="content" source="../media/autopatch-groups-contoso-chicago-example.png" alt-text="Contoso Chicago example" lightbox="../media/autopatch-groups-contoso-chicago-example.png":::
 

windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md

@@ -18,7 +18,7 @@ ms.collection:
 # Post-device registration readiness checks (public preview)
 
 > [!IMPORTANT]
-> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a “Preview” basis. You can test and use these features in production environments and scenarios, and provide feedback.
+> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios, and provide feedback.
 
 One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle.
 
@@ -41,7 +41,7 @@ Device readiness in Windows Autopatch is divided into two different scenarios:
 | ----- | ----- |
 | <ul><li>Windows OS (build, architecture and edition)</li></li><li>Managed by either Intune or ConfigMgr co-management</li><li>ConfigMgr co-management workloads</li><li>Last communication with Intune</li><li>Personal or non-Windows devices</li></ul> | <ul><li>Windows OS (build, architecture and edition)</li><li>Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict</li><li>Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)</li><li>Internet connectivity</li></ul> |
 
-The status of each post-device registration readiness check is shown in the Windows Autopatch’s Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service.
+The status of each post-device registration readiness check is shown in the Windows Autopatch's Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service.
 
 ## About the three tabs in the Devices blade
 
@@ -57,8 +57,8 @@ Windows Autopatch has three tabs within its Devices blade. Each tab is designed
 | Tab | Description |
 | ----- | ----- |
 | Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:<ul><li>Passed the prerequisite checks.</li><li>Registered with Windows Autopatch.</li></ul>This tab also lists devices that have passed all postdevice registration readiness checks. |
-| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.<ul><li>**Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.</li><li>**Inactive**: Devices that haven't communicated with the Microsoft Intune service in the last 28 days.</li></ul> |
+| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.<ul><li>**Readiness failed status**: Devices that didn't pass one or more post-device registration readiness checks.</li><li>**Inactive**: Devices that haven't communicated with the Microsoft Intune service in the last 28 days.</li></ul> |
-| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn’t pass one or more prerequisite checks during the device registration process. |
+| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn't pass one or more prerequisite checks during the device registration process. |
 
 ## Details about the post-device registration readiness checks
 
@@ -76,12 +76,12 @@ The following list of post-device registration readiness checks is performed in
 | ----- | ----- |
 | **Windows OS build, architecture, and edition** | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. |
 | **Windows update policies managed via Microsoft Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Intune (MDM). |
-| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Intune. |
+| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn't support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Intune. |
-| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). |
+| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn't support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). |
 | **Windows Autopatch network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. |
 | **Microsoft Teams network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Teams must be able to reach for software updates management. |
 | **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. |
-| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft’s public URLs two times each, to confirm that ping results aren't coming from the device’s cache. |
+| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft's public URLs two times each, to confirm that ping results aren't coming from the device's cache. |
 
 ## Post-device registration readiness checks workflow
 
@@ -93,8 +93,8 @@ See the following diagram for the post-device registration readiness checks work
 | ----- | ----- |
 | **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).|
 | **Step 8: Perform readiness checks** |<ol><li>Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.</li><li>The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.</li></ol> |
-| **Step 9: Check readiness status** |<ol><li>The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.</li><li>The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch’s service.</li></ol>|
+| **Step 9: Check readiness status** |<ol><li>The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.</li><li>The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch's service.</li></ol>|
-| **Step 10: Add devices to the Not ready** | When devices don’t pass one or more readiness checks, even if they’re registered with Windows Autopatch, they’re added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
+| **Step 10: Add devices to the Not ready** | When devices don't pass one or more readiness checks, even if they're registered with Windows Autopatch, they're added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
 | **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show back up into the **Ready** tab. |
 
 ## FAQ
@@ -102,7 +102,7 @@ See the following diagram for the post-device registration readiness checks work
 | Question | Answer |
 | ----- | ----- |
 | **How frequent are the post-device registration readiness checks performed?** |<ul><li>The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).</li><li>Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.</li><li>The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.</li><li>The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).</li></ul>|
-| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don’t meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.<p>Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.</p>|
+| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.<p>Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.</p>|
 
 ## Additional resources
 

windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md

@@ -1,7 +1,7 @@
 ---
 title: Register your devices
-description: This article details how to register devices in Autopatch
+description: This article details how to register devices in Autopatch.
-ms.date: 07/25/2023
+ms.date: 02/15/2024
 ms.service: windows-client
 ms.subservice: itpro-updates
 ms.topic: how-to
@@ -33,7 +33,7 @@ Windows Autopatch can take over software update management control of devices th
 
 When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.
 
-If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group.
+If devices aren't registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group.
 
 For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method.
 
@@ -83,7 +83,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
 - Devices must have Serial Number, Model and Manufacturer.
 
 > [!NOTE]
-> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
+> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check.
 
 > [!IMPORTANT]
 > Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
@@ -178,7 +178,7 @@ The service supports:
 
 - Personal persistent virtual machines
 
-The following Azure Virtual Desktop features aren’t supported:
+The following Azure Virtual Desktop features aren't supported:
 
 - Multi-session hosts
 - Pooled non persistent virtual machines

windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md

@@ -47,7 +47,7 @@ Windows Autopatch assigns alerts to either Microsoft Action or Customer Action.
 
 ## Alert resolutions
 
-Alert resolutions are provided through the Windows Update service and provide the reason why an update didn’t perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md).
+Alert resolutions are provided through the Windows Update service and provide the reason why an update didn't perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md).
 
 | Alert message | Description | Windows Autopatch recommendation(s) |
 | ----- | ----- | ----- |
@@ -85,11 +85,11 @@ Alert resolutions are provided through the Windows Update service and provide th
 | `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review  the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service has reported a policy conflict. Review  the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is usually false, and the update probably succeeded. | The Windows Update Service has reported the update you're trying to install isn't available.<p>No action is required.</p><p>If the update is still available, retry the installation.</p> |
-| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don’t** retry the installation until the impact is understood.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
+| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don't** retry the installation until the impact is understood.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
 | `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service has reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.<p>For more information about safeguards, see [Windows 10/11 release information for the affected version(s)](/windows/release-health/release-information).</p> |
 | `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service has reported Windows was unexpectedly restarted during the update process.<p>No action is necessary the update should retry when windows is available.</p><p>If the alert persists, ensure the device remains on during Windows installation.</p> |
 | `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service has reported that the version of Windows wasn't intended.<p>Confirm whether the device is on the intended version.</p> |
-| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.<p>For more information, see [Windows boot issues – troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).</p> |
+| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.<p>For more information, see [Windows boot issues - troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).</p> |
 | `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service has reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. |
 | `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.<p>Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, to repair these components. Then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.</p> |
 | `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.<p>Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges to repair these components. Then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.</p> |

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md

@@ -23,7 +23,7 @@ You can create custom releases for Windows feature update deployments in Windows
 
 Before you start managing custom Windows feature update releases, consider the following:
 
-- If you’re planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure:
+- If you're planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure:
     - The Default Autopatch group has all deployment rings and deployment cadences you need.
     - You have created all your Custom Autopatch groups prior to creating custom releases.
 - Review [Windows feature update prerequisites](/mem/intune/protect/windows-10-feature-updates#prerequisites).
@@ -42,7 +42,7 @@ The following table explains the auto-populating assignment of your deployments
 | Phase 3 | Ring2 | Ring2 |
 | Phase 4 | Last | Ring3 |
 
-If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won’t be reflected unless you create a new custom release.
+If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won't be reflected unless you create a new custom release.
 
 If you wish to change the auto-populating assignment of your deployment rings to release phases, you can do so by adding, removing, or editing the auto-populated phases.
 
@@ -50,7 +50,7 @@ If you wish to change the auto-populating assignment of your deployment rings to
 
 The goal completion date of a phase is calculated using the following formula:
 
-`<First Deployment Date> + (<Number of gradual rollout groups> – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days).`
+`<First Deployment Date> + (<Number of gradual rollout groups> - 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days).`
 
 This formula is only applicable for **Deadline-driven** not for Scheduled-driven deployment cadences. For more information, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
 
@@ -102,7 +102,7 @@ A phase is made of one or more Autopatch group deployment rings. Each phase repo
 
 | Phase status | Definition |
 | ----- | ----- |
-| Scheduled | The phase is scheduled but hasn’t reached its first deployment date yet. The Windows feature update policy hasn’t been created for the respective phase yet. |
+| Scheduled | The phase is scheduled but hasn't reached its first deployment date yet. The Windows feature update policy hasn't been created for the respective phase yet. |
 | Active | The first deployment date has been reached. The Windows feature update policy has been created for the respective phase. |
 | Inactive | All Autopatch groups within the phase were re-assigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. |
 | Paused | Phase is paused. You must resume the phase. |
@@ -112,7 +112,7 @@ A phase is made of one or more Autopatch group deployment rings. Each phase repo
 
 Windows Autopatch creates one Windows feature update policy per phase using the following naming convention:
 
-`Windows Autopatch – DSS policy – <Release Name> – Phase <Phase Number>`
+`Windows Autopatch - DSS policy - <Release Name> - Phase <Phase Number>`
 
 These policies can be viewed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
@@ -120,11 +120,11 @@ The following table is an example of the Windows feature update policies that we
 
 | Policy name | Feature update version | Rollout options | First deployment date| Final deployment date availability | Day between groups | Support end date |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Windows Autopatch - DSS Policy - My feature update release – Phase 1  | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 11, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 1  | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 11, 2024 |
-| Windows Autopatch - DSS Policy - My feature update release – Phase 2  | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 11, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 2  | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 11, 2024 |
-| Windows Autopatch - DSS Policy - My feature update release – Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 11, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 11, 2024 |
-| Windows Autopatch - DSS Policy - My feature update release – Phase 4  | Windows 10 21H2 | Make update available as soon as possible | August 28, 2023 | September 10, 2023 | 7 | June 11, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 4  | Windows 10 21H2 | Make update available as soon as possible | August 28, 2023 | September 10, 2023 | 7 | June 11, 2024 |
-| Windows Autopatch - DSS Policy - My feature update release – Phase 5  | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 11, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release - Phase 5  | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 11, 2024 |
 
 ## Create a custom release
 
@@ -142,11 +142,11 @@ The following table is an example of the Windows feature update policies that we
     4. Select **Next**.
 1. In the **Autopatch groups** page, choose one or more existing Autopatch groups you want to include in the custom release, then select Next.
 1. You can't choose Autopatch groups that are already part of an existing custom release. Select **Autopatch groups assigned to other releases** to review existing assignments.
-1. In the Release phases page, review the number of auto-populated phases. You can Edit, Delete and Add phase based on your needs. Once you’re ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned.
+1. In the Release phases page, review the number of auto-populated phases. You can Edit, Delete and Add phase based on your needs. Once you're ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned.
-1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and can’t guarantee that the release will start at the current day given the UTC variance across the globe.
+1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and can't guarantee that the release will start at the current day given the UTC variance across the globe.
     1. The **Goal completion date** only applies to the [Deadline-driven deployment cadence type](../operate/windows-autopatch-groups-windows-update.md#deadline-driven). The Deadline-drive deployment cadence type can be specified when you configure the Windows Updates settings during the Autopatch group creation/editing flow.
-    2. Additionally, the formula for the goal completion date is `<First Deployment Date> + (<Number of gradual rollout groups> – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`.
+    2. Additionally, the formula for the goal completion date is `<First Deployment Date> + (<Number of gradual rollout groups> - 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`.
-1. In the **Review + create** page, review all settings. Once you’re ready, select **Create**.
+1. In the **Review + create** page, review all settings. Once you're ready, select **Create**.
 
 > [!NOTE]
 > Custom releases can't be deleted from the Windows feature updates release management blade. The custom release record serves as a historical record for auditing purposes when needed.
@@ -209,10 +209,10 @@ The following table is an example of the Windows feature update policies that we
 ## Roll back a release
 
 > [!CAUTION]
-> Do **not** use Microsoft Intune’s end-user flows to rollback Windows feature update deployments for Windows Autopatch managed devices. If you need assistance with rolling back deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
+> Do **not** use Microsoft Intune's end-user flows to rollback Windows feature update deployments for Windows Autopatch managed devices. If you need assistance with rolling back deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
 
-Windows Autopatch **doesn’t** support the rollback of Windows feature updates through its end-user experience flows.
+Windows Autopatch **doesn't** support the rollback of Windows feature updates through its end-user experience flows.
 
 ## Contact support
 
-If you’re experiencing issues related to Windows feature update deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
+If you're experiencing issues related to Windows feature update deployments, [submit a support request](../operate/windows-autopatch-support-request.md).

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md

@@ -47,7 +47,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
 
 ## Windows feature updates
 
-You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
+You're in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
 
 The Window feature update release management experience makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
 

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md

@@ -17,7 +17,7 @@ ms.collection:
 
 # Windows feature updates overview
 
-Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
+Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization's IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
 
 Windows feature updates consist of:
 
@@ -28,11 +28,11 @@ Windows Autopatch makes it easier and less expensive for you to keep your Window
 
 ## Service level objective
 
-Windows Autopatch’s service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you.
+Windows Autopatch's service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you.
 
 ## Device eligibility criteria
 
-Windows Autopatch’s device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intune’s device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites).
+Windows Autopatch's device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intune's device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites).
 
 > [!IMPORTANT]
 > Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
@@ -40,7 +40,7 @@ Windows Autopatch’s device eligibility criteria for Windows feature updates al
 ## Key benefits
 
 - Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
-- You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
+- You're in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
 	- Combined with custom releases, Autopatch Groups gives your organization great control and flexibility to help you plan your gradual rollout in a way that works for your organization.
 - Simplified end-user experience with rich controls for gradual rollouts, deployment cadence and speed.
 - No need to manually modify the default Windows feature update policies (default release) to be on the Windows OS version your organization is currently ready for.
@@ -59,7 +59,7 @@ Windows Autopatch’s device eligibility criteria for Windows feature updates al
 
 ### Default release
 
-Windows Autopatch’s default Windows feature update release is a service-driven release that enforces the minimum Windows OS version currently serviced by the Windows servicing channels for the deployment rings in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
+Windows Autopatch's default Windows feature update release is a service-driven release that enforces the minimum Windows OS version currently serviced by the Windows servicing channels for the deployment rings in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
 
 > [!TIP]
 > Windows Autopatch allows you to [create custom Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release).
@@ -82,17 +82,17 @@ If your tenant is enrolled with Windows Autopatch, you can see the following def
 
 | Policy name | Phase mapping | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Windows Autopatch – DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023  | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023  | N/A | N/A | June 11, 2024 |
-| Windows Autopatch – DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023  | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023  | N/A | N/A | June 11, 2024 |
-| Windows Autopatch – DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023  | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023  | N/A | N/A | June 11, 2024 |
-| Windows Autopatch – DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023  | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023  | N/A | N/A | June 11, 2024 |
 
 > [!NOTE]
 > Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
 
 ### Global release
 
-Windows Autopatch’s global Windows feature update release is a service-driven release. Like the [default release](#default-release), the Global release enforces the [minimum Windows OS version currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
+Windows Autopatch's global Windows feature update release is a service-driven release. Like the [default release](#default-release), the Global release enforces the [minimum Windows OS version currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
 
 There are two scenarios that the Global release is used:
 
@@ -110,7 +110,7 @@ See the following table on how Windows Autopatch configures the values for its g
 
 | Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Windows Autopatch – Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A  | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A  | N/A | N/A | June 11, 2024 |
 
 > [!NOTE]
 > Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to be a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
@@ -118,7 +118,7 @@ See the following table on how Windows Autopatch configures the values for its g
 ### Differences between the default and global Windows feature update policies
 
 > [!IMPORTANT]
-> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group’s deployment rings behind the scenes.
+> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group's deployment rings behind the scenes.
 
 The differences in between the global and the default Windows feature update policy values are:
 
@@ -138,7 +138,7 @@ For more information on how to create a custom release, see [Manage Windows feat
 
 ### About Windows Update rings policies
 
-Feature update policies work with Windows Update rings policies. Windows Update rings policies are created for each deployment ring for the [Default or a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#key-concepts) based on the deployment settings you define. The policy name convention is `Windows Autopatch Update Policy – <Autopatch group name> – <Deployment group name>`.
+Feature update policies work with Windows Update rings policies. Windows Update rings policies are created for each deployment ring for the [Default or a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#key-concepts) based on the deployment settings you define. The policy name convention is `Windows Autopatch Update Policy - <Autopatch group name> - <Deployment group name>`.
 
 The following table details the default Windows Update rings policy values that affect either the default or custom Windows feature updates releases:
 
@@ -151,7 +151,7 @@ The following table details the default Windows Update rings policy values that
 | Windows Autopatch Update Policy - default - Last | Windows Autopatch - Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes |
 
 > [!IMPORTANT]
-> When you create a custom Windows feature update release, new Windows feature update policies are:<ul><li>Created corresponding to the settings you defined while creating the release.</li><li>Assigned to the Autopatch group’s deployment rings you select to be included in the release.</li></ul>
+> When you create a custom Windows feature update release, new Windows feature update policies are:<ul><li>Created corresponding to the settings you defined while creating the release.</li><li>Assigned to the Autopatch group's deployment rings you select to be included in the release.</li></ul>
 
 ## Common ways to manage releases
 
@@ -159,7 +159,7 @@ The following table details the default Windows Update rings policy values that
 
 | Scenario | Solution |
 | ----- | ----- |
-| You’re working as the IT admin at Contoso Ltd., and you need to gradually rollout of Windows 11’s latest version to several business units across your organization. | Custom Windows feature update releases deliver OS upgrades horizontally, through phases, to one or more Autopatch groups.<br>Phases:<ul><li>Set your organization’s deployment cadence.</li><li>Work like deployment rings on top of Autopatch group’s deployment rings. Phases group one or more deployment rings across one or more Autopatch groups.</li></ul><br>See the following visual for a representation of Phases with custom releases. |
+| You're working as the IT admin at Contoso Ltd., and you need to gradually rollout of Windows 11's latest version to several business units across your organization. | Custom Windows feature update releases deliver OS upgrades horizontally, through phases, to one or more Autopatch groups.<br>Phases:<ul><li>Set your organization's deployment cadence.</li><li>Work like deployment rings on top of Autopatch group's deployment rings. Phases group one or more deployment rings across one or more Autopatch groups.</li></ul><br>See the following visual for a representation of Phases with custom releases. |
 
 :::image type="content" source="../media/autopatch-groups-manage-feature-release-case-1.png" alt-text="Manage Windows feature update release use case one" lightbox="../media/autopatch-groups-manage-feature-release-case-1.png":::
 
@@ -167,6 +167,6 @@ The following table details the default Windows Update rings policy values that
 
 | Scenario | Solution |
 | ----- | ----- |
-| You’re working as the IT admin at Contoso Ltd. and your organization isn’t ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.<p>However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.</p> | Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.<p>If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).</p><p>See the following visual for a representation of default releases.</p>|
+| You're working as the IT admin at Contoso Ltd. and your organization isn't ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.<p>However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.</p> | Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.<p>If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).</p><p>See the following visual for a representation of default releases.</p>|
 
 :::image type="content" source="../media/autopatch-groups-manage-feature-release-case-2.png" alt-text="Manage Windows feature update release use case two" lightbox="../media/autopatch-groups-manage-feature-release-case-2.png":::

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md

@@ -39,7 +39,7 @@ The following information is available in the Summary dashboard:
 | Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
 | Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
 | In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
-| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
 | Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
 
 ## Report options

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md

@@ -38,7 +38,7 @@ The Windows quality report types are organized into the following focus areas:
 
 The Windows feature update reports monitor the health and activity of your deployments and help you understand if your devices are maintaining update compliance targets.
 
-If update deployments aren’t successful, Windows Autopatch provides information on update deployment failures and who needs to remediate. Certain update deployment failures might require either Windows Autopatch to act on your behalf or you to fix the issue.
+If update deployments aren't successful, Windows Autopatch provides information on update deployment failures and who needs to remediate. Certain update deployment failures might require either Windows Autopatch to act on your behalf or you to fix the issue.
 
 The Windows feature update report types are organized into the following focus areas:
 
@@ -82,7 +82,7 @@ Up to date devices are devices that meet all of the following prerequisites:
 - Have applied the current monthly cumulative updates
 
 > [!NOTE]
-> [Up to Date devices](#up-to-date-devices) will remain with the **In Progress** status for the 21-day service level objective period until the device either applies the current monthly cumulative update or receives an [alert](../operate/windows-autopatch-device-alerts.md). If the device receives an alert, the device’s status will change to [Not up to Date](#not-up-to-date-devices).
+> [Up to Date devices](#up-to-date-devices) will remain with the **In Progress** status for the 21-day service level objective period until the device either applies the current monthly cumulative update or receives an [alert](../operate/windows-autopatch-device-alerts.md). If the device receives an alert, the device's status will change to [Not up to Date](#not-up-to-date-devices).
 
 #### Up to Date sub statuses
 
@@ -93,7 +93,7 @@ Up to date devices are devices that meet all of the following prerequisites:
 
 ### Not up to Date devices
 
-Not Up to Date means a device isn’t up to date when the:
+Not Up to Date means a device isn't up to date when the:
 
 - Quality or feature update is out of date, or the device is on the previous update.
 - Device is more than 21 days overdue from the last release.

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md

@@ -27,14 +27,14 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
 | [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays)    | Before the deadline, users can schedule restarts or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
 | [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
 
-For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups, you can also customize the [Default Deployment Group’s deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
+For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups, you can also customize the [Default Deployment Group's deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
 
 > [!IMPORTANT]
 > Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed.  These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
 
 ## Service level objective
 
-Windows Autopatch aims to keep at least 95% of [Up to Date devices](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO). The result of the service level objective is the column “% with the latest quality update” displayed in release management and reporting.
+Windows Autopatch aims to keep at least 95% of [Up to Date devices](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO). The result of the service level objective is the column "% with the latest quality update" displayed in release management and reporting.
 
 ### Service level objective calculation
 
@@ -68,7 +68,7 @@ The service level objective for each of these states is calculated as:
 > [!IMPORTANT]
 > This feature is in **public preview**. It's being actively developed, and might not be complete.
 
-You can import your organization’s existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization’s Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization’s existing update rings. 
+You can import your organization's existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization's Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization's existing update rings. 
 
 Imported rings automatically register all targeted devices into Windows Autopatch. For more information about device registration, see the [device registration workflow diagram](../deploy/windows-autopatch-device-registration-overview.md#detailed-device-registration-workflow-diagram).
 
@@ -76,7 +76,7 @@ Imported rings automatically register all targeted devices into Windows Autopatc
 > Devices which are registered as part of an imported ring, might take up to 72 hours after the devices have received the latest version of the policy, to be reflected in Windows Autopatch devices blade and reporting. For more information about reporting, see [Windows quality and feature update reports overview](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md).
 
 > [!NOTE]
-> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch’s ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../operate/windows-autopatch-support-request.md).
+> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch's ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../operate/windows-autopatch-support-request.md).
 
 ### Import Update rings for Windows 10 and later
 

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md

@@ -38,7 +38,7 @@ The following information is available in the Summary dashboard:
 | Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
 | Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
 | In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
-| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
 | Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
 
 ## Report options

windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md

@@ -56,7 +56,7 @@ However, if an update has already started for a particular deployment ring, Wind
 #### Scheduled install
 
 > [!NOTE]
->If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
+>If you select the Schedule install cadence type, the devices in that ring won't be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
 
 While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified.
 
@@ -118,5 +118,5 @@ For more information, see [Windows Update settings you can manage with Intune up
         1. Turn off all notifications included restart warnings
     1. Select **Save** once you select the preferred setting.
 7. Repeat the same process to customize each of the rings. Once done, select **Next**.
-8. In **Review + apply**, you’ll be able to review the selected settings for each of the rings.
+8. In **Review + apply**, you'll be able to review the selected settings for each of the rings.
 9. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings.

windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md

@@ -58,7 +58,7 @@ The type of banner that appears depends on the severity of the action. Currently
 | Action type | Severity | Description |
 | ----- | ----- | ----- |
 | Maintain tenant access | Critical | Required licenses have expired. The licenses include:<ul><li>Microsoft Intune</li><li>Microsoft Entra ID P1 or P2</li><li>Windows 10/11 Enterprise E3 or higher</li><ul><li>For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li></ul><p>To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)</p> |
-| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can’t manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.<p>Reasons for tenant access issues:<ul><li>You haven't yet migrated to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.</li><li>You have blocked or removed the permissions required for the Windows Autopatch enterprise application.</li></ul><p>Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.</p><p>For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).</p> |
+| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can't manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.<p>Reasons for tenant access issues:<ul><li>You haven't yet migrated to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.</li><li>You have blocked or removed the permissions required for the Windows Autopatch enterprise application.</li></ul><p>Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.</p><p>For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).</p> |
 
 ### Inactive status
 
@@ -76,5 +76,5 @@ To be taken out of the **inactive** status, you must [resolve any critical actio
 
 | Impact area | Description |
 | ----- | ----- |
-| Management | Windows Autopatch isn’t able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:<ul><li>Managing the Windows Autopatch service</li><li>Publishing the baseline configuration updates to your tenant’s devices</li><li>Maintaining overall service health</li></ul><p>For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications).</p>|
+| Management | Windows Autopatch isn't able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:<ul><li>Managing the Windows Autopatch service</li><li>Publishing the baseline configuration updates to your tenant's devices</li><li>Maintaining overall service health</li></ul><p>For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications).</p>|
 | Device updates | Changes to Windows Autopatch policies aren't pushed to your devices. The existing configurations on these devices remain unchanged, and they continue receiving updates. |

windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md

@@ -20,7 +20,7 @@ ms.collection:
 You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment.
 
 > [!TIP]
-> Windows Autopatch's driver and firmware update management is based on [Intune’s driver and firmware update management](/mem/intune/protect/windows-driver-updates-overview). You can use **both** Intune and Windows Autopatch to manage your driver and firmware updates.
+> Windows Autopatch's driver and firmware update management is based on [Intune's driver and firmware update management](/mem/intune/protect/windows-driver-updates-overview). You can use **both** Intune and Windows Autopatch to manage your driver and firmware updates.
 
 ## Automatic and Self-managed modes
 
@@ -29,7 +29,7 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro
 | Modes | Description |
 | ----- | -----|
 | Automatic | We recommend using **Automatic** mode.<p>Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.</p> |
-| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
+| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatch's automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
 
 ## Set driver and firmware updates to Automatic or Self-managed mode
 
@@ -46,16 +46,16 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro
 
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Devices** > **Driver updates for Windows 10 and later**.
-1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch – Driver Update Policy** and end with the name of the deployment ring to which they're targeted in brackets. For example, **Windows Autopatch – Driver Update Policy [Test]**.
+1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch - Driver Update Policy** and end with the name of the deployment ring to which they're targeted in brackets. For example, **Windows Autopatch - Driver Update Policy [Test]**.
 
 The `CreateDriverUpdatePolicy` is created for the Test, First, Fast, and Broad deployment rings. The policy settings are defined in the following table:
 
 | Policy name | DisplayName | Description | Approval Type | DeploymentDeferralInDays |
 | ----- | ----- | ----- | ----- | ----- |
-| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [**Test**] | Driver Update Policy for device **Test** group | Automatic | `0` |
+| `CreateDriverUpdatePolicy` | Windows Autopatch - Driver Update Policy [**Test**] | Driver Update Policy for device **Test** group | Automatic | `0` |
-| `CreateDriverUpdatePolicy`| Windows Autopatch – Driver Update Policy [**First**] | Driver Update Policy for device **First** group | Automatic | `1` |
+| `CreateDriverUpdatePolicy`| Windows Autopatch - Driver Update Policy [**First**] | Driver Update Policy for device **First** group | Automatic | `1` |
-| `CreateDriverUpdatePolicy` |Windows Autopatch – Driver Update Policy [**Fast**] | Driver Update Policy for device **Fast** group | Automatic | `6` |
+| `CreateDriverUpdatePolicy` |Windows Autopatch - Driver Update Policy [**Fast**] | Driver Update Policy for device **Fast** group | Automatic | `6` |
-| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [**Broad**] | Driver Update Policy for device **Broad** group | Automatic | `9` |
+| `CreateDriverUpdatePolicy` | Windows Autopatch - Driver Update Policy [**Broad**] | Driver Update Policy for device **Broad** group | Automatic | `9` |
 
 ## Feedback and support
 

windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md

@@ -97,10 +97,10 @@ For organizations seeking greater control, you can allow or block Microsoft 365
 2. Navigate to the **Devices** > **Release Management** > **Release settings**.
 3. Go to the **Microsoft 365 apps updates** section. By default, the **Allow/Block** toggle is set to **Allow**.
 4. Turn off the **Allow** toggle to opt out of Microsoft 365 App update policies. You'll see the notification: *Update in process. This setting will be unavailable until the update is complete.*
-5. Once the update is complete, you’ll receive the notification: *This setting is updated.*
+5. Once the update is complete, you'll receive the notification: *This setting is updated.*
 
 > [!NOTE]
-> If the notification: *This setting couldn’t be updated. Please try again or submit a support request.* appears, use the following steps:<ol><li>Refresh your page.</li><li>Please repeat the same steps in To block Windows Autopatch Microsoft 365 apps updates.</li><li>If the issue persists, [submit a support request](../operate/windows-autopatch-support-request.md).</li>
+> If the notification: *This setting couldn't be updated. Please try again or submit a support request.* appears, use the following steps:<ol><li>Refresh your page.</li><li>Please repeat the same steps in To block Windows Autopatch Microsoft 365 apps updates.</li><li>If the issue persists, [submit a support request](../operate/windows-autopatch-support-request.md).</li>
 
 **To verify if the Microsoft 365 App update setting is set to Allow:**
 
@@ -117,7 +117,7 @@ For organizations seeking greater control, you can allow or block Microsoft 365
 
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Navigate to **Devices** > **Configuration profiles** > **Profiles**.
-3. The following **five** profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords “Office Configuration”. The result should return *0 profiles filtered*.
+3. The following **five** profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords "Office Configuration". The result should return *0 profiles filtered*.
     1. Windows Autopatch - Office Configuration
     2. Windows Autopatch - Office Update Configuration [Test]
     3. Windows Autopatch - Office Update Configuration [First]

windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md

@@ -36,7 +36,7 @@ With this feature, IT admins can:
 - Initiate action for the Autopatch service to restore the deployment rings without having to raise an incident.
 
 > [!NOTE]
-> You can rename your policies to meet your organization’s requirements. Do **not** rename the underlying Autopatch deployment groups.
+> You can rename your policies to meet your organization's requirements. Do **not** rename the underlying Autopatch deployment groups.
 
 ## Check policy health
 

windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md

@@ -35,15 +35,15 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
 
 | Responsibility | Description |
 | ----- | ----- |
-| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
+| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won't make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
 | Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Microsoft Entra device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). |
 
 ## Your responsibilities after unenrolling your tenant
 
 | Responsibility | Description |
 | ----- | ----- |
-| Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices.  You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
+| Updates | After the Windows Autopatch service is unenrolled, we'll no longer provide updates to your devices.  You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
-| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). |
+| Optional Windows Autopatch configuration | Windows Autopatch won't remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don't wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). |
 | Microsoft Intune roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. |
 
 ## Unenroll from Windows Autopatch
@@ -56,4 +56,4 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
     2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner.
 1. The Windows Autopatch Service Engineering Team proceeds with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment).
 1. The Windows Autopatch Service Engineering Team informs you when unenrollment is complete.
-1. You’re responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant).
+1. You're responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant).

windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md

@@ -259,7 +259,7 @@ For example, Configuration Manager Software Update Policy settings exclude Autop
 | Enable management of the Office 365 Client Agent | No |
 
 > [!NOTE]
-> There is no requirement to create a Configuration Manager Software Update Policy if the policies aren’t in use.
+> There is no requirement to create a Configuration Manager Software Update Policy if the policies aren't in use.
 
 #### Existing Mobile Device Management (MDM) policies
 

windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md

@@ -84,7 +84,7 @@ Windows Autopatch creates and uses guest accounts using just-in-time access func
 | Account name | Usage | Mitigating controls |
 | ----- | ----- | -----|
 | MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive sign-in permissions. The account performs operations only through the service.</li></ul> | Audited sign-ins |
-| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customer’s tenant.</li><li>The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li></ul> |
+| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customer's tenant.</li><li>The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li></ul> |
 | MsTest@tenantDomain.onmicrosoft.com | This account is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
 
 ## Microsoft Windows Update for Business

windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md

@@ -99,4 +99,4 @@ For more information and assistance with preparing for your Windows Autopatch de
 | Review and respond to Windows Autopatch management alerts<ul><li>[Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :heavy_check_mark: | :x: |
 | [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: |
 | [Manage and respond to support requests](../operate/windows-autopatch-support-request.md#manage-an-active-support-request) | :x: | :heavy_check_mark: |
-| Review the [What’s new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: |
+| Review the [What's new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: |

windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md

@@ -22,7 +22,7 @@ ms.collection:
 
 During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issue(s). You can review any device marked as **Not ready** and remediate them to a **Ready** state.
 
-Windows Autopatch monitors conflicting configurations. You’re notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it’s possible that other services write back the registry keys. It’s recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates.
+Windows Autopatch monitors conflicting configurations. You're notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it's possible that other services write back the registry keys. It's recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates.
 
 The most common sources of conflicting configurations include:
 
@@ -47,11 +47,11 @@ Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
 Windows Autopatch recommends removing the conflicting configurations. The following remediation examples can be used to remove conflicting settings and registry keys when targeted at Autopatch-managed clients.
 
 > [!IMPORTANT]
-> **It’s recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that aren’t managed by Windows Autopatch, be sure to target accordingly.
+> **It's recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that aren't managed by Windows Autopatch, be sure to target accordingly.
 
 ### Intune Remediation
 
-Navigate to Intune Remediations and create a remediation using the following examples. It’s recommended to create a single remediation per value to understand if the value persists after removal.
+Navigate to Intune Remediations and create a remediation using the following examples. It's recommended to create a single remediation per value to understand if the value persists after removal.
 
 If you use either [**Detect**](#detect) and/or [**Remediate**](#remediate) actions, ensure to update the appropriate **Path** and **Value** called out in the Alert. For more information, see [Remediations](/mem/intune/fundamentals/remediations).
 
@@ -97,7 +97,7 @@ Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpda
 
 ### Batch file
 
-Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service. For more information, see [Using batch files: Scripting; Management Services](/previous-versions/windows/it-pro/windows-server-2003/cc758944(v=ws.10)?redirectedfrom=MSDN).
+Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service.
 
 ```cmd
 @echo off
@@ -128,15 +128,15 @@ Windows Registry Editor Version 5.00
 
 ## Common sources of conflicting configurations
 
-The following examples can be used to validate if the configuration is persistent from one of the following services. The list isn’t an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly.
+The following examples can be used to validate if the configuration is persistent from one of the following services. The list isn't an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly.
 
 ### Group Policy management
 
-Group Policy management is the most popular client configuration tool in most organizations. For this reason, it’s most often the source of conflicting configurations. Use Result Set of Policy (RSOP) on an affected client can quickly identify if configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy.
+Group Policy management is the most popular client configuration tool in most organizations. For this reason, it's most often the source of conflicting configurations. Use Result Set of Policy (RSOP) on an affected client can quickly identify if configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy.
 
 1. Launch an Elevated Command Prompt and enter `RSOP`.
 1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**
-1. If a Policy **doesn’t exist** in Windows Update, then it appears to not be Group Policy.
+1. If a Policy **doesn't exist** in Windows Update, then it appears to not be Group Policy.
 1. If a Policy **exists** in Windows Update is present, modify or limit the target of the conflicting policy to resolve the Alert.
 1. If the **Policy name** is labeled **Local Group Policy**, these settings could have been applied during imaging or by Configuration Manager.
 
@@ -146,7 +146,7 @@ Configuration Manager is a common enterprise management tool that, among many th
 
 1. Go the **Microsoft Endpoint Configuration Manager Console**.
 1. Navigate to **Administration** > **Overview** > **Client Settings**.
-1. Ensure **Software Updates** isn’t configured. If configured, it’s recommended to remove these settings to prevent conflicts with Windows Autopatch.
+1. Ensure **Software Updates** isn't configured. If configured, it's recommended to remove these settings to prevent conflicts with Windows Autopatch.
 
 ## Third-party solutions
 

windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md

@@ -20,7 +20,7 @@ ms.collection:
 
 The following policies contain settings that apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention:
 
-**Modern Workplace Update Policy [ring name] – [Windows Autopatch]**
+**Modern Workplace Update Policy [ring name] - [Windows Autopatch]**
 
 ### Windows 10 and later update settings
 
@@ -52,7 +52,7 @@ The following policies contain settings that apply to both Windows quality and f
 
 | Setting name | Test | First | Fast | Broad |
 | ----- | ----- | ----- | ----- | ----- |
-| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad |
+| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad |
 | Excluded groups | None | None | None | None |
 
 ## Windows feature update policies
@@ -76,8 +76,8 @@ These policies control the minimum target version of Windows that a device is me
 
 | Setting name | Test | First | Fast | Broad |
 | ----- | ----- | ----- | ----- | ----- |
-| Included groups | Modern Workplace Devices–Windows Autopatch-Test  | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad |
+| Included groups | Modern Workplace Devices-Windows Autopatch-Test  | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad |
-| Excluded groups | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices |
+| Excluded groups | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices |
 
 #### Windows 11 testing
 
@@ -94,7 +94,7 @@ To allow customers to test Windows 11 in their environment, there's a separate D
 
 | Setting name | Test |
 | ----- | ----- |
-| Included groups | Modern Workplace – Windows 11 Pre-Release Test Devices |
+| Included groups | Modern Workplace - Windows 11 Pre-Release Test Devices |
 | Excluded groups | None |
 
 ## Conflicting and unsupported policies

windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md

@@ -34,7 +34,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 | Message center post number | Description |
 | ----- | ----- |
 | [MC697414](https://admin.microsoft.com/adminportal/home#/MessageCenter) | New Feature: Alerts for Windows Autopatch policy conflicts Public Preview announcement |
-| [MC695483](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Windows Autopatch configuration update – December 2023 |
+| [MC695483](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Windows Autopatch configuration update - December 2023 |
 
 ## November service release
 

windows/deployment/windows-deployment-scenarios.md

@@ -0,0 +1,205 @@
+---
+title: Windows deployment scenarios
+description: Understand the different ways Windows operating system can be deployed in an organization. Explore several Windows deployment scenarios.
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
+ms.service: windows-client
+ms.localizationpriority: medium
+ms.topic: article
+ms.date: 02/13/2024
+ms.subservice: itpro-deploy
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+---
+
+# Windows deployment scenarios
+
+To successfully deploy the Windows operating system in an organization, it's important to understand the different ways that it can be deployed. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each.
+
+## Deployment categories
+
+The following tables summarize various Windows deployment scenarios. The scenarios are each assigned to one of three categories.
+
+- Modern deployment methods are recommended unless a specific need requires use of a different procedure. These methods are supported with existing tools such as Microsoft Configuration Manager.
+
+   > [!NOTE]
+   >
+   > Once Windows is deployed in an organization, it's important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows feature updates.
+
+- Dynamic deployment methods enable configuration of applications and settings for specific use cases.
+
+- Traditional deployment methods use existing tools to deploy operating system images.
+
+### Modern
+
+|Scenario|Description|More information|
+|--- |--- |--- |
+|[Windows Autopilot](#windows-autopilot)|Customize the out-of-box-experience (OOBE) for an organization, and deploy a new system with apps and settings already configured|[Overview of Windows Autopilot](/autopilot/windows-autopilot)|
+|[In-place upgrade](#in-place-upgrade)|Use Windows Setup to update the Windows version and migrate apps and settings. Rollback data is saved in Windows.old.|[Perform an in-place upgrade to Windows using Configuration Manager](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager)|
+
+### Dynamic
+
+|Scenario|Description|More information|
+|--- |--- |--- |
+|[Subscription Activation](#windows-subscription-activation)|Switch from Windows Pro to Enterprise when a subscribed user signs in.|[Windows Subscription Activation](windows-subscription-activation.md)|
+|[Microsoft Entra ID / MDM](#dynamic-provisioning)|The device is automatically joined to Microsoft Entra ID and configured by MDM.|[Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
+|[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
+
+### Traditional
+
+|Scenario|Description|More information|
+|--- |--- |--- |
+|[Bare metal](#new-computer)|Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy Windows using PXE and Configuration Manager](/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager)|
+|[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows client with a currently supported version of Windows using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
+|[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows client with a currently supported version of Windows using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
+
+> [!IMPORTANT]
+>
+> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS is a currently supported version of Windows.
+>
+> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
+
+## Modern deployment methods
+
+Modern deployment methods embrace both traditional on-premises and cloud services to deliver a streamlined and cost effective deployment experience.
+
+### Windows Autopilot
+
+Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows PCs and provide end users with a fully configured new Windows device. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
+
+For more information about Windows Autopilot, see [Overview of Windows Autopilot](/autopilot/windows-autopilot) and [Modernizing Windows deployment with Windows Autopilot](https://techcommunity.microsoft.com/t5/windows-blog-archive/modernizing-windows-deployment-with-windows-autopilot/ba-p/167042).
+
+### In-place upgrade
+
+For existing computers running out of support versions of Windows, the recommended path for organizations deploying Windows is to perform an in-place upgrade. An in-place upgrade uses the Windows installation program (`Setup.exe`) to:
+
+- Automatically preserves all data, settings, applications, and drivers from the existing operating system version
+- Requires the least IT effort, because there's no need for any complex deployment infrastructure
+
+Although consumer PCs are upgraded using Windows Update, organizations want more control over the process. Control is accomplished by using tools like Microsoft Configuration Manager to completely automate the upgrade process through simple task sequences.
+
+The in-place upgrade process is designed to be reliable. An in-place upgrade has the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by using the automatically created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications don't need to be reinstalled as part of the process.
+
+Existing applications are preserved through the process. The upgrade process uses the standard Windows installation media image (Install.wim). Custom images not only aren't needed, but they also can't be used. Custom images can't be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. For example, Contoso Timecard 1.0 in Windows 10 and Contoso Timecard 3.0 in the Windows 11 image.
+
+Scenarios that support in-place upgrade with some other procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
+
+- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it works fine to upgrade a system using legacy BIOS emulation. After the upgrade, the system disk can be converted to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk is converted, the firmware of the device must also be configured to boot in UEFI mode. Enabling UEFI also UEFI features such as Secure Boot to be enabled.
+
+> [!IMPORTANT]
+>
+> Performing an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS is only possible with Windows 10. Windows versions newer than Windows 10 only support UEFI-capable systems and don't support legacy BIOS or MBR.
+
+- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs might provide instructions on how to integrate their software into the in-place upgrade process. Check with the ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
+
+  - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+  - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
+
+There are some situations where an in-place upgrade can't be used. In these situations, use traditional deployment methods instead. Examples of these situations include:
+
+- Changing from an x86 version of Windows 10 to an x64 version of Windows. Versions of Windows newer than Windows 10 are only x64 and don't have an x86 version. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
+
+- Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
+
+- Updating existing images. It can be tempting to try to upgrade existing Windows images to a newer version of Windows by installing the old image, upgrading it, and then recapturing the new Windows image. However, this scenario isn't supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and doesn't work. When `Sysprep.exe` detects the upgraded OS, it fails.
+
+- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If using dual-boot or multi-boot systems with multiple operating systems, then extra care should be taken. Dual-boot and multi-boot systems doesn't include using virtual machines for the second and subsequent operating systems.
+
+## Dynamic provisioning
+
+For new PCs, organizations historically replaced the version of Windows included on the device with their own custom Windows image. A custom image was used because a custom image was often faster and easier than using the preinstalled version. However, reimaging with a custom image is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows, it's now possible to avoid using custom images.
+
+The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
+
+### Windows Subscription Activation
+
+Windows Subscription Activation is a dynamic deployment method that enables changing the edition of Windows from Pro to Enterprise. Windows Subscription Activation requires no keys and no reboots. For more information about Subscription Activation, see [Windows Subscription Activation](windows-subscription-activation.md).
+
+### Microsoft Entra join with automatic mobile device management (MDM) enrollment
+
+In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Microsoft Entra ID and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+
+### Provisioning package configuration
+
+With the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a device. These packages can then be deployed to new PCs through various means, typically by IT professionals. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
+
+These scenarios can be used to enable "Bring Your Own Device" (BYOD) or "Choose Your Own Device" (CYOD) programs. With these programs, an organization's users can pick their own PC. They aren't restricted to a small list of approved or certified models. These programs are difficult to implement using traditional deployment scenarios.
+
+While Windows includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts.
+
+## Traditional deployment
+
+In the past, organizations typically deployed Windows using an image-based process built on top of tools provided in:
+
+- [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md).
+- [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+- Windows Deployment Services (WDS).
+- Microsoft Deployment Toolkit.
+
+Scenarios such as in-place upgrade and dynamic provisioning might reduce the need for traditional deployment capabilities in some organizations. However, traditional methods might still need to be used under certain circumstances.
+
+The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary:
+
+- **New computer**: A bare-metal deployment of a new device.
+- **Computer refresh**: A reinstall of the same device (with user-state migration and an optional full Windows Imaging (WIM) image backup).
+- **Computer replace**: A replacement of the old device with a new device (with user-state migration and an optional full WIM image backup).
+
+### New computer
+
+Also called a "bare metal" deployment. This scenario occurs when there's a device with no OS installed on it that needs to be deployed. This scenario can also be an existing device that needs to be wiped and redeployed without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). A full offline media that includes all the files needed for a client deployment can also be generated, allowing deployment without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
+
+The deployment process for the new device scenario is as follows:
+
+1. Start the setup from boot media (CD, USB, ISO, or PXE).
+
+1. Wipe the hard disk clean and create new volume(s).
+
+1. Install the operating system image.
+
+1. Install other applications (as part of the task sequence).
+
+After following these steps, the computer is ready for use.
+
+### Computer refresh
+
+A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
+
+The deployment process for the wipe-and-load scenario is as follows:
+
+1. Start the setup on a running operating system.
+
+1. Save the user state locally.
+
+1. Wipe the hard disk clean (except for the folder containing the backup).
+
+1. Install the operating system image.
+
+1. Install other applications.
+
+1. Restore the user state.
+
+After following these steps, the device is ready for use.
+
+### Computer replace
+
+A computer replace is similar to the refresh scenario. However, since we're replacing the device, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
+
+The deployment process for the replace scenario is as follows:
+
+1. Save the user state (data and settings) on the server through a backup job on the running operating system.
+
+1. Deploy the new computer as a bare-metal deployment.
+
+    > [!NOTE]
+    >
+    > In some situations, the replace scenario can be used even if the target is the same device. For example, replace can be used if disk layout needs to be changed from master boot record (MBR) to GUID partition table (GPT). This conversion allows taking advantage of Unified Extensible Firmware Interface (UEFI) functionality.
+
+## Related articles
+
+- [Upgrade to Windows with Microsoft Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md).
+- [Deploy Windows using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md).
+- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference).
+- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
+- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi).

windows/deployment/windows-enterprise-e3-overview.md

@@ -0,0 +1,193 @@
+---
+title: Windows Enterprise E3 in CSP
+description: Describes Windows Enterprise E3, an offering that delivers, by subscription, the features of Windows Enterprise edition.
+ms.service: windows-client
+ms.localizationpriority: medium
+ms.date: 02/13/2024
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
+ms.topic: article
+ms.subservice: itpro-deploy
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+---
+
+# Windows Enterprise E3 in CSP
+
+Windows Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, the following prerequisites must be met:
+
+- A currently supported version of Windows, installed and activated, on the devices to be upgraded.
+- Microsoft Entra available for identity management.
+
+Moving from Windows Pro to Windows Enterprise is more easy than ever before with no keys and no reboots. After a user enters the Microsoft Entra credentials associated with a Windows Enterprise E3 license, the operating system turns from Windows Pro to Windows Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows Pro.
+
+Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows Enterprise to their users. Now, with Windows Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
+
+When Windows Enterprise E3 is purchased via a partner, the following benefits are included:
+
+- **Windows Enterprise edition**. Devices currently running Windows Pro can get Windows Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
+- **Support from one to hundreds of users**. Although the Windows Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
+- **Deploy on up to five devices**. For each user covered by the license, Windows Enterprise edition can be deployed on up to five devices.
+- **Roll back to Windows Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows Enterprise device reverts seamlessly to Windows Pro edition (after a grace period of up to 90 days).
+- **Monthly, per-user pricing model**. This model makes Windows Enterprise E3 affordable for organizations.
+- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing optimization of the licensing investment against changing needs.
+
+How does the Windows Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
+
+- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
+- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
+
+  - **Deployment and management**. These benefits include planning services:
+    - Microsoft Desktop Optimization (MDOP).
+    - Windows Virtual Desktop Access Rights.
+    - Windows Roaming Use Rights.
+    - Other benefits.
+  - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
+  - **Support**. These benefits include:
+    - 24x7 problem resolution support.
+    - Backup capabilities for disaster recovery.
+    - System Center Global Service Monitor.
+    - A passive secondary instance of SQL Server.
+  - **Specialized**. These benefits include step-up licensing availability, which enables migration of software from an earlier edition to a higher-level edition. It also spreads license and Software Assurance payments across three equal, annual sums.
+
+    In addition, in Windows Enterprise E3 in CSP, a partner can manage the licenses for an organization. With Software Assurance, the organization has to manager their own licenses.
+
+In summary, the Windows Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows Enterprise edition. Microsoft Volume Licensing programs and Software Assurance on the other hand are broader in scope and provide benefits beyond access to the Enterprise edition of Windows.
+
+## Compare Windows Pro and Enterprise editions
+
+Windows Enterprise edition has many features that are unavailable in Windows Pro. Table 1 lists some of the Windows Enterprise features not found in Windows Pro. Many of these features are security-related, whereas others enable finer-grained device management.
+
+### Table 1. Windows Enterprise features not found in Windows Pro
+
+|Feature|Description|
+|--- |--- |
+|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** -  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires <ul><li>UEFI 2.3.1 or greater with Trusted Boot</li><li>Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled</li><li>x64 version of Windows</li><li>IOMMU, such as Intel VT-d, AMD-Vi</li><li>BIOS Lockdown</li><li>TPM 2.0 recommended for device health attestation (uses software if TPM 2.0 not present)*</li></ul>|
+|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they're much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
+|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
+|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting started with App-V for Windows client](/windows/application-management/app-v/appv-getting-started).|
+|User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.<br><br>When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) overview](/windows/configuration/ue-v/uev-for-windows).|
+|Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, a device can be configured for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. Access to services such as the Windows Store can also be restricted. For Windows 10, Start layout options can also be managed, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|
+
+## Deployment of Windows Enterprise E3 licenses
+
+See [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
+
+## Deploy Windows Enterprise features
+
+Now that Windows Enterprise edition is running on devices, how are Enterprise edition features and capabilities taken advantage of? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-pro-and-enterprise-editions)?
+
+The following sections provide with the high-level tasks that need to be performed in an environment to help users take advantage of the Windows Enterprise edition features.
+
+### Credential Guard
+
+> [!NOTE]
+>
+> Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present).
+
+Credential Guard can be implemented on Windows Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows virtualization-based (Hyper-V) security features that must be enabled on each device before Credential Guard can be turned on. Credential Guard can be turned on by using one of the following methods:
+
+- **Automated**. Credential Guard can be turned on for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
+
+- **Manual**. Credential Guard can be manually turned on by taking one of the following actions:
+
+  - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
+
+  - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+    These manual steps can be automated by using a management tool such as Microsoft Configuration Manager.
+
+For more information about implementing Credential Guard, see the following resources:
+
+- [Credential Guard overview](/windows/security/identity-protection/credential-guard/)
+- [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations)
+- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
+
+### Device Guard
+
+Now that the devices have Windows Enterprise, Device Guard can be implemented on the Windows Enterprise devices by performing the following steps:
+
+1. **Optionally, create a signing certificate for code integrity policies**. As code integrity policies are deployed, catalog files or code integrity policies might need to be signed internally. To sign catalog files or code integrity policies internally, either a publicly issued code signing certificate (normally purchase) or an internal certificate authority (CA) is needed. If an internal CA is chosen, a code signing certificate needs to be created.
+
+2. **Create code integrity policies from "golden" computers**. Departments or roles sometimes use distinctive or partly distinctive sets of hardware and software. In these instances, "golden" computers containing the software and hardware for these departments or roles can be set up. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, a code integrity policy can be created and then decided how to manage that policy. Code integrity policies can be merged to create a broader policy or a primary policy, or each policy can be managed and deployed individually.
+
+3. **Audit the code integrity policy and capture information about applications that are outside the policy**. Microsoft recommends using "audit mode" to carefully test each code integrity policy before enforcing it. With audit mode, no application is blocked. The policy just logs an event whenever an application outside the policy is started. Later, the policy can be expanded to allow these applications, as needed.
+
+4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for the unsigned LOB applications. In later steps, the catalog file's signature can be merged into the code integrity policy so that the policy allows applications in the catalog.
+
+5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log. Once the information is captured, merge that information into the existing policy. Code integrity policies can also be merged from other sources, which allow flexibility in creating the final code integrity policies.
+
+6. **Deploy code integrity policies and catalog files**. After confirming that all the preceding steps are completed, catalog files can be deployed and the code integrity policies can be taken out of audit mode. Microsoft strongly recommends beginning this process with a test group of users. Testing provides a final quality-control validation before deploying the catalog files and code integrity policies more broadly.
+
+7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
+
+For more information about implementing Device Guard, see:
+
+- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
+- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
+
+### AppLocker management
+
+AppLocker in Windows Enterprise can be managed by using Group Policy. Group Policy requires having AD DS and that the Windows Enterprise devices are joined to an AD DS domain. AppLocker rules can be created by using Group Policy. The AppLocker rules can then be targeted to the appropriate devices.
+
+For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide).
+
+### App-V
+
+App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that are required are:
+
+- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, multiple streaming servers might exist. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
+
+- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. Apps are installed on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
+
+- **App-V client**. The App-V client must be enabled on any Windows Enterprise E3 client device that needs to run apps from the App-V server.
+
+For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
+
+- [Getting started with App-V for Windows client](/windows/application-management/app-v/appv-getting-started)
+- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
+- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
+
+### UE-V
+
+UE-V requires server and client-side components that need to be downloaded, activated, and installed. These components include:
+
+- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
+
+- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location.
+
+- **Settings storage location**. This location is a standard network share that users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings.
+
+- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. Custom settings location templates can also be created, edited, or validated by using the UE-V template generator. Settings location templates aren't required for Windows applications.
+
+- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
+
+For more information about deploying UE-V, see the following resources:
+
+- [User Experience Virtualization (UE-V) overview](/windows/configuration/ue-v/uev-for-windows)
+- [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started)
+- [Prepare a UE-V Deployment](/windows/configuration/ue-v/uev-prepare-for-deployment)
+
+### Managed User Experience
+
+The Managed User Experience feature is a set of Windows Enterprise edition features and corresponding settings that can be used to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, AD DS is required with the Windows Enterprise devices joined to an AD DS domain.
+
+#### Table 2. Managed User Experience features
+
+| Feature          | Description     |
+|------------------|-----------------|
+| Start layout customization | A customized Start layout can be deployed to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables customization of Start layouts for different departments or organizations, with minimal management overhead.<br>For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). |
+| Unbranded boot | Windows elements that appear when Windows starts or resumes can be suppressed. The crash screen when Windows encounters an error from which it can't recover can also be suppressed.<br>For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
+| Custom Logon | The Custom Logon feature can be used to suppress Windows UI elements that relate to the Welcome screen and shutdown screen. For example, all elements of the Welcome screen UI can be suppressed and a custom logon UI can be provided. The Blocked Shutdown Resolver (BSDR) screen can also be suppressed and applications can be automatically ended while the OS waits for applications to close before a shutdown.<br>For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
+| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.<br>For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
+| Keyboard filter | Keyboard Filter can be used to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. These keyboard actions aren't desirable on devices intended for a dedicated purpose.<br>For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
+| Unified write filter | The Unified Write Filter (UWF) can be used on a device to help protect physical storage media, including most standard writable storage types supported by Windows, such as: <ul><li>Physical hard disks</li><li>Solid-state drives</li><li>Internal USB devices</li><li>External SATA devices</li></ui>. UWF can also be used to make read-only media appear to the OS as a writable volume.<br>For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
+
+## Related articles
+
+- [Windows Enterprise Subscription Activation](windows-subscription-activation.md).
+- [Plan your Microsoft Entra hybrid join implementation](/entra/identity/devices/hybrid-join-plan).
+- [Compare Windows editions](https://www.microsoft.com/windows/business/windows-10-pro-vs-windows-11-pro).
+- [Windows for business](https://www.microsoft.com/windows/business).

windows/deployment/windows-subscription-activation.md

@@ -0,0 +1,216 @@
+---
+title: Windows subscription activation
+description: Learn how to dynamically enable Windows Enterprise or Education subscriptions.
+ms.service: windows-client
+ms.subservice: itpro-fundamentals
+ms.localizationpriority: medium
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
+ms.collection:
+  - highpri
+  - tier2
+ms.topic: conceptual
+ms.date: 02/13/2024
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+---
+
+# Windows subscription activation
+
+The subscription activation feature enables a "step-up" from Windows Pro edition to Enterprise edition or from Windows Pro Education edition to Education edition. This feature can be used with a subscription to Windows Enterprise E3 or E5 licenses.
+
+> [!TIP]
+>
+> Windows Pro Education is analogous to Windows Pro, while Windows Education is analogous to Windows Enterprise. In other words, Windows Education is a step-up from Windows Pro Education, similar to how Windows Enterprise is a step-up from Windows Pro.
+
+The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later:
+
+- Standing up on-premises key management services such as KMS or MAK based activation.
+- Entering Generic Volume License Keys (GVLKs).
+- Rebooting client devices.
+
+For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
+
+> [!NOTE]
+>
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
+>
+> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+>
+> Although the app ID is the same in both instances, the name of the cloud app depends on the tenant.
+>
+> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+
+## Subscription activation for Enterprise
+
+Windows Enterprise E3 and E5 are available as online services via subscription. Windows Enterprise can be deployed in an organization without keys and reboots.
+
+- Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise.
+- Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions.
+
+Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using [Microsoft Entra Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+
+> [!NOTE]
+>
+> Subscription activation is available for qualifying devices running currently supported versions of Windows. Subscription activation can't be used to upgrade to a newer version of Windows.
+
+## Subscription activation for Education
+
+Subscription activation for Education works the same as the Enterprise edition. However, in order to use subscription activation for Education, the device must have Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the [requirements](#windows-education-requirements) section.
+
+## Inherited activation
+
+Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows virtual machine (VM) using a Windows host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM.
+
+To support inherited activation, both the host computer and the VM must be running a currently supported version of Windows. The hypervisor platform must also be Windows Hyper-V.
+
+## Requirements
+
+### Windows Enterprise requirements
+
+> [!NOTE]
+>
+> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
+
+> [!IMPORTANT]
+>
+> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. <!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
+
+For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), the following requirements must be met:
+
+- A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
+- Microsoft Entra available for identity management.
+- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
+
+For Microsoft customers that don't have EA or MPSA, Windows Enterprise E3/E5 or A3/A5 licenses can be obtained through a cloud solution provider (CSP). Identity management and device requirements are the same when using CSP to manage licenses. For more information about getting Windows Enterprise E3 through a CSP, see [Windows Enterprise E3 in CSP](windows-enterprise-e3-overview.md).
+
+### Windows Education requirements
+
+- A supported version of Windows Pro Education installed on the devices to be upgraded.
+- A device with a Windows Pro Education digital license. This information can be confirmed under **Settings > System > Activation** or under **Settings > Update & Security > Activation**.
+- The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription.
+- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
+
+> [!IMPORTANT]
+>
+> If Windows Pro is converted to Windows Pro Education, then subscription activation doesn't work. The device needs to be reimaged to Windows Pro Education for subscription activation to work. Alternatively, reimage the device directly to Windows Education.
+
+## Benefits
+
+With Windows Enterprise or Education editions, an organization can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features.
+
+To compare Windows editions and review pricing, see the following sites:
+
+- [Compare Windows editions](https://www.microsoft.com/en-us/windows/business/windows-10-pro-vs-windows-11-pro)
+- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing)
+
+Benefits of moving to Windows as an online service include:
+
+- Licenses for Windows Enterprise and Education are checked based on Microsoft Entra credentials. There's a systematic way to assign licenses to end users and groups in an organization.
+
+- User sign-in triggers a silent edition upgrade, with no reboot required.
+
+- Support for mobile worker and "Bring Your Own Device" (BYOD) or "Choose Your Own Device" (CYOD) activation. This support transitions away from on-premises KMS and MAK keys.
+
+- Compliance support via license assignment.
+
+- Licenses can be updated to different users dynamically, which allows optimization of the licensing investment against changing needs.
+
+## How it works
+
+The device is Microsoft Entra joined, for example from **Settings** > **Accounts** > **Access work or school**.
+
+Windows Enterprise is assigned to a user, for example through the Microsoft 365 admin center. When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise, or from Pro Education to Education. Once the edition is stepped up, Enterprise/Education features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows Pro or Windows Pro Education edition, once the current subscription validity expires.
+
+> [!NOTE]
+>
+> - Devices running a supported version of Windows Pro can get Windows Enterprise general availability channel on up to five devices for each user covered by the license. This limit also applies when stepping up from Windows Pro Education to Windows Education. This benefit doesn't include the long term servicing channel.
+>
+> - A Windows Pro device only steps up to Windows Enterprise edition when a **Windows Enterprise** license is assigned from the Microsoft 365 admin center.
+>
+> - A Windows Pro Education device only steps up to Windows Education edition a **Windows Enterprise** license is assigned from the Microsoft 365 admin center.
+
+### Scenarios
+
+#### Scenario #1
+
+A supported version of Windows is being used. A Windows Enterprise E3 or E5 subscription is purchased, or there's an existing E3 or E5 subscription but Windows Enterprise isn't yet deployed.
+
+All of the Windows Pro devices step-up to Windows Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows Enterprise migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition.
+
+#### Scenario #2
+
+Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows are being used. Microsoft Entra synchronization is configured. The steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) are followed to get a $0 SKU and a new Windows Enterprise E3 or E5 license in Microsoft Entra ID. The license is then assigned to all of the Microsoft Entra users, which can be Active Directory-synced accounts. When that user signs in, the device automatically steps up from Windows Pro to Windows Enterprise or from Windows Pro Education to Windows Education.
+
+#### Earlier versions of Windows
+
+If devices are running Windows 7 or Windows 8.1, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to a currently supported Windows 10 Enterprise edition. This path is supported, and completes the move in one step. However, versions of Windows newer than Windows 10 don't support upgrading from Windows 7 or Windows 8.1. For versions of Windows newer than Windows 10, an upgrade to Windows 10 would first be required, followed by upgrading to the version of Windows Enterprise newer than Windows 10. In this scenario, a wipe-and-load might be more practical.
+
+### Licenses
+
+The following policies apply to acquisition and renewal of licenses on devices:
+
+- Upgraded devices attempt to renew licenses about every 30 days. They must be connected to the internet to successfully acquire or renew a license.
+
+- If a device is disconnected from the internet, until its current subscription expires Windows reverts to Pro or Pro Education. As soon as the device is connected to the internet again, the license automatically renew.
+
+- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the computer where the user hasn't signed in for the longest time reverts to Pro or Pro Education.
+
+- If a device meets the requirements and a licensed user signs in on that device, the device is upgraded.
+
+Licenses can be reallocated from one user to another user, allowing optimization of the licensing investment against changing needs.
+
+With a Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
+
+### Existing Enterprise deployments
+
+With currently supported version of Windows, subscription activation automatically pulls the firmware-embedded Windows activation key and activates the underlying Pro license. The license then steps up to Enterprise using subscription activation. This behavior automatically migrates devices from KMS or MAK activated Enterprise to subscription activated Enterprise.
+
+Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows.
+
+> [!CAUTION]
+>
+> Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE).
+
+If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console:
+
+```powershell
+$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
+```
+
+### Obtaining a Microsoft Entra ID license
+
+If an organization has an Enterprise Agreement (EA) or Software Assurance (SA):
+
+- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Microsoft Entra ID. Ideally, licenses are assigned to groups using the Microsoft Entra ID P1 or P2 feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
+
+- The license administrator can assign licenses to Microsoft Entra users with the same process used for Microsoft 365 Apps.
+
+- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
+
+If an organization has a Microsoft Products & Services Agreement (MPSA):
+
+- New customers are automatically emailed the details of the service. Take steps to process the instructions.
+
+- Existing MPSA customers receive service activation emails that allow their customer administrator to assign users to the service.
+
+- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 are enabled for both the traditional key-based and new subscriptions activation method.
+
+### Deploying licenses
+
+For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
+
+## Virtual Desktop Access (VDA)
+
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
+
+Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
+
+## Related sites
+
+- Connect domain-joined devices to Microsoft Entra ID for Windows experiences. For more information, see [Plan your Microsoft Entra hybrid join implementation](/entra/identity/devices/hybrid-join-plan).
+- [Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11).
+- [Windows for business](https://www.microsoft.com/windows/business).

windows/hub/docfx.json

@@ -45,7 +45,7 @@
       "ms.service": "windows-client",
       "ms.subservice": "itpro-fundamentals",
       "feedback_system": "Standard",
-            "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
       "_op_documentIdPathDepotMapping": {
         "./": {
           "depot_name": "MSDN.windows-hub",
@@ -64,7 +64,8 @@
         "beccarobins",
         "Stacyrch140",
         "v-stsavell",
-        "American-Dipper"
+        "American-Dipper",
+        "shdyas"
       ]
     },
     "fileMetadata": {},
@@ -72,4 +73,4 @@
     "dest": "windows-hub",
     "markdownEngineName": "markdig"
   }
-}
+}

windows/privacy/docfx.json

@@ -40,11 +40,11 @@
       "ms.service": "windows-client",
       "ms.subservice": "itpro-privacy",
       "feedback_system": "Standard",
-            "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
       "_op_documentIdPathDepotMapping": {
         "./": {
           "depot_name": "MSDN.privacy",
-                            "folder_relative_path_in_docset": "./"
+          "folder_relative_path_in_docset": "./"
         }
       },
       "titleSuffix": "Windows Privacy",
@@ -59,13 +59,16 @@
         "beccarobins",
         "Stacyrch140",
         "v-stsavell",
-        "American-Dipper"
+        "American-Dipper",
+        "shdyas"
       ]
     },
-      "searchScope": ["Windows 10"]
+    "searchScope": [
+      "Windows 10"
+    ]
   },
-    "fileMetadata": {},
+  "fileMetadata": {},
-    "template": [],
+  "template": [],
-    "dest": "privacy",
+  "dest": "privacy",
-    "markdownEngineName": "markdig"
+  "markdownEngineName": "markdig"
-}
+}

windows/security/docfx.json

@@ -46,7 +46,7 @@
       "ms.localizationpriority": "medium",
       "manager": "aaroncz",
       "feedback_system": "Standard",
-            "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+      "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
       "_op_documentIdPathDepotMapping": {
         "./": {
           "depot_name": "MSDN.security",
@@ -68,14 +68,15 @@
         "beccarobins",
         "Stacyrch140",
         "v-stsavell",
-        "American-Dipper"
+        "American-Dipper",
+        "shdyas"
       ],
       "searchScope": [
         "Windows 10"
       ]
     },
     "fileMetadata": {
-      "author":{
+      "author": {
         "application-security//**/*.md": "vinaypamnani-msft",
         "application-security//**/*.yml": "vinaypamnani-msft",
         "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther1974",
@@ -93,7 +94,7 @@
         "operating-system-security/network-security/**/*.md": "paolomatarazzo",
         "operating-system-security/network-security/**/*.yml": "paolomatarazzo"
       },
-      "ms.author":{
+      "ms.author": {
         "application-security//**/*.md": "vinpa",
         "application-security//**/*.yml": "vinpa",
         "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther",
@@ -218,7 +219,7 @@
         "identity-protection/virtual-smart-cards/*.md": "ardenw",
         "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
         "operating-system-security/network-security/vpn/*.md": "pesmith",
-        "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
+        "operating-system-security/data-protection/personal-data-encryption/*.md": "rhonnegowda",
         "operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
       },
       "ms.collection": {
@@ -234,4 +235,4 @@
     "dest": "security",
     "markdownEngineName": "markdig"
   }
-}
+}

windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md

@@ -2,20 +2,20 @@
 title: Microsoft Pluton security processor
 description: Learn more about Microsoft Pluton security processor
 ms.topic: conceptual
-ms.date: 07/31/2023
+ms.date: 02/19/2024
 ---
 
 # Microsoft Pluton security processor
 
-Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
+Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
 
 Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
 
 ## What is Microsoft Pluton?
 
-Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker has installed malware or has complete physical possession of the PC.
+Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker installs malware or has complete physical possession of the PC.
 
-Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module as well as deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md).
+Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) and deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for other Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md).
 
 Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/).
 
@@ -28,17 +28,17 @@ Pluton Security subsystem consists of the following layers:
 | | Description |
 |--|--|
 | **Hardware** | Pluton Security Processor is a secure element tightly integrated into the SoC subsystem. It provides a trusted execution environment while delivering cryptographic services required for protecting sensitive resources and critical items like keys, data, etc. |
-| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For additional information, see [Firmware load flow](#firmware-load-flow) |
+| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For more information, see [Firmware load flow](#firmware-load-flow) |
 | **Software** | Operating system drivers and applications available to an end user to allow seamless usage of the hardware capabilities provided by the Pluton security subsystem. |
 
 ## Firmware load flow
 
-When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware is not available, Windows uses the firmware that was loaded during the hardware initialization. The diagram below illustrates this process:
+When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware isn't available, Windows uses the firmware that was loaded during the hardware initialization. This diagram illustrates this process:
 
 ![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png)
 
 [!INCLUDE [microsoft-pluton](../../../../includes/licensing/microsoft-pluton.md)]
 
-## Related topics
+## Related articles
 
 [Microsoft Pluton as TPM](pluton-as-tpm.md)

windows/security/hardware-security/pluton/pluton-as-tpm.md

@@ -2,16 +2,16 @@
 title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
 description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
 ms.topic: conceptual
-ms.date: 07/31/2023
+ms.date: 02/19/2024
 ---
 
 # Microsoft Pluton as Trusted Platform Module
 
 Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and Windows Defender System Guard.
 
-As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution cannot access key material.
+As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installs malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution can't access key material.
 
-Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for them to apply these updates.
+Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from various sources, which can make it difficult for them to apply these updates.
 
 To learn more about the TPM related scenarios that benefit from Pluton, see [TPM and Windows Features](/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features).
 
@@ -25,7 +25,7 @@ Pluton is integrated within the SoC subsystem, and provides a flexible, updatabl
 
 Devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device.
 
-UEFI setup options differ from product to product, visit the product website and check for guidance to enable Pluton as TPM.
+UEFI setup options differ from product to product. Visit the product website and check for guidance to enable Pluton as TPM.
 
 > [!WARNING]
 > If BitLocker is enabled, We recommend disabling BitLocker before changing the TPM configuration to prevent lockouts. After changing TPM configuration, re-enable BitLocker which will then bind the BitLocker keys with the Pluton TPM. Alternatively, save the BitLocker recovery key onto a USB drive.
@@ -35,6 +35,6 @@ UEFI setup options differ from product to product, visit the product website and
 > [!TIP]
 > On most Lenovo devices, entering the UEFI options requires pressing Enter key at startup followed by pressing F1. In the UEFI Setup menu, select Security option, then on the Security page, select Security Chip option, to see the TPM configuration options. Under the drop-down list for Security Chip selection, select **MSFT Pluton** and click F10 to Save and Exit.
 
-## Related topics
+## Related articles
 
 [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)

windows/security/identity-protection/hello-for-business/configure.md

@@ -87,7 +87,7 @@ To check the Windows Hello for Business policy settings applied at enrollment ti
 
 ## Policy conflicts from multiple policy sources
 
-Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business. If you mix GPO and CSP policy settings, the CSP settings are ignored until all group policy settings are cleared.
+Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business, as it can lead to unexpected results. If you mix GPO and CSP policy settings, the conflicting CSP settings aren't applied until the group policy settings are cleared.
 
 > [!IMPORTANT]
 > The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*.

windows/security/introduction.md

@@ -12,6 +12,7 @@ content_well_notification:
 author: paolomatarazzo
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
+ai-usage: ai-assisted
 ---
 
 # Introduction to Windows security

windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md

@@ -0,0 +1,222 @@
+---
+title: Windows Firewall dynamic keywords
+description: Learn about Windows Firewall dynamic keywords and how to configure it using Windows PowerShell.
+ms.topic: how-to
+ms.date: 01/16/2024
+---
+
+# Windows Firewall dynamic keywords
+
+> [!IMPORTANT]
+>This article describes features or settings that are in preview. The content is subject to change and may have dependencies on other features or services in preview.
+
+Windows Firewall includes a functionality called *dynamic keywords*, which simplifies the configuration and management of Windows Firewall.
+
+With dynamic keywords, you can define a set of IP address ranges, fully qualified domain names (FQDNs), and **autoresolution** options, to which one or more Firewall rules can refer.
+
+## Configure dynamic keywords
+
+To configure dynamic keywords, you can use:
+
+- [Firewall CSP][CSP-1], which can be used with a Mobile Device Management (MDM) solution like Microsoft Intune
+- Windows PowerShell
+
+> [!TIP]
+> Microsoft Intune offers a simplified management experience called *reusable settings groups*. For more information, see [Add reusable settings groups to profiles for Firewall rules][MEM-1].
+
+This article describes how to configure dynamic keywords using Windows PowerShell.
+
+## Dynamic keywords and Fully Qualified Domain Names (FQDN)
+
+Dynamic keywords can be configured by defining a set of IP address ranges or FQDNs. Here are important things to consider when using FQDNs:
+
+- FQDN support is for reducing the overhead of managing IP rules where IP addresses are dynamic and change frequently
+- FQDNs aren't a replacement for IP addresses in all scenarios. IP addresses should be used when possible, for security and performance reasons
+  - FQDN rules can affect performance on the endpoint, caused by DNS latency and other factors
+  - FQDN isn't a secure DNS service. The FQDN resolution uses the default DNS configuration of the endpoint
+- An FQDN rule requires a DNS query to happen for that FQDN to be resolved to an IP address. Traffic to IP addresses must generate a DNS query for FQDN rules
+  - Limitations include: websites accessed via proxy, secure DNS services, certain VPN tunnel configurations, cached IPs on the endpoint
+- While Partially Qualified Domain Names (PQDNs) are allowed, FQDNs are preferred. Wildcards `*` are supported for hosts, for example `*.contoso.com`
+
+Two examples of FQDN rules are:
+
+- Block all outbound and inbound by default and allow specific outbound traffic
+- Block all inbound by default and block some specific outbound traffic
+
+> [!NOTE]
+> Inbound FQDN rules aren't natively supported. However, it's possible to use *pre-hydration* scripts to generate inbound IP entries for the rules.
+
+> [!CAUTION]
+> The default configuration of *Blocked for Outbound* rules can be considered for certain highly secure environments. However, the *Inbound* rule configuration should never be changed in a way that allows traffic by default.
+
+In high security environments, an inventory of all apps should be maintained. Records should include whether an app requires network connectivity. Administrators should create new rules specific to each app that needs network connectivity, and push those rules centrally, using a device management solution.
+
+### Functions and known limitations
+
+The Windows Firewall FQDN feature uses the Network Protection external callout driver, to inspect DNS responses where the DNS query matches FQDN rules. Some important functions and limitations of the feature are:
+
+- The Network Protection component doesn't periodically execute DNS queries. It requires an application to execute a DNS query
+- Windows Firewall flushes all stored resolved IP addresses on device restart
+- Network protection doesn't synchronously inspect the DNS response, as it doesn't hold the UDP packet during inspection. The result is a potential condition where an application, after receiving the DNS response, attempts to connect, but gets blocked if it's faster than the firewall rule update
+  - Generally, applications have retry logic for an initial failed connection and as a result the issue is transparent to the end user
+  - On occasion a component might not have retry logic on initial connection fail. Which is solved in two ways:
+    - The user can hit *refresh* in the application they're using, and it should connect successfully
+    - Administrators can use the *prehydration* scripts tactfully, where this condition is occurring in their environment
+
+### FQDN Feature requirements
+
+The following are requirements for the FQDN feature:
+
+- Microsoft Defender Antivirus must be turned on and running platform version `4.18.2209.7` or later.
+  - To verify, open [Windows Security](windowsdefender://) and select **Settings** > **About**
+- Network Protection must be in *block* or *audit* mode. For more information, see [Check if network protection is enabled][M365-1].
+- DNS over HTTPS (DoH) must be disabled. To configure your preferred browser, you can use the following settings:
+  - [Microsoft Edge][EDGE-1]
+  - [Chrome][HTTP-1]
+  - [Firefox][HTTP-2]
+- The device's default DNS resolution settings apply. This feature doesn't provide DNS security or functionality changes
+    > [!TIP]
+    > You can also download the ADMX file from there, follow the directions, and configure it via gpedit.msc for local testing.
+
+## Manage dynamic keywords with Windows PowerShell
+
+This section provides some examples how to manage dynamic keywords using Windows PowerShell. A few important things to consider when using dynamic keywords are:
+
+- All dynamic keyword objects must have a unique identifier (GUID) to represent them
+- A firewall rule can use dynamic keywords instead of explicitly defining IP addresses for its conditions
+- A firewall rule can use both dynamic keywords and statically defined address ranges
+- A dynamic keyword object can be reused across multiple firewall rules
+- If a firewall rule doesn't have any configured remote addresses, then the rule isn't enforced. For example, if a rule is configured with only `AutoResolve` objects that aren't yet resolved
+- If a rule uses multiple dynamic keywords, then the rule is enforced for all addresses that are *currently* resolved. The rule is enforced even if there are unresolved objects. When a dynamic keyword address is updated, all associated rule objects have their remote addresses updated
+- Windows doesn't enforce any dependencies between a rule and a dynamic keyword address, and either object can be created first. A rule can reference dynamic keyword IDs that don't yet exist, in which case the rule isn't enforced
+- You can delete a dynamic keyword address, even if it's in use by a firewall rule
+
+### Allow Outbound
+
+Here's an example script to allow an FQDN from PowerShell. Replace the `$fqdn` variable value with the FQDN you wish to block (line #1):
+
+```PowerShell
+$fqdn = 'contoso.com'
+$id = '{' + (new-guid).ToString() + '}'
+New-NetFirewallDynamicKeywordAddress -id $id -Keyword $fqdn -AutoResolve $true
+New-NetFirewallRule -DisplayName "allow $fqdn" -Action Allow -Direction Outbound -RemoteDynamicKeywordAddresses $id
+```
+
+Dynamic keyword addresses can be created with the `AutoResolve` parameter set to `$true` or `$false`. If `AutoResolve` is set to `$true`, then Windows attempts to resolve the keyword to an IP address.
+
+### Block Outbound
+
+Here's an example script to block an FQDN from PowerShell. Replace the `$fqdn` variable value with the FQDN you wish to block (line #1):
+
+```PowerShell
+$fqdn = 'contoso.com'
+$id = '{' + (new-guid).ToString() + '}'
+New-NetFirewallDynamicKeywordAddress -id $id -Keyword $fqdn -AutoResolve $true
+New-NetFirewallRule -DisplayName "block $fqdn" -Action Block -Direction Outbound -RemoteDynamicKeywordAddresses $id
+```
+
+### Display Auto resolve rules and associated resolved IP addresses
+
+This example shows how to display all dynamic keyword addresses that have the `AutoResolve` parameter set to `$true` and the associated resolved IP addresses.
+
+```PowerShell
+Get-NetFirewallDynamicKeywordAddress -AllAutoResolve
+```
+
+> [!NOTE]
+> IP addresses will not populate until DNS query is observed.
+
+### Hydrate FQDN rules
+
+The following sample scripts read the current Windows Firewall configuration, extract FQDN-based rules, and perform DNS resolution on each domain. The result is that the IP addresses for those rules get "prehydrated."
+
+```PowerShell
+Get-NetFirewallDynamicKeywordAddress -AllAutoResolve |`
+ForEach-Object {
+  if(!$_.Keyword.Contains("*")) {
+    Write-Host "Getting" $_.Keyword
+    resolve-dnsname -Name $_.Keyword -DNSOnly | out-null
+  }
+}
+```
+
+A similar script can be used to perform DNS resolution using `nslookup.exe`:
+
+```PowerShell
+Get-NetFirewallDynamicKeywordAddress -AllAutoResolve |`
+ForEach-Object {
+  if(!$_.Keyword.Contains("*")) {
+    Write-Host "Getting" $_.Keyword
+    nslookup $_.Keyword
+  }
+}
+```
+
+If using `nslookup.exe`, you must create an outbound firewall rule when using the *block all outbound* posture. Here's the command to create the outbound rule for `nslookup.exe`:
+
+```PowerShell
+$appName = 'nslookup'
+$appPath = 'C:\Windows\System32\nslookup.exe'
+New-NetFirewallRule -DisplayName "allow $appName" -Program $appPath -Action Allow -Direction Outbound -Protocol UDP -RemotePort 53
+```
+
+### Block all outbound and allow some FQDNs
+
+In the next example, a list of applications is parsed for FQDN evaluation. The FQDNs listed in the scripts were observed when inspecting traffic on the first launch of Microsoft Edge.
+
+> [!IMPORTANT]
+> This is not a complete list nor a recommendation. It's an example of how an application should be evaluated to ensure proper connectivity and function.
+
+To learn more about Microsoft Edge requirements for Internet connectivity, see [allowlist for Microsoft Edge endpoints][EDGE-4].
+
+```PowerShell
+$domains = @(
+    '*.microsoft.com',
+    '*.msftconnecttest.com',
+    'assets.msn.com',
+    'client.wns.windows.com',
+    'config.edge.skype.com',
+    'ctldl.windowsupdate.com',
+    'dns.msftncsi.com',
+    'login.live.com',
+    'ntp.msn.com'
+)
+
+foreach ($domain in $domains) {
+    $id = '{' + (New-Guid).ToString() + '}'
+    New-NetFirewallDynamicKeywordAddress -Id $id -Keyword $domain -AutoResolve $true
+    New-NetFirewallRule -DisplayName "allow $domain" -Action Allow -Direction Outbound -RemoteDynamicKeywordAddresses $id
+}
+```
+
+For more information about the PowerShell cmdlets used to manage dynamic keywords, see:
+
+- [Get-NetFirewallDynamicKeywordAddress][PS-1]
+- [New-NetFirewallDynamicKeywordAddress][PS-2]
+- [Remove-NetFirewallDynamicKeywordAddress][PS-3]
+- [Update-NetFirewallDynamicKeywordAddress][PS-4]
+
+For information about the API structure, see [Firewall dynamic keywords][WIN-1].
+
+<!--links-->
+
+[CSP-1]: /windows/client-management/mdm/firewall-csp
+
+[EDGE-1]: /deployedge/microsoft-edge-policies#control-the-mode-of-dns-over-https
+[EDGE-2]: /deployedge/microsoft-edge-policies#builtindnsclientenabled
+[EDGE-3]: /deployedge/configure-microsoft-edge
+[EDGE-4]: /deployedge/microsoft-edge-security-endpoints
+
+[HTTP-1]: https://chromeenterprise.google/policies?policy=DnsOverHttpsMode
+[HTTP-2]: https://support.mozilla.org/kb/firefox-dns-over-https
+
+[M365-1]: /microsoft-365/security/defender-endpoint/enable-network-protection#check-if-network-protection-is-enabled
+
+[MEM-1]: /mem/intune/protect/endpoint-security-firewall-policy#add-reusable-settings-groups-to-profiles-for-firewall-rules
+
+[PS-1]: /powershell/module/netsecurity/get-netfirewalldynamickeywordaddress
+[PS-2]: /powershell/module/netsecurity/new-netfirewalldynamickeywordaddress
+[PS-3]: /powershell/module/netsecurity/remove-netfirewalldynamickeywordaddress
+[PS-4]: /powershell/module/netsecurity/update-netfirewalldynamickeywordaddress
+
+[WIN-1]: /windows/win32/ics/firewall-dynamic-keywords

windows/security/operating-system-security/network-security/windows-firewall/toc.yml

@@ -13,6 +13,8 @@ items:
       href: configure.md
     - name: Configure with command line tools
       href: configure-with-command-line.md
+    - name: Dynamic keywords
+      href: dynamic-keywords.md
   - name: Hyper-V firewall
     href: hyper-v-firewall.md
   - name: Troubleshoot

windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md

@@ -47,6 +47,10 @@ Enhanced Phishing Protection can be configured via Microsoft Intune, Group Polic
 | Notify Password Reuse | This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.<li> If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password. |
 | Notify Unsafe App | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps. |
 
+Enhanced Phishing Protection allows organizations to add their custom identity provider sign-in URL as a recognized URL. Then Enhanced Phishing Protection doesn't consider Microsoft passwords typed into an internal identity provider (IdP) as unknown or password reuse. Without knowledge of an enterprise's custom identity provider URL, SmartScreen might not have enough information about the URL. If you configure warning dialogs for Enhanced Phishing Protection, it might show an unsafe password usage dialog to the user entering their Microsoft password into the URL.
+
+To add your organization's custom sign-in URL to Enhanced Phishing Protection, configure the `EnableWebSignIn` policy in the [Authentication Policy CSP](/windows/client-management/mdm/policy-csp-authentication#enablewebsignin). For more information, see [Web sign-in for Windows](../../../identity-protection/web-sign-in/index.md).
+
 Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP.
 
 #### [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)
@@ -91,7 +95,7 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n
 
 | Setting                   | Default Value                                                                                              | Recommendation                                                                                                                                                                                                        |
 |---------------------------|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Automatic Data Collection | **Enabled** for domain joined devices or devices enrolled with MDM.<br>**Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence                                                              |
+| Automatic Data Collection | **Enabled** for domain joined devices or devices enrolled with MDM.<br>**Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.                                                              |
 | Service Enabled           | **Enabled**                                                                                                | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.                     |
 | Notify Malicious          | **Disabled** for devices onboarded to MDE.<br>**Enabled** for all other devices.                           | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. |
 | Notify Password Reuse     | **Disabled**                                                                                               | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.                                                         |
@@ -99,14 +103,6 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n
 
 To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
 
-| Setting                   | Default Value                                                                                              | Recommendation                                                                                                                                                                                                                                                       |
-|---------------------------|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Automatic Data Collection | **Disabled** for domain joined devices or devices enrolled with MDM.<br>**Enabled** for all other devices. | **Enabled**: Turns on collection of additional content when users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. |
-| Service Enabled           | **Enabled**                                                                                                | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.                                                                    |
-| Notify Malicious          | **Disabled** for devices onboarded to MDE.<br>**Enabled** for all other devices.                           | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.                                                |
-| Notify Password Reuse     | **Disabled**                                                                                               | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.                                                                                                        |
-| Notify Unsafe App         | **Disabled**                                                                                               | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.                                                                                                            |
-
 #### [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)
 
 | Settings catalog element  | Recommended value |

windows/security/threat-protection/auditing/TOC.yml

@@ -1,767 +0,0 @@
-        - name: Security auditing
-          href: security-auditing-overview.md
-          items: 
-            - name: Basic security audit policies
-              href: basic-security-audit-policies.md
-              items: 
-                - name: Create a basic audit policy for an event category
-                  href: create-a-basic-audit-policy-settings-for-an-event-category.md
-                - name: Apply a basic audit policy on a file or folder
-                  href: apply-a-basic-audit-policy-on-a-file-or-folder.md
-                - name: View the security event log
-                  href: view-the-security-event-log.md
-                - name: Basic security audit policy settings
-                  href: basic-security-audit-policy-settings.md
-                  items: 
-                    - name: Audit account logon events
-                      href: basic-audit-account-logon-events.md
-                    - name: Audit account management
-                      href: basic-audit-account-management.md
-                    - name: Audit directory service access
-                      href: basic-audit-directory-service-access.md
-                    - name: Audit logon events
-                      href: basic-audit-logon-events.md
-                    - name: Audit object access
-                      href: basic-audit-object-access.md
-                    - name: Audit policy change
-                      href: basic-audit-policy-change.md
-                    - name: Audit privilege use
-                      href: basic-audit-privilege-use.md
-                    - name: Audit process tracking
-                      href: basic-audit-process-tracking.md
-                    - name: Audit system events
-                      href: basic-audit-system-events.md
-            - name: Advanced security audit policies
-              href: advanced-security-auditing.md
-              items: 
-                - name: Planning and deploying advanced security audit policies
-                  href: planning-and-deploying-advanced-security-audit-policies.md
-                - name: Advanced security auditing FAQ
-                  href: advanced-security-auditing-faq.yml
-                  items: 
-                    - name: Which editions of Windows support advanced audit policy configuration
-                      href: which-editions-of-windows-support-advanced-audit-policy-configuration.md
-                    - name: How to list XML elements in \<EventData>
-                      href: how-to-list-xml-elements-in-eventdata.md
-                    - name: Using advanced security auditing options to monitor dynamic access control objects
-                      href: using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
-                      items: 
-                        - name: Monitor the central access policies that apply on a file server
-                          href: monitor-the-central-access-policies-that-apply-on-a-file-server.md
-                        - name: Monitor the use of removable storage devices
-                          href: monitor-the-use-of-removable-storage-devices.md
-                        - name: Monitor resource attribute definitions
-                          href: monitor-resource-attribute-definitions.md
-                        - name: Monitor central access policy and rule definitions
-                          href: monitor-central-access-policy-and-rule-definitions.md
-                        - name: Monitor user and device claims during sign-in
-                          href: monitor-user-and-device-claims-during-sign-in.md
-                        - name: Monitor the resource attributes on files and folders
-                          href: monitor-the-resource-attributes-on-files-and-folders.md
-                        - name: Monitor the central access policies associated with files and folders
-                          href: monitor-the-central-access-policies-associated-with-files-and-folders.md
-                        - name: Monitor claim types
-                          href: monitor-claim-types.md
-                    - name: Advanced security audit policy settings
-                      href: advanced-security-audit-policy-settings.md
-                      items: 
-                        - name: Audit Credential Validation
-                          href: audit-credential-validation.md
-                        - name: "Event 4774 S, F: An account was mapped for logon."
-                          href: event-4774.md
-                        - name: "Event 4775 F: An account could not be mapped for logon."
-                          href: event-4775.md
-                        - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account."
-                          href: event-4776.md
-                        - name: "Event 4777 F: The domain controller failed to validate the credentials for an account."
-                          href: event-4777.md
-                    - name: Audit Kerberos Authentication Service
-                      href: audit-kerberos-authentication-service.md
-                      items: 
-                        - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested."
-                          href: event-4768.md
-                        - name: "Event 4771 F: Kerberos pre-authentication failed."
-                          href: event-4771.md
-                        - name: "Event 4772 F: A Kerberos authentication ticket request failed."
-                          href: event-4772.md
-                    - name: Audit Kerberos Service Ticket Operations
-                      href: audit-kerberos-service-ticket-operations.md
-                      items: 
-                        - name: "Event 4769 S, F: A Kerberos service ticket was requested."
-                          href: event-4769.md
-                        - name: "Event 4770 S: A Kerberos service ticket was renewed."
-                          href: event-4770.md
-                        - name: "Event 4773 F: A Kerberos service ticket request failed."
-                          href: event-4773.md
-                    - name: Audit Other Account Logon Events
-                      href: audit-other-account-logon-events.md
-                    - name: Audit Application Group Management
-                      href: audit-application-group-management.md
-                    - name: Audit Computer Account Management
-                      href: audit-computer-account-management.md
-                      items: 
-                        - name: "Event 4741 S: A computer account was created."
-                          href: event-4741.md
-                        - name: "Event 4742 S: A computer account was changed."
-                          href: event-4742.md
-                        - name: "Event 4743 S: A computer account was deleted."
-                          href: event-4743.md
-                    - name: Audit Distribution Group Management
-                      href: audit-distribution-group-management.md
-                      items: 
-                        - name: "Event 4749 S: A security-disabled global group was created."
-                          href: event-4749.md
-                        - name: "Event 4750 S: A security-disabled global group was changed."
-                          href: event-4750.md
-                        - name: "Event 4751 S: A member was added to a security-disabled global group."
-                          href: event-4751.md
-                        - name: "Event 4752 S: A member was removed from a security-disabled global group."
-                          href: event-4752.md
-                        - name: "Event 4753 S: A security-disabled global group was deleted."
-                          href: event-4753.md
-                    - name: Audit Other Account Management Events
-                      href: audit-other-account-management-events.md
-                      items: 
-                        - name: "Event 4782 S: The password hash of an account was accessed."
-                          href: event-4782.md
-                        - name: "Event 4793 S: The Password Policy Checking API was called."
-                          href: event-4793.md
-                    - name: Audit Security Group Management
-                      href: audit-security-group-management.md
-                      items: 
-                        - name: "Event 4731 S: A security-enabled local group was created."
-                          href: event-4731.md
-                        - name: "Event 4732 S: A member was added to a security-enabled local group."
-                          href: event-4732.md
-                        - name: "Event 4733 S: A member was removed from a security-enabled local group."
-                          href: event-4733.md
-                        - name: "Event 4734 S: A security-enabled local group was deleted."
-                          href: event-4734.md
-                        - name: "Event 4735 S: A security-enabled local group was changed."
-                          href: event-4735.md
-                        - name: "Event 4764 S: A group<75>s type was changed."
-                          href: event-4764.md
-                        - name: "Event 4799 S: A security-enabled local group membership was enumerated."
-                          href: event-4799.md
-                    - name: Audit User Account Management
-                      href: audit-user-account-management.md
-                      items: 
-                        - name: "Event 4720 S: A user account was created."
-                          href: event-4720.md
-                        - name: "Event 4722 S: A user account was enabled."
-                          href: event-4722.md
-                        - name: "Event 4723 S, F: An attempt was made to change an account's password."
-                          href: event-4723.md
-                        - name: "Event 4724 S, F: An attempt was made to reset an account's password."
-                          href: event-4724.md
-                        - name: "Event 4725 S: A user account was disabled."
-                          href: event-4725.md
-                        - name: "Event 4726 S: A user account was deleted."
-                          href: event-4726.md
-                        - name: "Event 4738 S: A user account was changed."
-                          href: event-4738.md
-                        - name: "Event 4740 S: A user account was locked out."
-                          href: event-4740.md
-                        - name: "Event 4765 S: SID History was added to an account."
-                          href: event-4765.md
-                        - name: "Event 4766 F: An attempt to add SID History to an account failed."
-                          href: event-4766.md
-                        - name: "Event 4767 S: A user account was unlocked."
-                          href: event-4767.md
-                        - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups."
-                          href: event-4780.md
-                        - name: "Event 4781 S: The name of an account was changed."
-                          href: event-4781.md
-                        - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password."
-                          href: event-4794.md
-                        - name: "Event 4798 S: A user's local group membership was enumerated."
-                          href: event-4798.md
-                        - name: "Event 5376 S: Credential Manager credentials were backed up."
-                          href: event-5376.md
-                        - name: "Event 5377 S: Credential Manager credentials were restored from a backup."
-                          href: event-5377.md
-                    - name: Audit DPAPI Activity
-                      href: audit-dpapi-activity.md
-                      items: 
-                        - name: "Event 4692 S, F: Backup of data protection master key was attempted."
-                          href: event-4692.md
-                        - name: "Event 4693 S, F: Recovery of data protection master key was attempted."
-                          href: event-4693.md
-                        - name: "Event 4694 S, F: Protection of auditable protected data was attempted."
-                          href: event-4694.md
-                        - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted."
-                          href: event-4695.md
-                    - name: Audit PNP Activity
-                      href: audit-pnp-activity.md
-                      items: 
-                        - name: "Event 6416 S: A new external device was recognized by the System."
-                          href: event-6416.md
-                        - name: "Event 6419 S: A request was made to disable a device."
-                          href: event-6419.md
-                        - name: "Event 6420 S: A device was disabled."
-                          href: event-6420.md
-                        - name: "Event 6421 S: A request was made to enable a device."
-                          href: event-6421.md
-                        - name: "Event 6422 S: A device was enabled."
-                          href: event-6422.md
-                        - name: "Event 6423 S: The installation of this device is forbidden by system policy."
-                          href: event-6423.md
-                        - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy."
-                          href: event-6424.md
-                    - name: Audit Process Creation
-                      href: audit-process-creation.md
-                      items: 
-                        - name: "Event 4688 S: A new process has been created."
-                          href: event-4688.md
-                        - name: "Event 4696 S: A primary token was assigned to process."
-                          href: event-4696.md
-                    - name: Audit Process Termination
-                      href: audit-process-termination.md
-                      items: 
-                        - name: "Event 4689 S: A process has exited."
-                          href: event-4689.md
-                    - name: Audit RPC Events
-                      href: audit-rpc-events.md
-                      items: 
-                        - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted."
-                          href: event-5712.md
-                    - name: Audit Token Right Adjusted
-                      href: audit-token-right-adjusted.md
-                      items: 
-                        - name: "Event 4703 S: A user right was adjusted."
-                          href: event-4703.md
-                    - name: Audit Detailed Directory Service Replication
-                      href: audit-detailed-directory-service-replication.md
-                      items: 
-                        - name: "Event 4928 S, F: An Active Directory replica source naming context was established."
-                          href: event-4928.md
-                        - name: "Event 4929 S, F: An Active Directory replica source naming context was removed."
-                          href: event-4929.md
-                        - name: "Event 4930 S, F: An Active Directory replica source naming context was modified."
-                          href: event-4930.md
-                        - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified."
-                          href: event-4931.md
-                        - name: "Event 4934 S: Attributes of an Active Directory object were replicated."
-                          href: event-4934.md
-                        - name: "Event 4935 F: Replication failure begins."
-                          href: event-4935.md
-                        - name: "Event 4936 S: Replication failure ends."
-                          href: event-4936.md
-                        - name: "Event 4937 S: A lingering object was removed from a replica."
-                          href: event-4937.md
-                    - name: Audit Directory Service Access
-                      href: audit-directory-service-access.md
-                      items: 
-                        - name: "Event 4662 S, F: An operation was performed on an object."
-                          href: event-4662.md
-                        - name: "Event 4661 S, F: A handle to an object was requested."
-                          href: event-4661.md
-                    - name: Audit Directory Service Changes
-                      href: audit-directory-service-changes.md
-                      items: 
-                        - name: "Event 5136 S: A directory service object was modified."
-                          href: event-5136.md
-                        - name: "Event 5137 S: A directory service object was created."
-                          href: event-5137.md
-                        - name: "Event 5138 S: A directory service object was undeleted."
-                          href: event-5138.md
-                        - name: "Event 5139 S: A directory service object was moved."
-                          href: event-5139.md
-                        - name: "Event 5141 S: A directory service object was deleted."
-                          href: event-5141.md
-                    - name: Audit Directory Service Replication
-                      href: audit-directory-service-replication.md
-                      items: 
-                        - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun."
-                          href: event-4932.md
-                        - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended."
-                          href: event-4933.md
-                    - name: Audit Account Lockout
-                      href: audit-account-lockout.md
-                      items: 
-                        - name: "Event 4625 F: An account failed to log on."
-                          href: event-4625.md
-                    - name: Audit User/Device Claims
-                      href: audit-user-device-claims.md
-                      items: 
-                        - name: "Event 4626 S: User/Device claims information."
-                          href: event-4626.md
-                    - name: Audit Group Membership
-                      href: audit-group-membership.md
-                      items: 
-                        - name: "Event 4627 S: Group membership information."
-                          href: event-4627.md
-                    - name: Audit IPsec Extended Mode
-                      href: audit-ipsec-extended-mode.md
-                    - name: Audit IPsec Main Mode
-                      href: audit-ipsec-main-mode.md
-                    - name: Audit IPsec Quick Mode
-                      href: audit-ipsec-quick-mode.md
-                    - name: Audit Logoff
-                      href: audit-logoff.md
-                      items: 
-                        - name: "Event 4634 S: An account was logged off."
-                          href: event-4634.md
-                        - name: "Event 4647 S: User initiated logoff."
-                          href: event-4647.md
-                    - name: Audit Logon
-                      href: audit-logon.md
-                      items: 
-                        - name: "Event 4624 S: An account was successfully logged on."
-                          href: event-4624.md
-                        - name: "Event 4625 F: An account failed to log on."
-                          href: event-4625.md
-                        - name: "Event 4648 S: A logon was attempted using explicit credentials."
-                          href: event-4648.md
-                        - name: "Event 4675 S: SIDs were filtered."
-                          href: event-4675.md
-                    - name: Audit Network Policy Server
-                      href: audit-network-policy-server.md
-                    - name: Audit Other Logon/Logoff Events
-                      href: audit-other-logonlogoff-events.md
-                      items: 
-                        - name: "Event 4649 S: A replay attack was detected."
-                          href: event-4649.md
-                        - name: "Event 4778 S: A session was reconnected to a Window Station."
-                          href: event-4778.md
-                        - name: "Event 4779 S: A session was disconnected from a Window Station."
-                          href: event-4779.md
-                        - name: "Event 4800 S: The workstation was locked."
-                          href: event-4800.md
-                        - name: "Event 4801 S: The workstation was unlocked."
-                          href: event-4801.md
-                        - name: "Event 4802 S: The screen saver was invoked."
-                          href: event-4802.md
-                        - name: "Event 4803 S: The screen saver was dismissed."
-                          href: event-4803.md
-                        - name: "Event 5378 F: The requested credentials delegation was disallowed by policy."
-                          href: event-5378.md
-                        - name: "Event 5632 S, F: A request was made to authenticate to a wireless network."
-                          href: event-5632.md
-                        - name: "Event 5633 S, F: A request was made to authenticate to a wired network."
-                          href: event-5633.md
-                    - name: Audit Special Logon
-                      href: audit-special-logon.md
-                      items: 
-                        - name: "Event 4964 S: Special groups have been assigned to a new logon."
-                          href: event-4964.md
-                        - name: "Event 4672 S: Special privileges assigned to new logon."
-                          href: event-4672.md
-                    - name: Audit Application Generated
-                      href: audit-application-generated.md
-                    - name: Audit Certification Services
-                      href: audit-certification-services.md
-                    - name: Audit Detailed File Share
-                      href: audit-detailed-file-share.md
-                      items: 
-                        - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access."
-                          href: event-5145.md
-                    - name: Audit File Share
-                      href: audit-file-share.md
-                      items: 
-                        - name: "Event 5140 S, F: A network share object was accessed."
-                          href: event-5140.md
-                        - name: "Event 5142 S: A network share object was added."
-                          href: event-5142.md
-                        - name: "Event 5143 S: A network share object was modified."
-                          href: event-5143.md
-                        - name: "Event 5144 S: A network share object was deleted."
-                          href: event-5144.md
-                        - name: "Event 5168 F: SPN check for SMB/SMB2 failed."
-                          href: event-5168.md
-                    - name: Audit File System
-                      href: audit-file-system.md
-                      items: 
-                        - name: "Event 4656 S, F: A handle to an object was requested."
-                          href: event-4656.md
-                        - name: "Event 4658 S: The handle to an object was closed."
-                          href: event-4658.md
-                        - name: "Event 4660 S: An object was deleted."
-                          href: event-4660.md
-                        - name: "Event 4663 S: An attempt was made to access an object."
-                          href: event-4663.md
-                        - name: "Event 4664 S: An attempt was made to create a hard link."
-                          href: event-4664.md
-                        - name: "Event 4985 S: The state of a transaction has changed."
-                          href: event-4985.md
-                        - name: "Event 5051: A file was virtualized."
-                          href: event-5051.md
-                        - name: "Event 4670 S: Permissions on an object were changed."
-                          href: event-4670.md
-                    - name: Audit Filtering Platform Connection
-                      href: audit-filtering-platform-connection.md
-                      items: 
-                        - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network."
-                          href: event-5031.md
-                        - name: "Event 5150: The Windows Filtering Platform blocked a packet."
-                          href: event-5150.md
-                        - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet."
-                          href: event-5151.md
-                        - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections."
-                          href: event-5154.md
-                        - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections."
-                          href: event-5155.md
-                        - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection."
-                          href: event-5156.md
-                        - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection."
-                          href: event-5157.md
-                        - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port."
-                          href: event-5158.md
-                        - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port."
-                          href: event-5159.md
-                    - name: Audit Filtering Platform Packet Drop
-                      href: audit-filtering-platform-packet-drop.md
-                      items: 
-                        - name: "Event 5152 F: The Windows Filtering Platform blocked a packet."
-                          href: event-5152.md
-                        - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet."
-                          href: event-5153.md
-                    - name: Audit Handle Manipulation
-                      href: audit-handle-manipulation.md
-                      items: 
-                        - name: "Event 4690 S: An attempt was made to duplicate a handle to an object."
-                          href: event-4690.md
-                    - name: Audit Kernel Object
-                      href: audit-kernel-object.md
-                      items: 
-                        - name: "Event 4656 S, F: A handle to an object was requested."
-                          href: event-4656.md
-                        - name: "Event 4658 S: The handle to an object was closed."
-                          href: event-4658.md
-                        - name: "Event 4660 S: An object was deleted."
-                          href: event-4660.md
-                        - name: "Event 4663 S: An attempt was made to access an object."
-                          href: event-4663.md
-                    - name: Audit Other Object Access Events
-                      href: audit-other-object-access-events.md
-                      items: 
-                        - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS."
-                          href: event-4671.md
-                        - name: "Event 4691 S: Indirect access to an object was requested."
-                          href: event-4691.md
-                        - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded."
-                          href: event-5148.md
-                        - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed."
-                          href: event-5149.md
-                        - name: "Event 4698 S: A scheduled task was created."
-                          href: event-4698.md
-                        - name: "Event 4699 S: A scheduled task was deleted."
-                          href: event-4699.md
-                        - name: "Event 4700 S: A scheduled task was enabled."
-                          href: event-4700.md
-                        - name: "Event 4701 S: A scheduled task was disabled."
-                          href: event-4701.md
-                        - name: "Event 4702 S: A scheduled task was updated."
-                          href: event-4702.md
-                        - name: "Event 5888 S: An object in the COM+ Catalog was modified."
-                          href: event-5888.md
-                        - name: "Event 5889 S: An object was deleted from the COM+ Catalog."
-                          href: event-5889.md
-                        - name: "Event 5890 S: An object was added to the COM+ Catalog."
-                          href: event-5890.md
-                    - name: Audit Registry
-                      href: audit-registry.md
-                      items: 
-                        - name: "Event 4663 S: An attempt was made to access an object."
-                          href: event-4663.md
-                        - name: "Event 4656 S, F: A handle to an object was requested."
-                          href: event-4656.md
-                        - name: "Event 4658 S: The handle to an object was closed."
-                          href: event-4658.md
-                        - name: "Event 4660 S: An object was deleted."
-                          href: event-4660.md
-                        - name: "Event 4657 S: A registry value was modified."
-                          href: event-4657.md
-                        - name: "Event 5039: A registry key was virtualized."
-                          href: event-5039.md
-                        - name: "Event 4670 S: Permissions on an object were changed."
-                          href: event-4670.md
-                    - name: Audit Removable Storage
-                      href: audit-removable-storage.md
-                    - name: Audit SAM
-                      href: audit-sam.md
-                      items: 
-                        - name: "Event 4661 S, F: A handle to an object was requested."
-                          href: event-4661.md
-                    - name: Audit Central Access Policy Staging
-                      href: audit-central-access-policy-staging.md
-                      items: 
-                        - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy."
-                          href: event-4818.md
-                    - name: Audit Audit Policy Change
-                      href: audit-audit-policy-change.md
-                      items: 
-                        - name: "Event 4670 S: Permissions on an object were changed."
-                          href: event-4670.md
-                        - name: "Event 4715 S: The audit policy, SACL, on an object was changed."
-                          href: event-4715.md
-                        - name: "Event 4719 S: System audit policy was changed."
-                          href: event-4719.md
-                        - name: "Event 4817 S: Auditing settings on object were changed."
-                          href: event-4817.md
-                        - name: "Event 4902 S: The Per-user audit policy table was created."
-                          href: event-4902.md
-                        - name: "Event 4906 S: The CrashOnAuditFail value has changed."
-                          href: event-4906.md
-                        - name: "Event 4907 S: Auditing settings on object were changed."
-                          href: event-4907.md
-                        - name: "Event 4908 S: Special Groups Logon table modified."
-                          href: event-4908.md
-                        - name: "Event 4912 S: Per User Audit Policy was changed."
-                          href: event-4912.md
-                        - name: "Event 4904 S: An attempt was made to register a security event source."
-                          href: event-4904.md
-                        - name: "Event 4905 S: An attempt was made to unregister a security event source."
-                          href: event-4905.md
-                    - name: Audit Authentication Policy Change
-                      href: audit-authentication-policy-change.md
-                      items: 
-                        - name: "Event 4706 S: A new trust was created to a domain."
-                          href: event-4706.md
-                        - name: "Event 4707 S: A trust to a domain was removed."
-                          href: event-4707.md
-                        - name: "Event 4716 S: Trusted domain information was modified."
-                          href: event-4716.md
-                        - name: "Event 4713 S: Kerberos policy was changed."
-                          href: event-4713.md
-                        - name: "Event 4717 S: System security access was granted to an account."
-                          href: event-4717.md
-                        - name: "Event 4718 S: System security access was removed from an account."
-                          href: event-4718.md
-                        - name: "Event 4739 S: Domain Policy was changed."
-                          href: event-4739.md
-                        - name: "Event 4864 S: A namespace collision was detected."
-                          href: event-4864.md
-                        - name: "Event 4865 S: A trusted forest information entry was added."
-                          href: event-4865.md
-                        - name: "Event 4866 S: A trusted forest information entry was removed."
-                          href: event-4866.md
-                        - name: "Event 4867 S: A trusted forest information entry was modified."
-                          href: event-4867.md
-                    - name: Audit Authorization Policy Change
-                      href: audit-authorization-policy-change.md
-                      items: 
-                        - name: "Event 4703 S: A user right was adjusted."
-                          href: event-4703.md
-                        - name: "Event 4704 S: A user right was assigned."
-                          href: event-4704.md
-                        - name: "Event 4705 S: A user right was removed."
-                          href: event-4705.md
-                        - name: "Event 4670 S: Permissions on an object were changed."
-                          href: event-4670.md
-                        - name: "Event 4911 S: Resource attributes of the object were changed."
-                          href: event-4911.md
-                        - name: "Event 4913 S: Central Access Policy on the object was changed."
-                          href: event-4913.md
-                    - name: Audit Filtering Platform Policy Change
-                      href: audit-filtering-platform-policy-change.md
-                    - name: Audit MPSSVC Rule-Level Policy Change
-                      href: audit-mpssvc-rule-level-policy-change.md
-                      items: 
-                        - name: "Event 4944 S: The following policy was active when the Windows Firewall started."
-                          href: event-4944.md
-                        - name: "Event 4945 S: A rule was listed when the Windows Firewall started."
-                          href: event-4945.md
-                        - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added."
-                          href: event-4946.md
-                        - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified."
-                          href: event-4947.md
-                        - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted."
-                          href: event-4948.md
-                        - name: "Event 4949 S: Windows Firewall settings were restored to the default values."
-                          href: event-4949.md
-                        - name: "Event 4950 S: A Windows Firewall setting has changed."
-                          href: event-4950.md
-                        - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall."
-                          href: event-4951.md
-                        - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced."
-                          href: event-4952.md
-                        - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed."
-                          href: event-4953.md
-                        - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied."
-                          href: event-4954.md
-                        - name: "Event 4956 S: Windows Firewall has changed the active profile."
-                          href: event-4956.md
-                        - name: "Event 4957 F: Windows Firewall did not apply the following rule."
-                          href: event-4957.md
-                        - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer."
-                          href: event-4958.md
-                    - name: Audit Other Policy Change Events
-                      href: audit-other-policy-change-events.md
-                      items: 
-                        - name: "Event 4714 S: Encrypted data recovery policy was changed."
-                          href: event-4714.md
-                        - name: "Event 4819 S: Central Access Policies on the machine have been changed."
-                          href: event-4819.md
-                        - name: "Event 4826 S: Boot Configuration Data loaded."
-                          href: event-4826.md
-                        - name: "Event 4909: The local policy settings for the TBS were changed."
-                          href: event-4909.md
-                        - name: "Event 4910: The group policy settings for the TBS were changed."
-                          href: event-4910.md
-                        - name: "Event 5063 S, F: A cryptographic provider operation was attempted."
-                          href: event-5063.md
-                        - name: "Event 5064 S, F: A cryptographic context operation was attempted."
-                          href: event-5064.md
-                        - name: "Event 5065 S, F: A cryptographic context modification was attempted."
-                          href: event-5065.md
-                        - name: "Event 5066 S, F: A cryptographic function operation was attempted."
-                          href: event-5066.md
-                        - name: "Event 5067 S, F: A cryptographic function modification was attempted."
-                          href: event-5067.md
-                        - name: "Event 5068 S, F: A cryptographic function provider operation was attempted."
-                          href: event-5068.md
-                        - name: "Event 5069 S, F: A cryptographic function property operation was attempted."
-                          href: event-5069.md
-                        - name: "Event 5070 S, F: A cryptographic function property modification was attempted."
-                          href: event-5070.md
-                        - name: "Event 5447 S: A Windows Filtering Platform filter has been changed."
-                          href: event-5447.md
-                        - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully."
-                          href: event-6144.md
-                        - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects."
-                          href: event-6145.md
-                    - name: Audit Sensitive Privilege Use
-                      href: audit-sensitive-privilege-use.md
-                      items: 
-                        - name: "Event 4673 S, F: A privileged service was called."
-                          href: event-4673.md
-                        - name: "Event 4674 S, F: An operation was attempted on a privileged object."
-                          href: event-4674.md
-                        - name: "Event 4985 S: The state of a transaction has changed."
-                          href: event-4985.md
-                    - name: Audit Non Sensitive Privilege Use
-                      href: audit-non-sensitive-privilege-use.md
-                      items: 
-                        - name: "Event 4673 S, F: A privileged service was called."
-                          href: event-4673.md
-                        - name: "Event 4674 S, F: An operation was attempted on a privileged object."
-                          href: event-4674.md
-                        - name: "Event 4985 S: The state of a transaction has changed."
-                          href: event-4985.md
-                    - name: Audit Other Privilege Use Events
-                      href: audit-other-privilege-use-events.md
-                      items: 
-                        - name: "Event 4985 S: The state of a transaction has changed."
-                          href: event-4985.md
-                    - name: Audit IPsec Driver
-                      href: audit-ipsec-driver.md
-                    - name: Audit Other System Events
-                      href: audit-other-system-events.md
-                      items: 
-                        - name: "Event 5024 S: The Windows Firewall Service has started successfully."
-                          href: event-5024.md
-                        - name: "Event 5025 S: The Windows Firewall Service has been stopped."
-                          href: event-5025.md
-                        - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy."
-                          href: event-5027.md
-                        - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy."
-                          href: event-5028.md
-                        - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy."
-                          href: event-5029.md
-                        - name: "Event 5030 F: The Windows Firewall Service failed to start."
-                          href: event-5030.md
-                        - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network."
-                          href: event-5032.md
-                        - name: "Event 5033 S: The Windows Firewall Driver has started successfully."
-                          href: event-5033.md
-                        - name: "Event 5034 S: The Windows Firewall Driver was stopped."
-                          href: event-5034.md
-                        - name: "Event 5035 F: The Windows Firewall Driver failed to start."
-                          href: event-5035.md
-                        - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating."
-                          href: event-5037.md
-                        - name: "Event 5058 S, F: Key file operation."
-                          href: event-5058.md
-                        - name: "Event 5059 S, F: Key migration operation."
-                          href: event-5059.md
-                        - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content."
-                          href: event-6400.md
-                        - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded."
-                          href: event-6401.md
-                        - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted."
-                          href: event-6402.md
-                        - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client."
-                          href: event-6403.md
-                        - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."
-                          href: event-6404.md
-                        - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred."
-                          href: event-6405.md
-                        - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2."
-                          href: event-6406.md
-                        - name: "Event 6407: 1%."
-                          href: event-6407.md
-                        - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."
-                          href: event-6408.md
-                        - name: "Event 6409: BranchCache: A service connection point object could not be parsed."
-                          href: event-6409.md
-                    - name: Audit Security State Change
-                      href: audit-security-state-change.md
-                      items: 
-                        - name: "Event 4608 S: Windows is starting up."
-                          href: event-4608.md
-                        - name: "Event 4616 S: The system time was changed."
-                          href: event-4616.md
-                        - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail."
-                          href: event-4621.md
-                    - name: Audit Security System Extension
-                      href: audit-security-system-extension.md
-                      items: 
-                        - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority."
-                          href: event-4610.md
-                        - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority."
-                          href: event-4611.md
-                        - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager."
-                          href: event-4614.md
-                        - name: "Event 4622 S: A security package has been loaded by the Local Security Authority."
-                          href: event-4622.md
-                        - name: "Event 4697 S: A service was installed in the system."
-                          href: event-4697.md
-                    - name: Audit System Integrity
-                      href: audit-system-integrity.md
-                      items: 
-                        - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits."
-                          href: event-4612.md
-                        - name: "Event 4615 S: Invalid use of LPC port."
-                          href: event-4615.md
-                        - name: "Event 4618 S: A monitored security event pattern has occurred."
-                          href: event-4618.md
-                        - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message."
-                          href: event-4816.md
-                        - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid."
-                          href: event-5038.md
-                        - name: "Event 5056 S: A cryptographic self-test was performed."
-                          href: event-5056.md
-                        - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed."
-                          href: event-5062.md
-                        - name: "Event 5057 F: A cryptographic primitive operation failed."
-                          href: event-5057.md
-                        - name: "Event 5060 F: Verification operation failed."
-                          href: event-5060.md
-                        - name: "Event 5061 S, F: Cryptographic operation."
-                          href: event-5061.md
-                        - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid."
-                          href: event-6281.md
-                        - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process."
-                          href: event-6410.md
-                    - name: Other Events
-                      href: other-events.md
-                      items: 
-                        - name: "Event 1100 S: The event logging service has shut down."
-                          href: event-1100.md
-                        - name: "Event 1102 S: The audit log was cleared."
-                          href: event-1102.md
-                        - name: "Event 1104 S: The security log is now full."
-                          href: event-1104.md
-                        - name: "Event 1105 S: Event log automatic backup."
-                          href: event-1105.md
-                        - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1."
-                          href: event-1108.md
-                    - name: "Appendix A: Security monitoring recommendations for many audit events"
-                      href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md
-                    - name: Registry (Global Object Access Auditing)
-                      href: registry-global-object-access-auditing.md
-                    - name: File System (Global Object Access Auditing)
-                      href: file-system-global-object-access-auditing.md
-        - name: Windows security
-          href: /windows/security/

windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md

@@ -1,174 +0,0 @@
----
-title: Advanced security audit policy settings
-description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
-ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Advanced security audit policy settings (Windows 10)
-
-This reference for IT professionals provides information about:
-- The advanced audit policy settings available in Windows
-- The audit events that these settings generate.
-
-The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
-
--   A group administrator has modified settings or data on servers that contain finance information.
--   An employee within a defined group has accessed an important file.
--   The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following:
-    -  every file and folder
-    -  registry key on a computer
-    -  file share.
-
-You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
-
-These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors:
-- That are of little or no concern to you
-- That create an excessive number of log entries.
-
-In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
-Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
-
-## Account Logon
-
-Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, Account Logon settings and events focus on the account database that is used. This category includes the following subcategories:
-
--   [Audit Credential Validation](audit-credential-validation.md)
--   [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
--   [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
--   [Audit Other Account Logon Events](audit-other-account-logon-events.md)
-
-## Account Management
-
-The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
-
--   [Audit Application Group Management](audit-application-group-management.md)
--   [Audit Computer Account Management](audit-computer-account-management.md)
--   [Audit Distribution Group Management](audit-distribution-group-management.md)
--   [Audit Other Account Management Events](audit-other-account-management-events.md)
--   [Audit Security Group Management](audit-security-group-management.md)
--   [Audit User Account Management](audit-user-account-management.md)
-
-## Detailed Tracking
-
-Detailed Tracking security policy settings and audit events can be used for the following purposes:
-- To monitor the activities of individual applications and users on that computer
-- To understand how a computer is being used.
-
-This category includes the following subcategories:
-
-- [Audit DPAPI Activity](audit-dpapi-activity.md)
-- [Audit PNP activity](audit-pnp-activity.md)
-- [Audit Process Creation](audit-process-creation.md)
-- [Audit Process Termination](audit-process-termination.md)
-- [Audit RPC Events](audit-rpc-events.md)
-- [Audit Token Right Adjusted](audit-token-right-adjusted.md)
-
-## DS Access
-
-DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
-
--   [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
--   [Audit Directory Service Access](audit-directory-service-access.md)
--   [Audit Directory Service Changes](audit-directory-service-changes.md)
--   [Audit Directory Service Replication](audit-directory-service-replication.md)
-
-## Logon/Logoff
-
-Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
-
--   [Audit Account Lockout](audit-account-lockout.md)
--   [Audit User/Device Claims](audit-user-device-claims.md)
--   [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
--   [Audit Group Membership](audit-group-membership.md)
--   [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
--   [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
--   [Audit Logoff](audit-logoff.md)
--   [Audit Logon](audit-logon.md)
--   [Audit Network Policy Server](audit-network-policy-server.md)
--   [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
--   [Audit Special Logon](audit-special-logon.md)
-
-## Object Access
-
-Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations; the Registry subcategory needs to be enabled to audit registry accesses.
-
-Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
-
-This category includes the following subcategories:
-
--   [Audit Application Generated](audit-application-generated.md)
--   [Audit Certification Services](audit-certification-services.md)
--   [Audit Detailed File Share](audit-detailed-file-share.md)
--   [Audit File Share](audit-file-share.md)
--   [Audit File System](audit-file-system.md)
--   [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
--   [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
--   [Audit Handle Manipulation](audit-handle-manipulation.md)
--   [Audit Kernel Object](audit-kernel-object.md)
--   [Audit Other Object Access Events](audit-other-object-access-events.md)
--   [Audit Registry](audit-registry.md)
--   [Audit Removable Storage](audit-removable-storage.md)
--   [Audit SAM](audit-sam.md)
--   [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
-
-## Policy Change
-
-Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, tracking changes (or its attempts) to these policies is an important aspect of security management for a network. This category includes the following subcategories:
-
--   [Audit Audit Policy Change](audit-audit-policy-change.md)
--   [Audit Authentication Policy Change](audit-authentication-policy-change.md)
--   [Audit Authorization Policy Change](audit-authorization-policy-change.md)
--   [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
--   [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
--   [Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-## Privilege Use
-
-Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
-
--   [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
--   [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
--   [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
-
-## System
-
-System security policy settings and audit events allow you to track the following types of system-level changes to a computer:
-- Not included in other categories
-- Have potential security implications.
-
-This category includes the following subcategories:
-
--   [Audit IPsec Driver](audit-ipsec-driver.md)
--   [Audit Other System Events](audit-other-system-events.md)
--   [Audit Security State Change](audit-security-state-change.md)
--   [Audit Security System Extension](audit-security-system-extension.md)
--   [Audit System Integrity](audit-system-integrity.md)
-
-## Global Object Access Auditing
-
-Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
-Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
-
-Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by:
-- Setting the Global Object Access Auditing policy to log all the activities for a specific user
-- Enabling the policy to track "Access denied" events for the file system or registry can help
-
-> [!NOTE]
-> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
-
-This category includes the following subcategories:
--   [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
--   [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
-
-## Related topics
-
--   [Basic security audit policy settings](basic-security-audit-policy-settings.md)

windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml

@@ -1,175 +0,0 @@
-### YamlMime:FAQ
-metadata:
-  title: Advanced security auditing FAQ
-  description: This article lists common questions and answers about understanding, deploying, and managing security audit policies.
-  author: vinaypamnani-msft
-  ms.author: vinpa
-  manager: aaroncz
-  ms.topic: faq
-  ms.date: 05/24/2022
-
-title: Advanced security auditing FAQ
-
-summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.  
-
-sections:
-  - name: Ignored
-    questions:
-      - question: |
-          What is Windows security auditing and why might I want to use it?
-        answer: |
-          Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is the features and services for an administrator to log and review events for specified security-related activities.
-          
-          Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
-          
-      - question: |
-          What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
-        answer: |
-          The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they're recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you're editing the effective audit policy. Changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
-          
-          There are several other differences between the security audit policy settings in these two locations.
-          
-          There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
-          Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account sign-in, and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings. In comparison, setting a single advanced audit policy setting doesn't generate audit events for activities that you aren't interested in tracking.
-          
-          In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account sign-in activities. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
-          
-          The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** and the advanced audit policy settings are available in all supported versions of Windows.
-          
-      - question: |
-          What is the interaction between basic audit policy settings and advanced audit policy settings?
-        answer: |
-          Basic audit policy settings aren't compatible with advanced audit policy settings that are applied by using group policy. When advanced audit policy settings are applied by using group policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using group policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
-          
-          Editing and applying the advanced audit policy settings in Local Security Policy modifies the local group policy object (GPO). If there are policies from other domain GPOs or logon scripts, changes made here may not be exactly reflected in Auditpol.exe. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. Because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain group policy settings are reflected as soon as the new policy is applied.
-          
-          > [!Important]
-          > Whether you apply advanced audit policies by using group policy or by using logon scripts, don't use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
-          
-          If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
-           
-      - question: |
-          How are audit settings merged by group policy?
-        answer: |
-          By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
-          
-          For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level. The only exception is if you take special steps to apply group policy loopback processing.
-          
-          The rules that govern how group policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
-          
-          
-          | Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
-          | - | - | - | -|
-          | Detailed File Share Auditing | Success | Failure | Success |
-          | Process Creation Auditing | Disabled | Success | Disabled |
-          | Logon Auditing | Failure | Success | Failure |
-          
-      - question: |
-          What is the difference between an object DACL and an object SACL?
-        answer: |
-          All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
-          
-          -   A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
-          -   A system access control list (SACL) that controls how access is audited
-          
-          The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
-          
-          If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing isn't configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
-          
-      - question: |
-          Why are audit policies applied on a per-computer basis rather than per user?
-        answer: |
-          In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
-          
-          Audit policy capabilities can vary between computers running different versions of Windows. The best way to make sure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
-          
-          However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. Because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
-          
-      - question: |
-          Are there any differences in auditing functionality between versions of Windows?
-        answer: |
-          No. Basic and advanced audit policy settings are available in all supported versions of Windows. They can be configured and applied by local or domain group policy settings.
-
-      - question: |
-          What is the difference between success and failure events? Is something wrong if I get a failure audit?
-        answer: |
-          A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
-          
-          A failure audit event is triggered when a defined action, such as a user sign-in, isn't completed successfully.
-          
-          The appearance of failure audit events in the event log doesn't necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
-          
-      - question: |
-          How can I set an audit policy that affects all objects on a computer?
-        answer: |
-          System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This requirement has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
-
-          Security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected. It's also useful to identify when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This behavior also applies to a single registry setting SACL and a global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
-          
-      - question: |
-          How do I figure out why someone was able to access a resource?
-        answer: |
-          Often it isn't enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
-
-      - question: |
-          How do I know when changes are made to access control settings, by whom, and what the changes were?
-        answer: |
-          To track access control changes, you need to enable the following settings, which track changes to DACLs:
-          -   **Audit File System** subcategory: Enable for success, failure, or success and failure
-          -   **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
-          -   A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
-
-      - question: |
-          How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
-        answer: |
-          Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
-          
-          1.  Set all Advanced Audit Policy subcategories to **Not configured**.
-          2.  Delete all audit.csv files from the `%SYSVOL%` folder on the domain controller.
-          3.  Reconfigure and apply the basic audit policy settings.
-          
-          Unless you complete all of these steps, the basic audit policy settings won't be restored.
-          
-      - question: |
-          How can I monitor if changes are made to audit policy settings?
-        answer: |
-          Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place:
-          
-          -   Permissions and audit settings on the audit policy object are changed
-          -   The system audit policy is changed
-          -   Security event sources are registered or unregistered
-          -   Per-user audit settings are changed
-          -   The value of **CrashOnAuditFail** is modified
-          -   Audit settings on a file or registry key are changed
-          -   A Special Groups list is changed
-          
-      - question: |
-          How can I minimize the number of events that are generated?
-        answer: |
-          Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md).
-          
-      - question: |
-          What are the best tools to model and manage audit policies?
-        answer: |
-          The integration of advanced audit policy settings with domain is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy group policy objects for a domain can also be used to plan and deploy security audit policies.
-          On an individual computer, the `Auditpol` command-line tool can be used to complete many important audit policy-related management tasks.
-          
-          There are also other computer management products, such as the Audit Collection Services in System Center Operations Manager, which can be used to collect and filter event data. For more information, see [How to install an Audit Collection Services (ACS) collector and database](/system-center/scom/deploy-install-acs).
-          
-      - question: |
-          Where can I find information about all the possible events that I might receive?
-        answer: |
-          Users who examine the security event log for the first time can be a bit overwhelmed. The number of audit events that are stored there can quickly number in the thousands. The structured information that's included for each audit event can also be confusing. For more information about these events, and the settings used to generate them, see the following resources:
-          
-          - [Windows security audit events](https://www.microsoft.com/download/details.aspx?id=50034)
-          - [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)
-          - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
-          
-      - question: |
-          Where can I find more detailed information?
-        answer: |
-          To learn more about security audit policies, see the following resources:
-          
-          - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
-          - [Windows 8 and Windows Server 2012 security event details](https://www.microsoft.com/download/details.aspx?id=35753)
-          - [Security audit events for Windows 7 and Windows Server 2008 R2](https://www.microsoft.com/download/details.aspx?id=21561)