diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index bc99fd3bd8..d786e0bbfb 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -33,7 +33,7 @@ "ms.technology": "microsoft-edge", "audience": "ITPro", "ms.topic": "article", - "manager": "laurawi", + "manager": "dansimp", "ms.prod": "edge", "feedback_system": "None", "hideEdit": true, diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index c9dd04c446..053f03eeb7 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml @@ -48,8 +48,6 @@ landingContent: links: - text: Test your site on Microsoft Edge for free on BrowserStack url: https://developer.microsoft.com/microsoft-edge/tools/remote/ - - text: Use sonarwhal to improve your website - url: https://sonarwhal.com/ # Card (optional) - title: Improve compatibility with Enterprise Mode @@ -126,10 +124,8 @@ landingContent: url: ./edge-technical-demos.md - linkListType: how-to-guide links: - - text: Import bookmarks - url: https://microsoftedgetips.microsoft.com/2/39 - - text: Password management - url: https://microsoftedgetips.microsoft.com/2/18 + - text: Microsoft Edge features and tips + url: https://microsoftedgetips.microsoft.com # Card (optional) - title: Stay informed diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 9a7a5d7e4a..37391cc166 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -30,7 +30,7 @@ "ms.technology": "internet-explorer", "ms.prod": "ie11", "ms.topic": "article", - "manager": "laurawi", + "manager": "dansimp", "ms.date": "04/05/2017", "feedback_system": "None", "hideEdit": true, 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index 37ef55dea6..18c0b63cac 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -16,9 +16,9 @@ ms.date: 10/24/2017 --- -# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) - -[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] +# Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) + +[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] **Applies to:** @@ -91,7 +91,7 @@ The following is an example of what your XML file should look like when you’re ``` In the above example, the following is true: -- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode. +- ```www.cpandl.com```, as the main domain, must use IE8 Enterprise Mode. However, ```www.cpandl.com/images``` must use IE7 Enterprise Mode. - contoso.com, and all of its domain paths, can use the default compatibility mode for the site. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index 8ee8fbf055..e486ed248d 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -35,7 +35,7 @@ If you don't want to use the Enterprise Mode Site List Manager, you also have th The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. > [!IMPORTANT] -> Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both http://contoso.com and https://contoso.com. +> Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both `http://contoso.com` and `https://contoso.com`. ```xml @@ -71,7 +71,7 @@ This table includes the elements used by the Enterprise Mode schema. |<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
**Example**
<rules version="205"> 
<emie>
<domain>contoso.com</domain>
</emie>
</rules>

**or**
For IPv6 ranges:


<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules>


**or**
For IPv4 ranges:

<rules version="205"> 
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules> | Internet Explorer 11 and Microsoft Edge | |<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
**Example**
 
<rules version="205">
<docmode>
<domain docMode="7">contoso.com</domain>
</docmode>
</rules> |Internet Explorer 11 | |<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
**Example**
 
<emie>
<domain>contoso.com:8080</domain>
</emie> |Internet Explorer 11 and Microsoft Edge | -|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
 
<emie>
<domain exclude="true">fabrikam.com
<path exclude="false">/products</path>
</domain>
</emie>


Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge | +|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**

 
<emie>
<domain exclude="true">fabrikam.com
<path exclude="false">/products</path>
</domain>
</emie>


Where `https://fabrikam.com` doesn't use IE8 Enterprise Mode, but `https://fabrikam.com/products` does. |Internet Explorer 11 and Microsoft Edge | ### Schema attributes This table includes the attributes used by the Enterprise Mode schema. @@ -79,10 +79,10 @@ This table includes the attributes used by the Enterprise Mode schema. |Attribute|Description|Supported browser| |--- |--- |--- | |version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge| -|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
**Example**

<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>

Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge| +|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
**Example**

<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>

Where `https://fabrikam.com` doesn't use IE8 Enterprise Mode, but `https://fabrikam.com/products` does.|Internet Explorer 11 and Microsoft Edge| |docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
**Example**

<docMode> 
<domain exclude="false">fabrikam.com
<path docMode="9">/products</path>
</domain>
</docMode>|Internet Explorer 11| -|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
**Example**
<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>

Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge| -|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
**Example**

<emie>
<domain exclude="true">fabrikam.com
<path forcecompatview="true">/products</path>
</domain>
</emie>

Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11| +|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
**Example**

<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>

Where `https://fabrikam.com` opens in the IE11 browser, but `https://fabrikam.com/products` loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge| +|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
**Example**

<emie>
<domain exclude="true">fabrikam.com
<path forcecompatview="true">/products</path>
</domain>
</emie>

Where `https://fabrikam.com` does not use Enterprise Mode, but `https://fabrikam.com/products` uses IE7 Enterprise Mode.|Internet Explorer 11| ### Using Enterprise Mode and document mode together If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 825646b237..5af6fab521 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -45,7 +45,7 @@ You can continue to use the v.1 version of the schema on Windows 10, but you wo The following is an example of the v.2 version of the Enterprise Mode schema. > [!IMPORTANT] -> Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both http://contoso.com and https://contoso.com. +> Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both `http://contoso.com` and `https://contoso.com`. ```xml @@ -109,9 +109,9 @@ The <url> attribute, as part of the <site> element in the v.2 versio |Attribute|Description|Supported browser| |---------|---------|---------| -|allow-redirect|A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
**Example**

<site url="contoso.com/travel">
<open-in allow-redirect="true">IE11 </open-in>
</site>
In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
  • | Internet Explorer 11 and Microsoft Edge| +|allow-redirect|A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
    **Example**
    <site url="contoso.com/travel">
    <open-in allow-redirect="true">IE11 </open-in>
    </site>
    In this example, if `https://contoso.com/travel` is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. | Internet Explorer 11 and Microsoft Edge| |version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge| -|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
    **Note**
    Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
    **Example**
    <site url="contoso.com:8080">
    <compat-mode>IE8Enterprise</compat-mode>
    <open-in>IE11</open-in>
    </site>
    In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge| +|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
    **Note**
    Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both `http://contoso.com` and `https://contoso.com`.
    **Example**
    <site url="contoso.com:8080">
    <compat-mode>IE8Enterprise</compat-mode>
    <open-in>IE11</open-in>
    </site>
    In this example, going to `https://contoso.com:8080` using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge| ### Deprecated attributes These v.1 version schema attributes have been deprecated in the v.2 version of the schema: diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index cd8bea93d3..bbfd85b95e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -2,7 +2,7 @@ ms.localizationpriority: medium ms.mktglfcycl: support ms.pagetype: security -description: +description: A high-level overview of the delivery process and your options to control deployment of Internet Explorer through automatic updates. author: dansimp ms.author: dansimp ms.manager: dansimp 
@@ -60,7 +60,7 @@ If you use Automatic Updates in your company, but want to stop your users from a If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit. > [!NOTE] - > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). + > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx). diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index 125703ca28..0ec2a15346 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md 
@@ -47,7 +47,7 @@ For more info about this, see [Deploy and configure apps](/mem/intune/). 2. Any employee in the assigned group can now install the package. -For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808) +For more info about this, see [Update apps using Microsoft Intune](/mem/intune/apps/apps-windows-10-app-deploy)   diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md index fbcbcbadb9..f701d8ff8d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md 
@@ -42,7 +42,7 @@ RIES does not: - Affect the applied Administrative Template Group Policy settings. -RIES turns off all custom toolbars, browser extensions, and customizations installed with IE11. If you change your mind, you can turn each of the customizations back on through the **Manage Add-ons** dialog box. For more information about resetting IE settings, see [How to Reset Internet Explorer Settings](https://go.microsoft.com/fwlink/p/?LinkId=214528). +RIES turns off all custom toolbars, browser extensions, and customizations installed with IE11. If you change your mind, you can turn each of the customizations back on through the **Manage Add-ons** dialog box. For more information about resetting IE settings, see [How to Reset Internet Explorer Settings](https://support.microsoft.com/windows/change-or-reset-internet-explorer-settings-2d4bac50-5762-91c5-a057-a922533f77d5). ## IE is crashing or seems slow If you notice that CPU usage is running higher than normal, or that IE is frequently crashing or slowing down, you should check your browser add-ons and video card. By default, IE11 uses graphics processing unit (GPU) rendering mode. However, some outdated video cards and video drivers don't support GPU hardware acceleration. If IE11 determines that your current video card or video driver doesn't support GPU hardware acceleration, it'll use Software Rendering mode. diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md index a216f90395..613d58863c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md 
@@ -27,7 +27,7 @@ We strongly suggest that while you're using virtualization, you also update your The Microsoft-supported options for virtualizing web apps are: -- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](https://go.microsoft.com/fwlink/p/?LinkId=271653). +- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](/microsoft-desktop-optimization-pack/medv-v2/). - **Client Hyper-V.** Uses the same virtualization technology previously available in Windows Server, but now installed for Windows 8.1. For more information, see [Client Hyper-V](/previous-versions/windows/it-pro/windows-8.1-and-8/hh857623(v=ws.11)).

    For more information about virtualization options, see [Microsoft Desktop Virtualization](https://go.microsoft.com/fwlink/p/?LinkId=271662). diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index bebac3ffe6..fd8cca1014 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md @@ -170,6 +170,4 @@ Because the tool is open-source, the source code is readily available for examin - [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) -- [Microsoft Services Support](https://www.microsoft.com/microsoftservices/support.aspx) - - [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml index 0a4a146634..96fce41e4b 100644 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml 
@@ -83,7 +83,7 @@ sections: - question: | What test tools exist to test for potential application compatibility issues? answer: | - The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. + The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://testdrive-archive.azurewebsites.net/html5/compatinspector/help/post.htm). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. - question: | Why am I having problems launching my legacy apps with Internet Explorer 11? diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md index 9ed59cf64e..634e13f2fb 100644 --- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md +++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md 
@@ -19,7 +19,7 @@ ms.date: 07/27/2017 [!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)] -Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ( [OpenSearch 1.1 Draft 5](https://go.microsoft.com/fwlink/p/?LinkId=208582)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers. +Internet Explorer lets websites advertise any search provider that uses the open search standard described at the A9 website ([OpenSearch 1.1 Draft 5](https://opensearch.org/docs/latest/opensearch/index/)). When IE detects new search providers, the **Search** box becomes active and adds the new providers to the drop-down list of providers. Using the **Administrative Templates** section of Group Policy, you can prevent the search box from appearing, you can add a list of acceptable search providers, or you can restrict your employee’s ability to add or remove search providers. diff --git a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md index 57128dfefe..391784b8a4 100644 --- a/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md +++ b/browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md @@ -39,8 +39,6 @@ These command-line options work with IExpress:
    |`/r:a` |Always restarts the computer after installation. | |`/r:s` |Restarts the computer after installation without prompting the employee. | -For more information, see [Command-line switches for IExpress software update packages](https://go.microsoft.com/fwlink/p/?LinkId=317973). - ## Related topics - [IExpress Wizard for Windows Server 2008 R2 with SP1](iexpress-wizard-for-win-server.md) - [Internet Explorer Setup command-line options and return codes](ie-setup-command-line-options-and-return-codes.md) diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index 54ae269373..9eba34b5e1 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md 
@@ -104,7 +104,7 @@ Support for some of the Internet Explorer settings on the wizard pages varies de Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. - **External Distribution** - You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). + You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). - **Internal Distribution - corporate intranet** The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. \ No newline at end of file diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index 464a472b2f..2908606c60 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json 
@@ -35,7 +35,7 @@ "ms.technology": "windows", "ms.topic": "article", "audience": "ITPro", - "manager": "laurawi", + "manager": "dansimp", "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index 2e2fb12b63..1e0f65ecc7 100644 --- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json @@ -30,7 +30,7 @@ "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", - "manager": "laurawi", + "manager": "dansimp", "ms.mktglfcycl": "manage", "ms.sitesec": "library", "ms.date": "05/23/2017", diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index eba515451e..da410e3263 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -28,7 +28,7 @@ "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", - "manager": "laurawi", + "manager": "dansimp", "ms.date": "05/09/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/education/docfx.json b/education/docfx.json index 7cac8a75b9..04a27cb629 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -31,7 +31,7 @@ "audience": "windows-education", "ms.topic": "article", "ms.technology": "windows", - "manager": "laurawi", + "manager": "dansimp", "audience": "ITPro", "breadcrumb_path": "/education/breadcrumb/toc.json", "ms.date": "05/09/2017", diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 0f7ca6f332..8100e0959b 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md 
@@ -2,6 +2,15 @@ +## Week of April 25, 2022 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | + + ## Week of April 18, 2022 diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index c0ac95e03e..5e41713a4b 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -19,7 +19,7 @@ manager: dansimp - Windows 10, version 1709 -IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. +IT admins or technical teachers can use Autopilot Reset to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen anytime and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Autopilot Reset, devices are returned to a fully configured or known IT-approved state. To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), you must: 
@@ -30,7 +30,7 @@ To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), yo To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). -**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It is a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident. +**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It's a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This setting ensures that Autopilot Reset isn't triggered by accident. You can set the policy using one of these methods: 
@@ -49,11 +49,11 @@ You can set the policy using one of these methods: - Set up School PCs app - Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: + Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you're running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: - Reach out to your device manufacturer. - - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. + - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you're using another MDM provider, check the documentation for the MDM provider to confirm the OS version. - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. @@ -72,7 +72,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png) - This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: + This keystroke will open up a custom sign-in screen for Autopilot Reset. The screen serves two purposes: 1. Confirm/verify that the end user has the right to trigger Autopilot Reset 
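Review bot: in the `@@ -49,11 +49,11 @@` hunk the unchanged bullet "Log into the PCs, go to the **Settings > System > About** page" keeps "Log into" while this same PR standardizes on "sign in" elsewhere (the roll-back procedure changes "Log in to" to "Sign in to"). Since the surrounding bullets are being reworded anyway, change it to "Sign in to the PCs" so the article uses one term.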
@@ -93,7 +93,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo - Connects to Wi-Fi. - - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device. + - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will reapply the original provisioning package on the device. - Is returned to a known good managed state, connected to Azure AD and MDM. @@ -105,7 +105,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ## Troubleshoot Autopilot Reset -Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. +Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) isn't enabled on the device. You'll see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: 
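Review bot: in the `@@ -105,7 +105,7 @@` hunk the lead-in "To make sure WinRE is enabled, use the REAgentC.exe tool to run the following command" is followed by `reagentc /enable`, which changes the state rather than confirming it. The preceding paragraph tells the reader the reset fails with `ERROR_NOT_SUPPORTED (0x80070032)` when WinRE is disabled, so the natural troubleshooting order is to check first and enable only if needed; consider pointing to the status query on the linked REAgentC command-line options page (`reagentc /info`) before the enable command, and rewording "make sure WinRE is enabled" to "enable WinRE".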
@@ -113,8 +113,8 @@ To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/man reagentc /enable ``` -If Autopilot Reset fails after enabling WinRE, or if you are unable to enable WinRE, please contact [Microsoft Support](https://support.microsoft.com) for assistance. +If Autopilot Reset fails after enabling WinRE, or if you're unable to enable WinRE, kindly contact [Microsoft Support](https://support.microsoft.com) for assistance. -## Related topics +## Related articles [Set up Windows devices for education](set-up-windows-10.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index aafc6c622f..9a828c6755 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -42,7 +42,7 @@ New or changed topic | Description | [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the list of device manufacturers. | | [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | | [Set up Take a Test on a single PC](take-a-test-single-pc.md) | Updated instances of the parameter enablePrint, or enablePrinting, to requirePrinting. | -| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a note that the Alt+F4 key combination for enabling students to exit the test is disabled in Windows 10, version 1703 (Creators Update) and later. Also added additional info about the Ctrl+Alt+Del key combination. | +| [Take a Test app technical reference](take-a-test-app-technical.md) | Added a note that the Alt+F4 key combination for enabling students to exit the test is disabled in Windows 10, version 1703 (Creators Update) and later. Also added more information about the Ctrl+Alt+Del key combination. | ## RELEASE: Windows 10, version 1709 (Fall Creators Update) 
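Review bot: in the `@@ -113,8 +113,8 @@` hunk, replacing "please contact" with "kindly contact [Microsoft Support]" trades one politeness marker for a more stilted one that this documentation set does not use elsewhere; the plain imperative "contact [Microsoft Support](https://support.microsoft.com) for assistance" is the usual form and needs neither word. The "you're unable" contraction and the "Related articles" heading rename are fine.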
@@ -62,7 +62,7 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. | +| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | New. Find out how you can test Windows 10 S on various Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us. | | [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated the instructions to reflect the new or updated functionality in the latest version of the app. | ## July 2017 
@@ -85,16 +85,16 @@ New or changed topic | Description | New or changed topic | Description | | --- | ---- | -| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | +| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt in to a free switch to Windows 10 Pro Education. | | [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | ## RELEASE: Windows 10, version 1703 (Creators Update) | New or changed topic | Description| | --- | --- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. | | [Microsoft Education documentation and resources](/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. | -| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. 
| +| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. | | [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. | | [Set up Windows devices for education](set-up-windows-10.md) | Updated for Windows 10, version 1703. | | Set up School PCs app:
    [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
    [Use the Set up School PCs app](use-set-up-school-pcs-app.md) | Updated. Describes the school-specific settings and policies that Set up School PC configures. Also provides step-by-step instructions for using the latest version of the app to create a provisioning package that you can use to set up student PCs. | diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index ea30225b3e..9d165c8892 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -17,7 +17,7 @@ manager: dansimp # Change to Windows 10 Pro Education from Windows 10 Pro Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. -If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt-in to a free change to Windows 10 Pro Education depending on your scenario. +If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt in to a free change to Windows 10 Pro Education depending on your scenario. - [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](./s-mode-switch-to-edu.md) To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. 
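Review bot: in the change-history-edu.md hunk at `@@ -85,16 +85,16 @@`, the rewritten line still reads "use devices Windows 10 Pro or Windows 10 S in your schools", which is missing a word; the companion sentence in change-to-pro-education.md in this same PR reads "use devices with Windows 10 Pro". Since the line is already being touched for "opt in", fix it at the same time, for example "use devices running Windows 10 Pro or Windows 10 S in your schools".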
@@ -43,7 +43,7 @@ For more info about Windows 10 default settings and recommendations for educatio ## Change from Windows 10 Pro to Windows 10 Pro Education -For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free change through the Microsoft Store for Education. +For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt in to a free change through the Microsoft Store for Education. In this scenario: @@ -51,7 +51,7 @@ In this scenario: - Any device that joins the Azure AD will change automatically to Windows 10 Pro Education. - The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). -See [change using Microsoft Store for Education](#change-using-microsoft-store-for-education) for details on how to do this. +See [change using Microsoft Store for Education](#change-using-microsoft-store-for-education) for details on how to turn on the change. ### Change using Intune for Education 
@@ -98,8 +98,8 @@ Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Educ When you change to Windows 10 Pro Education, you get the following benefits: -- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. +- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit doesn't include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. The Windows 10 Pro Education program doesn't have a limitation on the number of licenses an organization can have. - **Roll back options to Windows 10 Pro** - When a user leaves the domain or you turn off the setting to automatically change to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. 
@@ -108,13 +108,13 @@ When you change to Windows 10 Pro Education, you get the following benefits: ### Change using Microsoft Store for Education -Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the change. The change will only apply to Windows 10 Pro devices. +Once you enable the setting to change to Windows 10 Pro Education, the change will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you can't select which users will receive the change. The change will only apply to Windows 10 Pro devices. **To turn on the automatic change to Windows 10 Pro Education** 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account. - If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. + If you're signing into the Microsoft Store for Education for the first time, you'll be prompted to accept the Microsoft Store for Education Terms of Use. 2. Click **Manage** from the top menu and then select the **Benefits tile**. 3. In the **Benefits** tile, look for the **Change to Windows 10 Pro Education for free** link and then click it. 
@@ -130,11 +130,11 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi A confirmation window pops up to let you know that an email has been sent to you to enable the change. 6. Close the confirmation window and check the email to proceed to the next step. -7. In the email, click the link to **Change to Windows 10 Pro Education**. Once you click the link, this will take you back to the Microsoft Store for Education portal. +7. In the email, click the link to **Change to Windows 10 Pro Education**. Once you click the link, you are taken back to the Microsoft Store for Education portal. 8. Click **Change now** in the **changing your device to Windows 10 Pro Education for free** page in the Microsoft Store. - You will see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. + You'll see a window that confirms you've successfully changed all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro will automatically change the next time someone in your organization signs in to the device. 9. Click **Close** in the **Success** window. 
@@ -146,7 +146,7 @@ Enabling the automatic change also triggers an email message notifying all globa So what will users experience? How will they change their devices? ### For existing Azure AD joined devices -Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. +Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No other steps are needed. ### For new devices that are not Azure AD joined Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition. @@ -197,7 +197,7 @@ If the Windows device is running Windows 10, version 1703, follow these steps. ![Select the option to join the device to Azure Active Directory.](images/settings_setupworkorschoolaccount_2.png) -4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD. +4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. The device is joined with the school's Azure AD. 5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. **Figure 8** - Verify the device connected to Azure AD 
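Review bot: in the `@@ -146,7 +146,7 @@` hunk the unchanged sentence "Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in" keeps "logs in" while the rest of the PR moves to "sign in" (the next hunk's heading is "Sign in using Azure AD account"); change it to "signs in" while the line's neighbour is being edited.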
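Review bot: in the `@@ -197,7 +197,7 @@` hunk the new sentence "The device is joined with the school's Azure AD." uses "joined with", but the very next step says "verify that the device was successfully joined to Azure AD"; the standard phrasing is "joined to". Suggest "This action joins the device to the school's Azure AD." so the two steps agree and the sentence still explains what signing in does.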
@@ -207,7 +207,7 @@ If the Windows device is running Windows 10, version 1703, follow these steps. #### Step 2: Sign in using Azure AD account -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. +Once the device is joined to your Azure AD subscription, users will sign in by using their Azure AD account. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. #### Step 3: Verify that Pro Education edition is enabled @@ -224,7 +224,7 @@ If there are any problems with the Windows 10 Pro Education license or the acti In some instances, users may experience problems with the Windows 10 Pro Education change. The most common problems that users may experience are as follows: -- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) is not activated. +- The existing operating system (Windows 10 Pro, version 1607 or higher, or version 1703) isn't activated. - The Windows 10 Pro Education change has lapsed or has been removed. Use the following figures to help you troubleshoot when users experience these common problems: @@ -234,7 +234,7 @@ Use the following figures to help you troubleshoot when users experience these c Windows 10 activated and subscription active

    -**Figure 11** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education change is active. +**Figure 11** - Illustrates a device on which the existing operating system isn't activated, but the Windows 10 Pro Education change is active. Windows 10 not activated and subscription active

    @@ -245,7 +245,7 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined **To determine if a device is Azure AD joined** -1. Open a command prompt and type the following: +1. Open a command prompt and type the following command: ``` dsregcmd /status 
@@ -268,19 +268,19 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined ### Roll back Windows 10 Pro Education to Windows 10 Pro -If your organization has the Windows 10 Pro to Windows 10 Pro Education change enabled, and you decide to roll back to Windows 10 Pro or to cancel the change, you can do this by: +If your organization has the Windows 10 Pro to Windows 10 Pro Education change enabled, and you decide to roll back to Windows 10 Pro or to cancel the change, perform the following task: -- Logging into Microsoft Store for Education page and turning off the automatic change. +- Log into Microsoft Store for Education page and turning off the automatic change. - Selecting the link to turn off the automatic change from the notification email sent to all global administrators. -Once the automatic change to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were changed will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was changed may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a change was enabled and then turned off will never see their device change from Windows 10 Pro. +Once the automatic change to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were changed will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. Therefore, users whose device was changed may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a change was enabled and then turned off will never see their device change from Windows 10 Pro. 
> [!NOTE] -> Devices that were changed from mode to Windows 10 Pro Education cannot roll back to Windows 10 Pro Education S mode. +> Devices that were changed from mode to Windows 10 Pro Education can't roll back to Windows 10 Pro Education S mode. **To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic change. 2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. 3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. @@ -288,7 +288,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png) -4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. +4. You'll be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**. 5. Click **Close** in the **Success** page. All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic changes again, you can do this by selecting **change to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 2e01f756fe..37e9cba645 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md 
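Review bot: the `@@ -268,19 +268,19 @@` hunk breaks the parallelism of the roll-back options: the lead-in now reads "perform the following task:" but two alternative methods follow, and the first bullet was changed to "Log into Microsoft Store for Education page and turning off the automatic change" (imperative plus gerund, and "Log into" where the PR otherwise uses "Sign in to") while the second bullet is still the gerund form "Selecting the link to turn off the automatic change". Either keep the original "you can do this by:" with both bullets as gerunds, or make both imperative, for example "Sign in to the Microsoft Store for Education page and turn off the automatic change." and "Select the link to turn off the automatic change from the notification email sent to all global administrators." The same hunk also touches the note "Devices that were changed from mode to Windows 10 Pro Education can't roll back to Windows 10 Pro Education S mode.", which is missing the "S" in "from S mode" on both the removed and the added line; fix it while the line is being edited.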
@@ -1,6 +1,6 @@ --- title: Chromebook migration guide (Windows 10) -description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. +description: In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA ms.reviewer: manager: dansimp 
@@ -22,23 +22,23 @@ ms.date: 10/13/2017 - Windows 10 -In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. +In this guide, you'll learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You'll learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You'll then learn the best method to perform the migration by using automated deployment and migration tools. ## Plan Chromebook migration Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. -In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. +In the planning portion of this guide, you'll identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you'll have a list of information you need to collect and what you need to do with the information. You'll be ready to perform your Chromebook migration. 
## Plan for app migration or replacement -App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. +App migration or replacement is an essential part of your Chromebook migration. In this section, you'll plan how you'll migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you'll have a list of the active Chrome OS apps and the Windows app counterparts. **Identify the apps currently in use on Chromebook devices** -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You'll create a list of apps that are currently in use (also called an app portfolio). > [!NOTE] > The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. 
@@ -63,7 +63,7 @@ Record the following information about each app in your app portfolio: - App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. +Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you've determined what you'll do with the higher priority apps. ### 
@@ -85,13 +85,13 @@ Table 1. Google App replacements -It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. +It may be that you'll decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. **Find the same or similar apps in the Microsoft Store** In many instances, software vendors will create a version of their app for multiple platforms. You can search the Microsoft Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. -In other instances, the offline app does not have a version written for the Microsoft Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. +In other instances, the offline app doesn't have a version written for the Microsoft Store or isn't a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher doesn't have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. 
Record the Windows app that replaces the Chromebook app in your app portfolio. 
@@ -99,20 +99,20 @@ Record the Windows app that replaces the Chromebook app in your app portfolio. **Perform app compatibility testing for web apps** -The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. +Most of the Chromebook apps are web apps. Because you can't run native offline Chromebook apps on a Windows device, there's no reason to perform app compatibility testing for offline Chromebook apps. However, you may have many web apps that will run on both platforms. Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. ## Plan for migration of user and device settings -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. +Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You've also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. 
-In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. +In this section, you'll identify the user and device configuration settings for your Chromebook users and devices. Then you'll prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, and a level of priority for each setting. You may discover at the end of this section that you've few or no higher priority settings to be migrated. If so, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. **Identify Google Admin Console settings to migrate** @@ -122,17 +122,17 @@ You use the Google Admin Console (as shown in Figure 1) to manage user and devic Figure 1. Google Admin Console -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. +Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. Table 2. Settings in the Device Management node in the Google Admin Console |Section |Settings | |---------|---------| |Network |

    These settings configure the network connections for Chromebook devices and include the following settings categories:

    • **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

    • **Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

    • **VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

    • **Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

      | -|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
      • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
      • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
      • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
      • **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
      • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. | -|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
        • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
        • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
        • **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
        • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices
        • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. | +|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
          • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
          • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
          • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
          • **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You'll need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
          • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You'll need this token if you plan to manage Android devices by using another MDM provider. | +|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
            • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
            • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
            • **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
            • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you'll need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you'll need to manage your Windows devices
            • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you've identified that will run on Windows devices. | -Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. +Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you'll migrate to Windows. Table 3. Settings in the Security node in the Google Admin Console @@ -146,11 +146,11 @@ Table 3. Settings in the Security node in the Google Admin Console **Identify locally-configured settings to migrate** -In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). +In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you'll migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). ![figure 2.](images/fig2-locallyconfig.png) -Figure 2. Locally-configured settings on Chromebook +Figure 2. Locally configured settings on Chromebook Table 4. Locally-configured settings 
@@ -183,32 +183,32 @@ Also, as a part of this planning process, consider settings that may not be curr **Prioritize settings to migrate** -After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. +After you've collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. -Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. +Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that aren't necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. ## Plan for email migration -Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. +Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. 
You need to create the list of users you'll migrate and the best time to perform the migration. Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). **Identify the list of user mailboxes to migrate** -In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. +With regard to creating the list of users you'll migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case, you would only need to migrate faculty and staff. -Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. +Also, when you perform a migration, it's a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. 
Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. **Identify companion devices that access Google Apps Gmail** -In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. +In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You'll need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. -After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. +After you've identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. 
-In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). +In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify these credentials on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). **Identify the optimal timing for the migration** 
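Review bot: replacing "verify this" with "verify these credentials" at the end of the hunk changes the meaning. The preceding sentence says users will only need to provide their Office 365 email account and password; what should be verified on each companion device is that this is all that is required, not the credentials themselves. Suggest "However, you should verify this behavior on each type of companion device." The same + line also keeps the stray "in" in "users will only need to provide in their Office 365 email account and password", and the new "it might seem that the answer "all the users" might be the best one" doubles "might"; "it might seem that the answer "all the users" is the best one" reads cleaner.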
@@ -219,13 +219,13 @@ Ensure that you communicate the time the migration will occur to your users well ## Plan for cloud storage migration -Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. +Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You'll need to plan how to migrate your cloud storage as a part of the Chromebook migration process. -In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. +In this section, you'll create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. **Identify cloud storage services currently in use** -Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: +Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following details: - Name of the cloud storage service 
@@ -235,7 +235,7 @@ Typically, most Chromebook users use Google Drive for cloud storage services bec - Approximate storage currently in use per user -Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. +Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there's no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. **Optimize cloud storage services migration plan** 
@@ -245,24 +245,24 @@ Consider the following to help optimize your cloud storage services migration pl - **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. -- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. +- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (haven't been accessed for some period of time). Eliminate or archive these files so that they don't consume cloud storage. -- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. +- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This standardization will help reduce management complexity, support time, and typically will reduce cloud storage costs. Record your optimization changes in your cloud storage services migration plan. ## Plan for cloud services migration -Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. 
+Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You've planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. -In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. +In this section, you'll create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. ### **Identify cloud services currently in use** -You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: +You've already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: - Cloud service name 
@@ -274,9 +274,9 @@ You have already identified the individual cloud services that are currently in One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. -Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: +Here's a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: -- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. +- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016), then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. - **Online apps offer better document compatibility.** Microsoft Office apps (such as Word and Excel for the web) provide the highest level of compatibility with Microsoft Office documents. The Office apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office app from any device with Internet connectivity. 
@@ -288,7 +288,7 @@ Review the list of existing cloud services that you created in the [Identify clo **Prioritize cloud services** -After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. +After you've created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. 
@@ -298,48 +298,48 @@ Focus on the migration of higher priority cloud services first and put less effo **Select cloud services migration strategy** -When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. +When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you'll want to select a migration strategy that introduces many small changes over a period of time. Consider the following when you create your cloud services migration strategy: - **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. -- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. +- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This option gives users a familiar method to perform their day-to-day tasks. -- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. 
+- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it's more reliable or intuitive for them to use. - **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. -- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. +- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This migration will ensure you've minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they're probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions don't preserve data between semesters or academic years. -- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. 
This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. +- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This overlap operation allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. The tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. ## Plan for Windows device deployment You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. -In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. +In this section, you'll select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. ### **Select a Windows device deployment strategy** -What decisions need to be made about Windows device deployment? 
You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. +What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That approach is correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: -- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. +- **Deploy one classroom at a time.** In most cases, you'll want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you've deployed the devices. -- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. +- **Deploy based on curriculum.** Deploy the Windows devices after you've confirmed that the curriculum is ready for the Windows devices. 
If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. -- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. +- **Deploy side-by-side.** In some instances, you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This method helps prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. -- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. +- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this arrangement provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. 
-- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. +- **Deploy after the migration of user and device settings.** Ensure that you've identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. - If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. + If you ensure that Windows devices closely mirror the Chromebook device configuration, you'll ease user learning curve and create a sense of familiarity. Also, when you've the settings ready to be applied to the devices, it helps ensure you'll deploy your new Windows devices in a secure configuration. Record the combination of Windows device deployment strategies that you selected. 
@@ -347,7 +347,7 @@ Record the combination of Windows device deployment strategies that you selected **Plan for AD DS and Azure AD services** -The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. +The next decision you'll need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you'll manage your users, apps, and devices and if you'll use Office 365 and other Azure-based cloud services. In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. 
@@ -362,13 +362,13 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid |Use Microsoft Endpoint Manager for management|✔️||✔️| |Use Group Policy for management|✔️||✔️| |Have devices that are domain-joined|✔️||✔️| -|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️| +|Allow faculty and students to Bring Your Own Device (BYOD) which aren't domain-joined||✔️|✔️| ### **Plan device, user, and app management** -You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. +You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you'll only deploy the device once, but you'll manage the device throughout the remainder of the device's lifecycle. Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. 
@@ -384,11 +384,11 @@ Table 6. Device, user, and app management products and technologies |Deploy software updates during operating system deployment|||✔️||✔️|| |Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️| |Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️|| -|Support devices that are not domain-joined|✔️|||✔️|✔️|| +|Support devices that aren't domain-joined|✔️|||✔️|✔️|| |Use on-premises resources|✔️|✔️|✔️||✔️|| |Use cloud-based services||||✔️||| -You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. +You can use Configuration Manager and Intune with each other to provide features from both products and technologies. In some instances, you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. Record the device, user, and app management products and technologies that you selected. 
@@ -402,7 +402,7 @@ Examine each of the following network infrastructure technologies and services a - **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. - However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. + However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you'll need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. - **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. 
@@ -412,7 +412,7 @@ Examine each of the following network infrastructure technologies and services a If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. -- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. +- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This consumption behavior means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. 
@@ -424,7 +424,7 @@ Examine each of the following network infrastructure technologies and services a - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://go.microsoft.com/fwlink/p/?LinkId=690257) -- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. +- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This condition means that your existing power outlets should support the same number of Windows devices. If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. 
@@ -433,9 +433,9 @@ At the end of this process, you may determine that no network infrastructure rem ## Perform Chromebook migration -Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. +Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you've created. -In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. +In this section, you'll perform the necessary steps for the Chromebook device migration. You'll perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. 
@@ -444,7 +444,7 @@ You must perform some of the steps in this section in a specific sequence. Each The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. -It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. +It's important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. Table 7. Network infrastructure products and technologies and deployment resources 
@@ -459,7 +459,7 @@ If you use network infrastructure products and technologies from other vendors, ## Perform AD DS and Azure AD services deployment or remediation -It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. +It's important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. 
@@ -475,7 +475,7 @@ If you decided not to migrate to AD DS or Azure AD as a part of the migration, o ## Prepare device, user, and app management systems -In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. +In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you'll use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You'll use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. 
@@ -547,7 +547,7 @@ Alternatively, if you want to migrate to Office 365 from: ## Perform cloud storage migration -In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. +In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you'll use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. Manually migrate the cloud storage migration by using the following steps: @@ -561,7 +561,7 @@ Manually migrate the cloud storage migration by using the following steps: 5. Optionally uninstall the Google Drive app. -There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. For more information about these automated migration tools, contact the vendors. +There are also many software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. For more information about these automated migration tools, contact the vendors. ## Perform cloud services migration 
@@ -570,7 +570,7 @@ In the [Plan for cloud services migration](#plan-cloud-services)section, you ide Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. -There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. +There are also many software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. ## Perform Windows device deployment diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 27b3806af5..6d0c2694a5 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -1,6 +1,6 @@ --- title: Windows 10 configuration recommendations for education customers -description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. +description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school. keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology ms.mktglfcycl: plan ms.sitesec: library 
@@ -20,24 +20,24 @@ manager: dansimp - Windows 10 -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). +Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. 
To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). +We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). -In Windows 10, version 1703 (Creators Update), it is straightforward to configure Windows to be education ready. +In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready. -| Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | +| Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | | --- | --- | --- | --- | --- | --- | -| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set | -| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set | +| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set | +| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | 
This feature is already set | This feature is already set | The policy must be set | | **Cortana** | **AllowCortana** | Disables Cortana

              * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

              See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

              See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | -| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set | +| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set | | **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | -| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

              * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set | +| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

              * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set | ## Recommended configuration -It is easy to be education ready when using Microsoft products. We recommend the following configuration: +It's easy to be education ready when using Microsoft products. We recommend the following configuration: 1. Use an Office 365 Education tenant. 
@@ -49,15 +49,15 @@ It is easy to be education ready when using Microsoft products. We recommend the 3. On PCs running Windows 10, version 1703: 1. Provision the PC using one of these methods: - * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - This will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. + * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. 2. Join the PC to Azure Active Directory. * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD. * Manually Azure AD join the PC during the Windows device setup experience. 3. Enroll the PCs in MDM. - * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. + * If you've activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. 4. Ensure that needed assistive technology apps can be used. - * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. 
See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. + * If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. 4. Distribute the PCs to students. @@ -77,7 +77,7 @@ You can set all the education compliance areas through both provisioning and man - [Intune for Education](/intune-education/available-settings) ## AllowCortana -**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). +**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana). > [!NOTE] > See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. 
@@ -109,7 +109,7 @@ Set **Computer Configuration > Administrative Templates > Windows Components > S ![Set AllowCortana to No in Windows Configuration Designer.](images/allowcortana_wcd.png) ## SetEduPolicies -**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). +**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp). Use one of these methods to set this policy. @@ -126,7 +126,7 @@ Use one of these methods to set this policy. ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png) ### Group Policy -**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). +**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For example: 
@@ -158,7 +158,7 @@ Provide an ad-free experience that is a safer, more private search option for K To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps: 1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590). -2. Domain join the Windows 10 PCs to your Azure AD tenant (this is the same as your Office 365 tenant). +2. Domain join the Windows 10 PCs to your Azure AD tenant (this tenant is the same as your Office 365 tenant). 3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic. 4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC. > [!NOTE] diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 3672175155..aa2e5b4d70 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -20,11 +20,11 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for district deployment -Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. 
Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. +Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you'll manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. > [!NOTE] > This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). @@ -81,7 +81,7 @@ This district configuration has the following characteristics: * The devices use Azure AD in Office 365 Education for identity management. -* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). +* If you've on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). * Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices. 
@@ -132,9 +132,9 @@ For more information about Office 365 Education features and an FAQ, go to [Offi ### How to configure a district -Now that you have the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. +Now that you've the plan (blueprint) for your district and individual schools and classrooms, you’re ready to learn about the tools you'll use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. -The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). +The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. 
@@ -142,7 +142,7 @@ This guide focuses on LTI deployments to deploy the reference device. You can us MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. +LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. 
@@ -150,23 +150,23 @@ ZTI performs fully automated deployments using Configuration Manager and MDT. Al The configuration process requires the following devices: -* **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. +* **Admin device.** This device is the one you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. -* **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. +* **Reference devices.** These devices are the ones that you'll use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. - You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). + You'll have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). -* **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. 
You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. +* **Faculty and staff devices.** These devices are the ones that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -* **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. +* **Student devices.** The students will use these devices. You'll use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4: 1. Prepare the admin device for use, which includes installing the Windows ADK, MDT, and the Configuration Manager console. -2. On the admin device, create and configure the Office 365 Education subscription that you will use for the district’s classrooms. +2. On the admin device, create and configure the Office 365 Education subscription that you'll use for the district’s classrooms. -3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). +3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you've an on premises AD DS configuration). 4. On the admin device, create and configure a Microsoft Store for Business portal. 
@@ -217,7 +217,7 @@ Some constraints exist in these scenarios. As you select the deployment and mana * You can use Group Policy or Intune to manage configuration settings on a device but not both. * You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. -* You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. +* You can't manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. @@ -227,8 +227,8 @@ To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpo |Method|Description| |--- |--- | -|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
              Select this method when you:
            • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
            • Don’t have an existing AD DS infrastructure.
            • Need to manage devices regardless of where they are (on or off premises).
              The advantages of this method are that:
            • You can deploy Windows 10 operating systems
            • You can manage device drivers during initial deployment.
            • You can deploy Windows desktop apps (during initial deployment)
            • It doesn’t require an AD DS infrastructure.
            • It doesn’t have additional infrastructure requirements.
            • MDT doesn’t incur additional cost: it’s a free tool.
            • You can deploy Windows 10 operating systems to institution-owned and personal devices.
              The disadvantages of this method are that it:
            • Can’t manage applications throughout entire application life cycle (by itself).
            • Can’t manage software updates for Windows 10 and apps (by itself).
            • Doesn’t provide antivirus and malware protection (by itself).
            • Has limited scaling to large numbers of users and devices.| -|Microsoft Endpoint Configuration Manager|
            • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
            • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
              Select this method when you:
            • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
            • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
            • Typically deploy Windows 10 to on-premises devices.
              The advantages of this method are that:
            • You can deploy Windows 10 operating systems.
            • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
            • You can manage software updates for Windows 10 and apps.
            • You can manage antivirus and malware protection.
            • It scales to large number of users and devices.
              The disadvantages of this method are that it:
            • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
            • Can deploy Windows 10 only to domain-joined (institution-owned devices).
            • Requires an AD DS infrastructure (if the institution does not have AD DS already).| +|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
              Select this method when you:
            • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
            • Don’t have an existing AD DS infrastructure.
            • Need to manage devices regardless of where they are (on or off premises).
              The advantages of this method are that:
            • You can deploy Windows 10 operating systems
            • You can manage device drivers during initial deployment.
            • You can deploy Windows desktop apps (during initial deployment)
            • It doesn’t require an AD DS infrastructure.
            • It doesn’t have extra infrastructure requirements.
            • MDT doesn’t incur extra cost: it’s a free tool.
            • You can deploy Windows 10 operating systems to institution-owned and personal devices.
              The disadvantages of this method are that it:
            • Can’t manage applications throughout entire application life cycle (by itself).
            • Can’t manage software updates for Windows 10 and apps (by itself).
            • Doesn’t provide antivirus and malware protection (by itself).
            • Has limited scaling to large numbers of users and devices.| +|Microsoft Endpoint Configuration Manager|
            • Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
            • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
              Select this method when you:
            • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
            • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
            • Typically deploy Windows 10 to on-premises devices.
              The advantages of this method are that:
            • You can deploy Windows 10 operating systems.
            • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
            • You can manage software updates for Windows 10 and apps.
            • You can manage antivirus and malware protection.
            • It scales to large number of users and devices.
              The disadvantages of this method are that it:
            • Carries an extra cost for Microsoft Endpoint Manager server licenses (if the institution doesn't have Configuration Manager already).
            • Can deploy Windows 10 only to domain-joined (institution-owned devices).
            • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| *Table 2. Deployment methods* @@ -243,14 +243,14 @@ Record the deployment methods you selected in Table 3. ### Select the configuration setting management methods -If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, maintaining an identical configuration on every device will become virtually impossible as the number of devices in the district increases. +If you've only one device to configure, manually configuring that one device is tedious but possible. When you've multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, maintaining an identical configuration on every device will become impossible as the number of devices in the district increases. For a district, there are many ways to manage the configuration setting for users and devices. Table 4 lists the methods that this guide describes and recommends. Use this information to determine which combination of configuration setting management methods is right for your institution. |Method|Description| |--- |--- | -|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
              Select this method when you
            • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
            • Want more granular control of device and user settings.
            • Have an existing AD DS infrastructure.
            • Typically manage on-premises devices.
            • Can manage a required setting only by using Group Policy.
              The advantages of this method include:
            • No cost beyond the AD DS infrastructure.
            • A larger number of settings (compared to Intune).
              The disadvantages of this method are that it:
            • Can only manage domain-joined (institution-owned devices).
            • Requires an AD DS infrastructure (if the institution does not have AD DS already).
            • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
            • Has rudimentary app management capabilities.
            • Cannot deploy Windows 10 operating systems.| -|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
              Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
              Select this method when you:
            • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
            • Don’t need granular control over device and user settings (compared to Group Policy).
            • Don’t have an existing AD DS infrastructure.
            • Need to manage devices regardless of where they are (on or off premises).
            • Want to provide application management for the entire application life cycle.
            • Can manage a required setting only by using Intune.
              The advantages of this method are that:
            • You can manage institution-owned and personal devices.
            • It doesn’t require that devices be domain joined.
            • It doesn’t require any on-premises infrastructure.
            • It can manage devices regardless of their location (on or off premises).
              The disadvantages of this method are that it:
            • Carries an additional cost for Intune subscription licenses.
            • Doesn’t offer granular control over device and user settings (compared to Group Policy).
            • Cannot deploy Windows 10 operating systems.| +|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
              Select this method when you
            • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
            • Want more granular control of device and user settings.
            • Have an existing AD DS infrastructure.
            • Typically manage on-premises devices.
            • Can manage a required setting only by using Group Policy.
              The advantages of this method include:
            • No cost beyond the AD DS infrastructure.
            • A larger number of settings (compared to Intune).
              The disadvantages of this method are that it:
            • Can only manage domain-joined (institution-owned devices).
            • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
            • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
            • Has rudimentary app management capabilities.
            • can't deploy Windows 10 operating systems.| +|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
              Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
              Select this method when you:
            • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
            • Don’t need granular control over device and user settings (compared to Group Policy).
            • Don’t have an existing AD DS infrastructure.
            • Need to manage devices regardless of where they are (on or off premises).
            • Want to provide application management for the entire application life cycle.
            • Can manage a required setting only by using Intune.
              The advantages of this method are that:
            • You can manage institution-owned and personal devices.
            • It doesn’t require that devices be domain joined.
            • It doesn’t require any on-premises infrastructure.
            • It can manage devices regardless of their location (on or off premises).
              The disadvantages of this method are that it:
            • Carries an extra cost for Intune subscription licenses.
            • Doesn’t offer granular control over device and user settings (compared to Group Policy).
            • can't deploy Windows 10 operating systems.| *Table 4. Configuration setting management methods* @@ -271,9 +271,9 @@ Use the information in Table 6 to determine which combination of app and update |Selection|Management method| |--- |--- | -|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
            • Selected Configuration Manager to deploy Windows 10.
            • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
            • Want to manage AD DS domain-joined devices.
            • Have an existing AD DS infrastructure.
            • Typically manage on-premises devices.
            • Want to deploy operating systems.
            • Want to provide application management for the entire application life cycle.
              The advantages of this method are that:
            • You can deploy Windows 10 operating systems.
            • You can manage applications throughout the entire application life cycle.
            • You can manage software updates for Windows 10 and apps.
            • You can manage antivirus and malware protection.
            • It scales to large numbers of users and devices.
              The disadvantages of this method are that it:
            • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
            • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
            • Can only manage domain-joined (institution-owned devices).
            • Requires an AD DS infrastructure (if the institution does not have AD DS already).
            • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| -|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
              Select this method when you:
            • Selected MDT only to deploy Windows 10.
            • Want to manage institution-owned and personal devices that are not domain joined.
            • Want to manage Azure AD domain-joined devices.
            • Need to manage devices regardless of where they are (on or off premises).
            • Want to provide application management for the entire application life cycle.
              The advantages of this method are that:
            • You can manage institution-owned and personal devices.
            • It doesn’t require that devices be domain joined.
            • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
            • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
              The disadvantages of this method are that it:
            • Carries an additional cost for Intune subscription licenses.
            • Cannot deploy Windows 10 operating systems.| -|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
              Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
              Select this method when you:
            • Selected Microsoft Endpoint Manager to deploy Windows 10.
            • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
            • Want to manage domain-joined devices.
            • Want to manage Azure AD domain-joined devices.
            • Have an existing AD DS infrastructure.
            • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
            • Want to provide application management for the entire application life cycle.
              The advantages of this method are that:
            • You can deploy operating systems.
            • You can manage applications throughout the entire application life cycle.
            • You can scale to large numbers of users and devices.
            • You can support institution-owned and personal devices.
            • It doesn’t require that devices be domain joined.
            • It can manage devices regardless of their location (on or off premises).
              The disadvantages of this method are that it:
            • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
            • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
            • Carries an additional cost for Intune subscription licenses.
            • Requires an AD DS infrastructure (if the institution does not have AD DS already).| +|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
            • Selected Configuration Manager to deploy Windows 10.
            • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
            • Want to manage AD DS domain-joined devices.
            • Have an existing AD DS infrastructure.
            • Typically manage on-premises devices.
            • Want to deploy operating systems.
            • Want to provide application management for the entire application life cycle.
              The advantages of this method are that:
            • You can deploy Windows 10 operating systems.
            • You can manage applications throughout the entire application life cycle.
            • You can manage software updates for Windows 10 and apps.
            • You can manage antivirus and malware protection.
            • It scales to large numbers of users and devices.
              The disadvantages of this method are that it:
            • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
            • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
            • Can only manage domain-joined (institution-owned devices).
            • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
            • Typically manages on-premises devices (unless devices through VPN or DirectAccess).| +|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
              Select this method when you:
            • Selected MDT only to deploy Windows 10.
            • Want to manage institution-owned and personal devices that aren't domain joined.
            • Want to manage Azure AD domain-joined devices.
            • Need to manage devices regardless of where they are (on or off premises).
            • Want to provide application management for the entire application life cycle.
              The advantages of this method are that:
            • You can manage institution-owned and personal devices.
            • It doesn’t require that devices be domain joined.
            • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
            • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
              The disadvantages of this method are that it:
            • Carries an extra cost for Intune subscription licenses.
            • can't deploy Windows 10 operating systems.| +|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
              Configuration Manager and Intune in the hybrid configuration allows you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
              Select this method when you:
            • Selected Microsoft Endpoint Manager to deploy Windows 10.
            • Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
            • Want to manage domain-joined devices.
            • Want to manage Azure AD domain-joined devices.
            • Have an existing AD DS infrastructure.
            • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
            • Want to provide application management for the entire application life cycle.
              The advantages of this method are that:
            • You can deploy operating systems.
            • You can manage applications throughout the entire application life cycle.
            • You can scale to large numbers of users and devices.
            • You can support institution-owned and personal devices.
            • It doesn’t require that devices be domain joined.
            • It can manage devices regardless of their location (on or off premises).
              The disadvantages of this method are that it:
            • Carries an extra cost for Configuration Manager server licenses (if the institution doesn't have Configuration Manager already).
            • Carries an extra cost for Windows Server licenses and the corresponding server hardware.
            • Carries an extra cost for Intune subscription licenses.
            • Requires an AD DS infrastructure (if the institution doesn't have AD DS already).| *Table 6. App and update management products* @@ -288,7 +288,7 @@ Record the app and update management methods that you selected in Table 7. *Table 7. App and update management methods selected* #### Summary -In this section, you selected the methods that you will use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you will use to manage configuration settings. Finally, you selected the methods that you will use to manage Windows desktop apps, Microsoft Store apps, and software updates. +In this section, you selected the methods that you'll use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you'll use to manage configuration settings. Finally, you selected the methods that you'll use to manage Windows desktop apps, Microsoft Store apps, and software updates. ## Prepare the admin device @@ -307,7 +307,7 @@ For more information about installing the Windows ADK, see [Step 2-2: Install Wi ### Install MDT -Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It is a free tool available directly from Microsoft. +Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It's a free tool available directly from Microsoft. You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. > [!NOTE] 
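Review bot: In the Table 6 hunk, two bullet separators in the added cells were lost and replaced by a stray "v": the Intune row reads "It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location" and the hybrid row reads "Want to manage devices regardless of their connectivity.vWant to deploy operating systems." Restore the bullet break before "It can manage" and before "Want to deploy" so both render as separate items like their neighbours. Three smaller points in the same hunk: the Configuration Manager row runs "through integration with Intune.Configuration Manager supports" with no space after the period; the disadvantage "Typically manages on-premises devices (unless devices through VPN or DirectAccess)" is missing its verb (suggest "unless devices connect through VPN or DirectAccess"); and the Intune disadvantage "can't deploy Windows 10 operating systems." is the only bullet that starts lowercase. Finally, the row titled "Microsoft Endpoint Manager and Intune (hybrid)" and its bullet "Selected Microsoft Endpoint Manager to deploy Windows 10" name the on-premises product differently from the "Microsoft Endpoint Configuration Manager" row above it; pick one name and use it in both rows.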
@@ -345,7 +345,7 @@ For more information, see [Enable Configuration Manager Console Integration for #### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you'll configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. ## Create and configure Office 365 @@ -363,8 +363,8 @@ Complete the following steps to select the appropriate Office 365 Education lice |Plan |Advantages |Disadvantages | |----- |----------- |------------- | - |Office 365 Education |
              • Less expensive than Microsoft 365 Apps for enterprise
              • Can be run from any device
              • No installation necessary
              |
              • Must have an Internet connection to use it
              • Does not support all the features found in Microsoft 365 Apps for enterprise
              | - |Microsoft 365 Apps for enterprise |
              • Only requires an Internet connection every 30 days (for activation)
              • Supports the full set of Office features
              • Can be installed on five devices per user (there is no limit to the number of devices on which you can run Office apps online)
              |
              • Requires installation
              • More expensive than Office 365 Education
              | + |Office 365 Education |
              • Less expensive than Microsoft 365 Apps for enterprise
              • Can be run from any device
              • No installation necessary
              |
              • Must have an Internet connection to use it
              • Doesn't support all the features found in Microsoft 365 Apps for enterprise
              | + |Microsoft 365 Apps for enterprise |
              • Only requires an Internet connection every 30 days (for activation)
              • Supports the full set of Office features
              • Can be installed on five devices per user (there's no limit to the number of devices on which you can run Office apps online)
              |
              • Requires installation
              • More expensive than Office 365 Education
              | *Table 8. Comparison of standard and Microsoft 365 Apps for enterprise plans* @@ -385,7 +385,7 @@ Complete the following steps to select the appropriate Office 365 Education lice *Table 9. Office 365 Education license plans needed for the classroom* -You will use the Office 365 Education license plan information you record in Table 9 in [Create user accounts in Office 365](#create-user-accounts-in-office-365) later in this guide. +You'll use the Office 365 Education license plan information you record in Table 9 in [Create user accounts in Office 365](#create-user-accounts-in-office-365) later in this guide. ### Create a new Office 365 Education subscription @@ -399,7 +399,7 @@ To create a new Office 365 Education subscription for use in the classroom, use 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. > [!NOTE] - > If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: + > If you've already used your current sign-in account to create a new Office 365 subscription, you'll be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: > > - In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window. 
> @@ -408,7 +408,7 @@ To create a new Office 365 Education subscription for use in the classroom, use 2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**. - You will receive an email in your school email account. + You'll receive an email in your school email account. 3. Click the hyperlink in the email in your school email account. 4. On the **One last thing** page, complete your user information, and then click **Start**. @@ -418,9 +418,9 @@ The wizard creates your new Office 365 Education subscription, and you’re auto ### Add domains and subdomains -Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. +Now that you've created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you've subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. -#### To add additional domains and subdomains +#### To add more domains and subdomains 1. In the admin center, in the list view, click **DOMAINS**. 
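Review bot: In the "Add domains and subdomains" hunk, the rewrite "but you've subdomains for students or faculty" is ungrammatical: "have" is the main verb here (possession), so it cannot be contracted to "you've". Keep "but you have subdomains for students or faculty". The same mechanical contraction recurs in later hunks of this patch; only "you have" followed by a past participle ("you've created", "you've verified") should become "you've".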
@@ -444,12 +444,12 @@ To make it easier for faculty and students to join your Office 365 Education sub Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: * If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -* If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. +* If an Office 365 tenant with that domain name (contoso.edu) doesn't exist, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. -You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. +You'll always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. > [!NOTE] -> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. +> You can't merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. 
By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up). @@ -465,7 +465,7 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi ### Disable automatic licensing -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that don't require administrative approval. > [!NOTE] > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. 
@@ -485,7 +485,7 @@ When you create your Office 365 subscription, you create an Office 365 tenant th Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access). -The following Azure AD Premium features are not in Azure AD Basic: +The following Azure AD Premium features aren't in Azure AD Basic: * Allow designated users to manage group membership * Dynamic group membership based on user metadata @@ -498,7 +498,7 @@ The following Azure AD Premium features are not in Azure AD Basic: You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process. For more information about: 
@@ -507,18 +507,18 @@ For more information about: #### Summary -You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. +You provision and initially configure Office 365 Education as part of initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365. ## Select an Office 365 user account–creation method -Now that you have an Office 365 subscription, you must determine how you’ll create your Office 365 user accounts. Use one of the following methods to make your decision: +Now that you've an Office 365 subscription, you must determine how you’ll create your Office 365 user accounts. Use one of the following methods to make your decision: -* Method 1: Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. +* Method 1: Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you've an on-premises AD DS domain. * Method 2: Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. ### Method 1: Automatic synchronization between AD DS and Azure AD -In this method, you have an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. +In this method, you've an on-premises AD DS domain. 
As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. > [!NOTE] > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)). @@ -532,7 +532,7 @@ For more information about how to perform this step, see the [Integrate on-premi ### Method 2: Bulk import into Azure AD from a .csv file -In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. +In this method, you've no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. > [!div class="mx-imgBorder"] > ![Bulk import into Azure AD from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") 
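Review bot: In the "Select an Office 365 user account–creation method" hunk, three of the new contractions are wrong because "have" is the main verb: "Now that you've an Office 365 subscription", "Select this method if you've an on-premises AD DS domain", and "In this method, you've an on-premises AD DS domain". Revert each to "you have". The "you'll assign" and "you'll use" changes in the same hunk are fine.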
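Review bot: In the "Method 2: Bulk import into Azure AD from a .csv file" hunk, "In this method, you've no on-premises AD DS domain" should stay "you have no on-premises AD DS domain"; "have" is the main verb and cannot be contracted here.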
@@ -557,7 +557,7 @@ In this section, you selected the method for creating user accounts in your Offi You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. > [!NOTE] -> If your institution does not have an on-premises AD DS domain, you can skip this section. +> If your institution doesn't have an on-premises AD DS domain, you can skip this section. ### Select a synchronization model @@ -565,7 +565,7 @@ Before you deploy AD DS and Azure AD synchronization, determine where you want t You can deploy the Azure AD Connect tool: -- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. +- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. > [!div class="mx-imgBorder"] > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") 
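Review bot: In the "Select a synchronization model" hunk, dropping the comma in "Azure AD Connect runs on premises which has the advantage of not requiring a VPN connection to Azure" turns a nonrestrictive clause into a restrictive one, as if a different "premises" were being distinguished; keep "runs on premises, which has the advantage …" as in the removed line.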
@@ -595,7 +595,7 @@ In this synchronization model (illustrated in Figure 7), you run Azure AD Connec 4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features). -Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. +Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. ### Verify synchronization @@ -622,7 +622,7 @@ Azure AD Connect should start synchronization immediately. Depending on the numb The list of security group members should mirror the group membership for the corresponding security group in AD DS. 8. Close the browser. -Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. +Now that you've verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. #### Summary 
@@ -642,14 +642,14 @@ Several methods are available to bulk-import user accounts into AD DS domains. T |Method |Description and reason to select this method | |-------|---------------------------------------------| |Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)).| -|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).| +|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. 
For more information about using VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)).| |Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Windows PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| *Table 12. AD DS bulk-import account methods* ### Create a source file that contains the user and group accounts -After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 13 lists the source file format for the bulk import methods. +After you've selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 13 lists the source file format for the bulk import methods. |Method |Source file format | |-------|-------------------| 
@@ -674,7 +674,7 @@ For more information about how to import user accounts into AD DS by using: #### Summary -In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts into AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. +In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts into AD DS. If you've Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. ## Bulk-import user and group accounts into Office 365 
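Review bot: In the "Bulk-import user and group accounts into AD DS" summary hunk, "If you've Azure AD Connect, it automatically synchronizes" is ungrammatical ("have" is the main verb); keep "If you have Azure AD Connect".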
@@ -682,12 +682,12 @@ You can bulk-import user and group accounts directly into Office 365, reducing t ### Create user accounts in Office 365 -Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. +Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. > [!NOTE] > If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. -You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). +You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you've many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. 
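Review bot: In the "Create user accounts in Office 365" hunk, "If you've many users, however, you can automate the process" should remain "If you have many users"; the contraction is only valid when "have" is an auxiliary.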
@@ -719,14 +719,14 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teacher, administration, or student) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. > [!NOTE] -> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps. +> Office 365 can take some time to complete the Exchange Online creation process. You'll have to wait until the creation process ends before you can perform the following steps. For information about creating email distribution groups, see [Create a Microsoft 365 group in the admin center](/microsoft-365/admin/create-groups/create-groups). #### Summary -You have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. +You've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. ## Assign user licenses for Azure AD Premium 
@@ -749,7 +749,7 @@ This section shows you how to create a Microsoft Store for Business portal and c ### Create and configure your Microsoft Store for Business portal -To create and configure your Microsoft Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. +To create and configure your Microsoft Store for Business portal, use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator. #### To create and configure a Microsoft Store for Business portal 
@@ -769,17 +769,17 @@ After you create the Microsoft Store for Business portal, configure it by using |--------------|----------------------------| |Account information |Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Management Portal. For more information, see [Update Microsoft Store for Business account settings](/microsoft-store/update-microsoft-store-for-business-account-settings).| |Device Guard signing |Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).| -|LOB publishers |Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps).| +|LOB publishers |Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps).| |Management tools |Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool).| |Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. 
For more information, see the “Licensing model: online and offline licenses” section in [Apps in Microsoft Store for Business](/microsoft-store/apps-in-microsoft-store-for-business#licensing-model).| -|Permissions |Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business).| +|Permissions |Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you've previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business).| |Private store |Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store).| *Table 14. Menu selections to configure Microsoft Store for Business settings* ### Find, acquire, and distribute apps in the portal -Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Microsoft Store for Business. +Now that you've created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you'll add to your portal. You do this task from the **Inventory** page in Microsoft Store for Business. 
> [!NOTE] > Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. 
@@ -790,18 +790,18 @@ For more information about how to find, acquire, and distribute apps in the port #### Summary -At the end of this section, you should have a properly configured Microsoft Store for Business portal. You have also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users. +At the end of this section, you should have a properly configured Microsoft Store for Business portal. You've also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users. ## Plan for deployment -You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. +You'll use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you'll use, the approach you'll use to create your Windows 10 images, and the method you'll use to initiate the LTI deployment process. ### Select the operating systems -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. In the case of: +Later in the process, you'll import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. 
In the case of: -* New devices or refreshing existing devices, you will completely replace the existing operating system on a device with Windows 10. -* Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. +* New devices or refreshing existing devices, you'll completely replace the existing operating system on a device with Windows 10. +* Upgrading existing devices, you'll upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: 
@@ -819,12 +819,12 @@ Depending on your school’s requirements, you may need any combination of the f For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. +One other consideration is the mix of processor architectures you'll support. If you can, support only 64-bit versions of Windows 10. If you've devices that can run only 32-bit versions of Windows 10, you'll need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. > [!NOTE] > On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you can't standardize personal devices on a specific operating system version or processor architecture. ### Select an image approach 
@@ -842,7 +842,7 @@ The LTI deployment process is highly automated: it requires minimal information |Method|Description and reason to select this method| |--- |--- | |Windows Deployment Services|This method:
            • Uses diskless booting to initiate LTI and ZTI deployments.
            • Works only with devices that support PXE boot.
            • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
            • Deploys images more slowly than when you use local media.
            • Requires that you deploy a Windows Deployment Services server.

              Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.| -|Bootable media|This method:
            • Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
            • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
            • Deploys images more slowly than when using local media.
            • Requires no additional infrastructure.

              Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.| +|Bootable media|This method:
            • Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
            • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
            • Deploys images more slowly than when using local media.
            • Requires no extra infrastructure.

              Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.| |Deployment media|This method:
            • Initiates LTI or ZTI deployment by booting from a local USB hard disk.
            • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
            • Deploys images more quickly than network-based methods do.
            • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).

              Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. *Table 15. Methods to initiate LTI and ZTI deployments* @@ -861,10 +861,10 @@ The first step in preparing for Windows 10 deployment is to configure—that is, |Task|Description| |--- |--- | |1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
              Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| -|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
              Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
            • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
            • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.

              If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
              If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
              In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
            • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
            • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| -|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
              To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
              If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
              This is the preferred method for deploying and managing Windows desktop apps.
              **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
              For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| -|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
            • Deploy 64-bit Windows 10 Education to devices.
            • Deploy 32-bit Windows 10 Education to devices.
            • Upgrade existing devices to 64-bit Windows 10 Education.
            • Upgrade existing devices to 32-bit Windows 10 Education.

              Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| +|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.
              Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
              Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files by performing one of the following tasks:
            • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
            • For apps that aren't offline licensed, obtain the .appx files from the app software vendor directly.

              If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
              If you've Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
              In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
            • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
            • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).| +|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you've sufficient licenses for them.
              To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
              If you've Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
              This is the preferred method for deploying and managing Windows desktop apps.
              **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
              For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| +|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
            • Deploy 64-bit Windows 10 Education to devices.
            • Deploy 32-bit Windows 10 Education to devices.
            • Upgrade existing devices to 64-bit Windows 10 Education.
            • Upgrade existing devices to 32-bit Windows 10 Education.

              Again, you'll create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| |6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
              For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| *Table 16. Tasks to configure the MDT deployment share* @@ -872,9 +872,9 @@ The first step in preparing for Windows 10 deployment is to configure—that is, ### Configure Microsoft Endpoint Configuration Manager > [!NOTE] -> If you have already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. +> If you've already configured your Microsoft Endpoint Manager infrastructure to support the operating system deployment feature or if you selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next section. -Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you will need to deploy a new infrastructure. +Before you can use Configuration Manager to deploy Windows 10 and manage your apps and devices, you must configure Configuration Manager to support the operating system deployment feature. If you don’t have an existing Configuration Manager infrastructure, you'll need to deploy a new infrastructure. Deploying a new Configuration Manager infrastructure is beyond the scope of this guide, but the following resources can help you deploy a new Configuration Manager infrastructure: 
@@ -889,17 +889,17 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment). 2. Add the Windows PE boot images, Windows 10 operating systems, and other content. - You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you will use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. + You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you'll use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). 3. Add device drivers. - You must add device drivers for the different device types in your district. For example, if you have a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device. + You must add device drivers for the different device types in your district. For example, if you've a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device. 
Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers). 4. Add Windows apps. - Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. + Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that includes Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you can't capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications). 
@@ -921,14 +921,14 @@ You can use Windows Deployment Services in conjunction with MDT to automatically 2. Add LTI boot images (Windows PE images) to Windows Deployment Services. - The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder. + The LTI boot images (.wim files) that you'll add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). ### Configure Windows Deployment Services for Microsoft Endpoint Configuration Manager > [!NOTE] -> If you have already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next. +> If you've already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next. You can use Windows Deployment Services in conjunction with Configuration Manager to automatically initiate boot images on target devices. These boot images are Windows PE images that you use to boot the target devices, and then initiate Windows 10, app, and device driver deployment. 
@@ -955,7 +955,7 @@ You can use Windows Deployment Services in conjunction with Configuration Manage #### Summary -Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You have set up and configured Windows Deployment Services for MDT and for Configuration Manager. You have also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you have in your district. +Your MDT deployment share and Microsoft Endpoint Manager are now ready for deployment. Windows Deployment Services is ready to initiate the LTI or ZTI deployment process. You've set up and configured Windows Deployment Services for MDT and for Configuration Manager. You've also ensured that your boot images are available to Windows Deployment Services (for LTI) or the distribution points (for ZTI and Configuration Manager). Now, you’re ready to capture the reference images for the different devices you've in your district. ## Capture the reference image 
@@ -963,7 +963,7 @@ The reference device is a device that you use as the template for all the other After you deploy Windows 10 and the desktop apps to the reference device, you capture an image of the device (the reference image). You import the reference image to an MDT deployment share or into Configuration Manager. Finally, you create a task sequence to deploy the reference image to faculty and student devices. -You will capture multiple reference images, one for each type of device that you have in your organization. You perform the steps in this section for each image (device) that you have in your district. Use LTI in MDT to automate the deployment and capture of the reference image. +You'll capture multiple reference images, one for each type of device that you've in your organization. You perform the steps in this section for each image (device) that you've in your district. Use LTI in MDT to automate the deployment and capture of the reference image. > [!NOTE] > You can use LTI in MDT or Configuration Manager to automate the deployment and capture of the reference image, but this guide only discusses how to use LTI in MDT to capture the reference image. 
@@ -991,7 +991,7 @@ You initially configured the MDT deployment share in the [Configure the MDT depl A *selection profile* lets you select specific device drivers. For example, if you want to deploy the device drivers for a Surface Pro 4 device, you can create a selection profile that contains only the Surface Pro 4 device drivers. - First, in the Out-of-Box Drivers node in the Deployment Workbench, create a folder that will contain your device drivers. Next, import the device drivers into the folder you just created. Finally, create the selection profile and specify the folder that contains the device drivers. For more information, see the following resources: + First, in the Out-of-Box Drivers node in the Deployment Workbench, create a folder that will contain your device drivers. Next, import the device drivers into the folder you created. Finally, create the selection profile and specify the folder that contains the device drivers. For more information, see the following resources: * [Create Folders to Organize Device Drivers for LTI Deployments](/mem/configmgr/mdt/use-the-mdt#CreateFolderstoOrganizeDeviceDriversforLTIDeployments) * [Create Selection Profiles to Select the Device Drivers for LTI Deployments](/mem/configmgr/mdt/use-the-mdt#CreateSelectionProfilestoSelecttheDeviceDriversforLTIDeployments) 
@@ -1019,7 +1019,7 @@ In most instances, deployments occur without incident. Only in rare occasions do ### Import reference image -After you have captured the reference image (.wim file), import the image into the MDT deployment share or into Configuration Manager (depending on which method you selected to perform Windows 10 deployments). You will deploy the reference image to the student and faculty devices in your district. +After you've captured the reference image (.wim file), import the image into the MDT deployment share or into Configuration Manager (depending on which method you selected to perform Windows 10 deployments). You'll deploy the reference image to the student and faculty devices in your district. Both the Deployment Workbench and the Configuration Manager console have wizards that help you import the reference image. After you import the reference image, you need to create a task sequence that will deploy the reference image. 
@@ -1030,9 +1030,9 @@ For more information about how to import the reference image into: ### Create a task sequence to deploy the reference image -You created an LTI task sequence in the Deployment Workbench earlier in this process to deploy Windows 10 and your desktop apps to the reference device. Now that you have captured and imported your reference image, you need to create a tasks sequence to deploy it. +You created an LTI task sequence in the Deployment Workbench earlier in this process to deploy Windows 10 and your desktop apps to the reference device. Now that you've captured and imported your reference image, you need to create a tasks sequence to deploy it. -As you might expect, both the Deployment Workbench and the Configuration Manager console have wizards that help you create a starting task sequence. After you create your task sequence, in most instances you will need to customize it to deploy additional apps, device drivers, and other software. +As you might expect, both the Deployment Workbench and the Configuration Manager console have wizards that help you create a starting task sequence. After you create your task sequence, in most instances you'll need to customize it to deploy more apps, device drivers, and other software. For more information about how to create a task sequence in the: 
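Review bot: the first rewritten line in this hunk carries over the typo "a tasks sequence"; since the line is being touched anyway, change it to "a task sequence". The rest of the hunk ("Now that you've captured", "you'll need to customize") is fine, because "have" and "will" are auxiliaries there.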
@@ -1044,7 +1044,7 @@ In this section, you customized the MDT deployment share to deploy Windows 10 an ## Prepare for device management -Before you deploy Windows 10 in your district, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. +Before you deploy Windows 10 in your district, you must prepare for device management. You'll deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. You also want to deploy apps and software updates after you deploy Windows 10. You need to manage apps and updates by using Configuration Manager, Intune, or a combination of both (hybrid model). @@ -1055,17 +1055,17 @@ Microsoft has several recommended settings for educational institutions. Table 1 > [!NOTE] > The settings for Intune in Table 17 also apply to the Configuration Manager and Intune management (hybrid) method. -Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. +Use the information in Table 17 to help you determine whether you need to configure the setting and which method you'll use to do so. At the end, you'll have a list of settings that you want to apply to the Windows 10 devices and know which management method you'll use to configure the settings. |Recommendation|Description| |--- |--- | -|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
              **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
              **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
              ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| -|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
              **Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
              **Intune**. Not available.| +|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
              **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
              **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
              ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| +|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
              **Group Policy**. Create a Local Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
              **Intune**. Not available.| |Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.
              **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).
              **Intune**. Not available.| |Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
              **Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?
              **Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.| |Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
              **Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
              **Intune**. Not available.| |Use of camera|A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.
              **Group policy**. Not available.
              **Intune**. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy.| -|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
              **Group policy**. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).
              **Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.| +|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
              **Group policy**. To disable the Sound Recorder app, use the don't allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).
              **Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.| |Use of screen capture|Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.
              **Group policy**. Not available.
              **Intune**. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy.| |Use of location services|Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.
              **Group policy**. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.
              **Intune**. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy.| |Changing wallpaper|Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.
              **Group policy**. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.
              **Intune**. Not available.| @@ -1076,7 +1076,7 @@ Use the information in Table 17 to help you determine whether you need to config ### Configure settings by using Group Policy -Now, you’re ready to use Group Policy to configure settings. The steps in this section assume that you have an AD DS infrastructure. Here, you configure the Group Policy settings you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to use Group Policy to configure settings. The steps in this section assume that you've an AD DS infrastructure. Here, you configure the Group Policy settings you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Group Policy, see [Group Policy Planning and Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)). @@ -1090,7 +1090,7 @@ For more information about Group Policy, see [Group Policy Planning and Deployme ### Configure settings by using Intune -Now, you’re ready to use Intune to configure settings. The steps in this section assume that you have an Office 365 subscription. Here, you configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to use Intune to configure settings. The steps in this section assume that you've an Office 365 subscription. Here, you configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Intune, see [Microsoft Intune Documentation](/intune/). 
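Review bot: several changes in this region alter technical meaning rather than style and should be reverted. In the @@ -1055 hunk, "Do not allow Sound Recorder to run" is the literal name of the Group Policy setting; rewriting it as "the don't allow Sound Recorder to run Group Policy setting" leaves an admin unable to find the setting by name, so keep the original wording (ideally set off in bold or quotes like the other setting names in the table). In the same hunk, "Create a Local Group Group Policy preference" refers to a Group Policy Preferences item of type "Local Group" (the item that exposes the "Delete all member users" and "Delete all member groups" check boxes named in the next sentence); the new "Local Group Policy preference" reads as the local GPO, which cannot enforce local administrator membership across a group of domain devices, so the doubled word was correct, or reword to "Create a Local Group item under Group Policy Preferences". Also in that row, "instruction-owned devices" should be "institution-owned devices", and the malformed "****Intune**.**" bold markup is carried over unchanged. In the @@ -1076 and @@ -1090 hunks, "assume that you've an AD DS infrastructure" and "assume that you've an Office 365 subscription" are ungrammatical; "have" is the main verb there, so keep "you have".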
@@ -1108,7 +1108,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/ If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section. -You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages. +You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that aren't enrolled in Intune or that another solution manages. For more information about how to configure Intune to manage your apps, see the following resources: 
@@ -1198,7 +1198,7 @@ In most instances, deployments occur without incident. Only in rare occasions do ### Set up printers -After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to [Verify deployment](#verify-deployment). +After you've deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to [Verify deployment](#verify-deployment). > [!NOTE] > If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to [Verify deployment](#verify-deployment). @@ -1211,7 +1211,7 @@ After you have deployed Windows 10, the devices are almost ready for use. First, 3. Copy the printer drivers to a USB drive. -4. On a device, use the same account you used to set up Windows 10 in the [Prepare for deployment](#prepare-for-deployment) section to log on to the device. +4. On a device, use the same account you used to set up Windows 10 in the [Prepare for deployment](#prepare-for-deployment) section to sign in to the device. 5. Plug the USB drive into the device. 
@@ -1233,7 +1233,7 @@ As a final quality control step, verify the device configuration to ensure that * All Windows desktop apps are properly installed and updated. * Printers are properly configured. -When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. +When you've verified that the first device is properly configured, you can move to the next device and perform the same steps. #### Summary @@ -1251,7 +1251,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour |Task and resources|Monthly|New semester or academic year|As required| |--- |--- |--- |--- | -|Verify that Windows Update is active and current with operating system and software updates.
              For more information about completing this task when you have:
            • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
            • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
            • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
              Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️| +|Verify that Windows Update is active and current with operating system and software updates.
              For more information about completing this task when you have:
            • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/mem/intune/protect/windows-update-for-business-configure)
            • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
            • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
              Neither Intune, Group Policy, nor WSUS, see "Install, upgrade, & activate" in Windows 10 help.|✔️|✔️|✔️| |Verify that Windows Defender is active and current with malware Security intelligence.
              For more information about completing this task, see [Turn Windows Defender on or off](/mem/intune/user-help/turn-on-defender-windows) and [Updating Windows Defender](/mem/intune/user-help/turn-on-defender-windows).|✔️|✔️|✔️| |Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
              For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️| |Download and approve updates for Windows 10, apps, device driver, and other software.
              For more information, see:
            • [Manage updates by using Intune](#manage-updates-by-using-intune)
            • [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️| @@ -1259,9 +1259,9 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour |Refresh the operating system and apps on devices.
              For more information about completing this task, see the following resources:
            • [Prepare for deployment](#prepare-for-deployment)
            • [Capture the reference image](#capture-the-reference-image)
            • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️| |Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
              For more information, see:
            • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
            • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| |Install new or update existing Microsoft Store apps used in the curriculum.
              Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
              You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
              For more information, see:
            • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
            • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️| -|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
              For more information about how to:
            • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
            • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| -|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
              For more information about how to:
            • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
            • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| -|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
              For more information about how to:
            • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
            • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you've an on-premises AD DS infrastructure).
              For more information about how to:
            • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
            • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| +|Add new accounts (and corresponding licenses) to AD DS (if you've an on-premises AD DS infrastructure).
              For more information about how to:
            • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
            • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️| +|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you don't have an on-premises AD DS infrastructure).
              For more information about how to:
            • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
            • Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| |Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
              For more information about how to:
            • Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
            • Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️| |Create or modify security groups, and manage group membership in Office 365.
              For more information about how to:
            • Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)
            • Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️| |Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
              For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️| @@ -1271,7 +1271,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour #### Summary -You have now identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your district and individual school configuration should match the typical school configuration you saw in the [Plan a typical district configuration](#plan-a-typical-district-configuration) section. By performing these maintenance tasks, you help ensure that your district as a whole stays secure and is configured as you specified. +You've now identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your district and individual school configuration should match the typical school configuration you saw in the [Plan a typical district configuration](#plan-a-typical-district-configuration) section. By performing these maintenance tasks, you help ensure that your district as a whole stays secure and is configured as you specified. ## Related topics diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index fa698dfbff..b618ca7b09 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md 
@@ -20,11 +20,11 @@ manager: dansimp - Windows 10 -This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system. +This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you'll perform after initial deployment and the automated tools and built-in features of the operating system. ## Prepare for school deployment -Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. As with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. +Proper preparation is essential for a successful school deployment. 
To avoid common mistakes, your first step is to plan a typical school configuration. As with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you'll configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. ### Plan a typical school configuration @@ -58,7 +58,7 @@ This school configuration has the following characteristics: > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. - The devices use Azure AD in Office 365 Education for identity management. -- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). +- If you've on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity). - Use [Intune](/mem/intune/), [Set up Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/set-up), or Group Policy in AD DS to manage devices. - Each device supports a one-student-per-device or multiple-students-per-device scenario. - The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. 
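Review bot: in the @@ -58 hunk, "If you've on-premises AD DS, you can ..." is ungrammatical ("have" is the main verb); keep "If you have on-premises AD DS". In the @@ -20 hunk, the rewritten "Proper preparation is essential for a successful school deployment. " ends in a trailing space and the rest of the paragraph appears on a new line; the header @@ -20,11 +20,11 @@ reports no change in line count, so confirm this is only wrapping in the rendering and not an accidental paragraph split, and trim the trailing space either way.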
@@ -86,15 +86,15 @@ For more information about Office 365 Education features and a FAQ, go to [Offic ## How to configure a school -Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. +Now that you've the plan (blueprint) for your classroom, you’re ready to learn about the tools you'll use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. -The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). +The primary tool you'll use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments. MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. 
You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. +LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You'll learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with [Microsoft Endpoint Manager](/mem/), the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. 
@@ -102,13 +102,13 @@ The configuration process requires the following devices: - **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. - **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. +- **Student devices.** The students will use these devices. You'll use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: 1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. -2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. -3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). +2. On the admin device, create and configure the Office 365 Education subscription that you'll use for each classroom in the school. +3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you've an on premises AD DS configuration). 4. On the admin device, create and configure a Microsoft Store for Business portal. 5. On the admin device, prepare for management of the Windows 10 devices after deployment. 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. 
@@ -161,7 +161,7 @@ For more information about how to create a deployment share, see [Step 3-1: Crea ### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you'll configure and use later in the LTI deployment process. ## Create and configure Office 365 @@ -182,8 +182,8 @@ Complete the following steps to select the appropriate Office 365 Education lice --- | Plan | Advantages | Disadvantages | | --- | --- | --- | -| Standard | - Less expensive than Microsoft 365 Apps for enterprise
              - Can be run from any device
              - No installation necessary | - Must have an Internet connection to use it
              - Does not support all the features found in Microsoft 365 Apps for enterprise | -| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
              - Supports full set of Office features | - Requires installation
              - Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online) | +| Standard | - Less expensive than Microsoft 365 Apps for enterprise
              - Can be run from any device
              - No installation necessary | - Must have an Internet connection to use it
              - Doesn't support all the features found in Microsoft 365 Apps for enterprise | +| Office ProPlus | - Only requires an Internet connection every 30 days (for activation)
              - Supports full set of Office features | - Requires installation
              - Can be installed on only five devices per user (there's no limit to the number of devices on which you can run Office apps online) | --- @@ -207,7 +207,7 @@ The best user experience is to run Microsoft 365 Apps for enterprise or use nati --- -You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. +You'll use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. ### Create a new Office 365 Education subscription 
@@ -220,20 +220,20 @@ To create a new Office 365 Education subscription for use in the classroom, use 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window. Your options: + If you've already used your current sign-in account to create a new Office 365 subscription, you'll be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window. Your options: - In Microsoft Edge, select Ctrl+Shift+N. Or, select **More actions** > **New InPrivate window**. - In Internet Explorer, select Ctrl+Shift+P. Or, select **Settings** > **Safety** > **InPrivate Browsing**. -2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. +2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You'll receive an email in your school email account. 3. Click the hyperlink in the email in your school email account. -4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. +4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you're automatically signed in as the administrative user you specified when you created the subscription. 
### Add domains and subdomains -Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has `contoso.edu` as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. +Now that you've created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has `contoso.edu` as the primary domain name but you've subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. -#### To add additional domains and subdomains +#### To add more domains and subdomains 1. In the admin center, in the list view, click **DOMAINS**. 2. In the details pane, above the list of domains, on the menu bar, click **Add domain**. 
@@ -252,12 +252,12 @@ To make it easier for faculty and students to join your Office 365 Education sub Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: - If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. +- If an Office 365 tenant with that domain name (contoso.edu) doesn't exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. -You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. +You'll always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. > [!NOTE] -> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. +> You can't merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. 
All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up#how-can-i-prevent-students-from-joining-my-existing-office-365-tenant). @@ -276,7 +276,7 @@ All new Office 365 Education subscriptions have automatic tenant join enabled by ### Disable automatic licensing -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. +To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that don't require administrative approval. > [!NOTE] > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. 
@@ -299,7 +299,7 @@ When you create your Office 365 subscription, you create an Office 365 tenant th Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access). -The Azure AD Premium features that are not in Azure AD Basic include: +The Azure AD Premium features that aren't in Azure AD Basic include: - Allow designated users to manage group membership - Dynamic group membership based on user metadata @@ -313,7 +313,7 @@ The Azure AD Premium features that are not in Azure AD Basic include: You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. +You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You'll assign Azure AD Premium licenses to users later in the deployment process. For more information, see: 
@@ -321,19 +321,19 @@ For more information, see: - [Sign up for Azure Active Directory Premium](/azure/active-directory/fundamentals/active-directory-get-started-premium) ### Summary -You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. +You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if necessary), you’re ready to select the method you'll use to create user accounts in Office 365. ## Select an Office 365 user account–creation method -Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: +Now that you've an Office 365 subscription, you need to determine how you'll create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: -- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. +- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you've an on-premises AD DS domain. - **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. ### Method 1: Automatic synchronization between AD DS and Azure AD -In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. 
When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. +In this method, you've an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. > [!NOTE] > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [LDAP synchronization with Azure Active Directory](/azure/active-directory/fundamentals/sync-ldap). @@ -346,7 +346,7 @@ For more information about how to perform this step, see the [Integrate on-premi ### Method 2: Bulk import into Azure AD from a .csv file -In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a `.csv` file with the student information from your source, and then manually import the information directly into Azure AD. The `.csv` file must be in the format that Office 365 specifies. +In this method, you've no on-premises AD DS domain. As shown in Figure 5, you manually prepare a `.csv` file with the student information from your source, and then manually import the information directly into Azure AD. The `.csv` file must be in the format that Office 365 specifies. :::image type="content" source="images/deploy-win-10-school-figure5.png" alt-text="Create a csv file with student information, and import the csv file into Azure AD."::: 
@@ -366,7 +366,7 @@ In this section, you selected the method for creating user accounts in your Offi You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. > [!NOTE] -> If your institution does not have an on-premises AD DS domain, you can skip this section. +> If your institution doesn't have an on-premises AD DS domain, you can skip this section. ### Select synchronization model 
@@ -374,13 +374,13 @@ Before you deploy AD DS and Azure AD synchronization, you need to determine wher You can deploy the Azure AD Connect tool by using one of the following methods: -- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. +- **On premises**: As shown in Figure 6, Azure AD Connect runs on premises, which have the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. :::image type="content" source="images/deploy-win-10-school-figure6.png" alt-text="Azure AD Connect runs on-premises and uses a virtual machine."::: *Figure 6. Azure AD Connect on premises* -- **In Azure**: As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. +- **In Azure**: As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. :::image type="content" source="images/deploy-win-10-school-figure7.png" alt-text="Azure AD Connect runs on a VM in Azure AD, and uses a VPN gateway on-premises."::: 
@@ -399,7 +399,7 @@ In this synchronization model (illustrated in Figure 6), you run Azure AD Connec 3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-select-installation). 4. Configure Azure AD Connect features based on your institution’s requirements. For more information, see [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis). -Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. +Now that you've used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. ### Verify synchronization @@ -417,7 +417,7 @@ Azure AD Connect should start synchronization immediately. Depending on the numb 8. The list of security group members should mirror the group membership for the corresponding security group in AD DS. 9. Close the browser. -Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. +Now that you've verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. ### Summary 
@@ -447,7 +447,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T ### Create a source file that contains the user and group accounts -After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. +After you've selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. *Table 6. Source file format for each bulk import method* 
@@ -475,7 +475,7 @@ For more information about how to import user accounts into AD DS by using: ### Summary -In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. +In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you've Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. ## Bulk-import user accounts into Office 365 
@@ -483,9 +483,9 @@ You can bulk-import user and group accounts directly into Office 365, reducing t ### Create user accounts in Office 365 -Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. +Now that you've created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. -You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). +You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you've many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. 
@@ -517,13 +517,13 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. > [!NOTE] -> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. +> Office 365 can take some time to complete the Exchange Online creation process. You'll have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. For information about how to create security groups, see [Create a group in the Microsoft 365 admin center](/microsoft-365/admin/create-groups/create-groups). ### Summary -Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. +Now, you've bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. ## Assign user licenses for Azure AD Premium 
@@ -572,17 +572,17 @@ After you create the Microsoft Store for Business portal, configure it by using |---|---| | Account information | Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure portal. For more information, see [Update Microsoft Store for Business account settings](/microsoft-store/update-microsoft-store-for-business-account-settings).| | Device Guard signing | Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). | -| LOB publishers | Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps). | +| LOB publishers | Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps). | | Management tools | Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool). | | Offline licensing | Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](/microsoft-store/apps-in-microsoft-store-for-business#licensing-model). 
| -| Permissions | Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business). | +| Permissions | Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you've previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business). | | Private store | Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store). | --- ### Find, acquire, and distribute apps in the portal -Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Microsoft Store for Business. +Now that you've created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you'll add to your portal. You do this task by using the Inventory page in Microsoft Store for Business. > [!NOTE] > Your educational institution can now use a credit card to pay for apps in Microsoft Store for Business. 
@@ -593,18 +593,18 @@ For more information about how to find, acquire, and distribute apps in the port ### Summary -At the end of this section, you should have a properly configured Microsoft Store for Business portal. You have also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users. +At the end of this section, you should have a properly configured Microsoft Store for Business portal. You've also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users. ## Plan for deployment -You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. +You'll use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you'll use, the approach you'll use to create your Windows 10 images, and the method you'll use to initiate the LTI deployment process. ### Select the operating systems -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. If: +Later in the process, you'll import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. 
If: -- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. -- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. +- New devices or refreshing existing devices, you'll complete replace the existing operating system on a device with Windows 10. +- Upgrading existing devices, you'll upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: 
@@ -618,14 +618,14 @@ Depending on your school’s requirements, you may need any combination of the f - **Windows 10 Pro Education**. Use this operating system to upgrade existing eligible institution-owned devices running Windows 10 Pro Education, version 1903 or later, to Windows 10 Education using [subscription activation](/windows/deployment/windows-10-subscription-activation). > [!NOTE] -> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home. +> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features aren't available in Windows 10 Home. -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. +One other consideration is the mix of processor architectures you'll support. If you can, support only 64-bit versions of Windows 10. If you've devices that can run only 32-bit versions of Windows 10, you'll need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. > [!NOTE] > On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. 
If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). You cannot standardize personal devices on a specific operating system version or processor architecture. +Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). You can't standardize personal devices on a specific operating system version or processor architecture. ### Select an image approach @@ -645,7 +645,7 @@ The MDT deployment process is highly automated, requiring minimal information to | Method | Description and reason to select this method | | --- | --- | | **Windows Deployment Services** | This method:

              - Uses diskless booting to initiate MDT deployment
              - Works only with devices that support PXE boot.
              - Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
              -Deploys images more slowly than when using local media.
              - Requires that you deploy a Windows Deployment Services server.

              Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. | -| **Bootable media** | This method:

              - Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
              - Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
              - Deploys images more slowly than when using local media.
              - Requires no additional infrastructure.

              Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. | +| **Bootable media** | This method:

              - Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
              - Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
              - Deploys images more slowly than when using local media.
              - Requires no extra infrastructure.

              Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. | | **MDT deployment media** | This method:

              - Initiates MDT deployment by booting from a local USB hard disk.
              - Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
              - Deploys images more quickly than network-based methods do.
              - Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).

              Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk. | --- @@ -668,10 +668,10 @@ The first step in preparation for Windows 10 deployment is to configure—that i | Task | Description | | --- | --- | | **1. Import operating systems** | Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench). | -| **2. Import device drives** | Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

              Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). | -| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

              Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

              If you have Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

              In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

              - Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).
              - Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | -| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

              To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

              If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

              You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

              For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | -| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

              - Deploy Windows 10 Education 64-bit to devices.
              - Deploy Windows 10 Education 32-bit to devices.
              - Upgrade existing devices to Windows 10 Education 64-bit.
              - Upgrade existing devices to Windows 10 Education 32-bit.

              Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). | +| **2. Import device drives** | Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device can't play sounds; without the proper camera driver, the device can't take photos or use video chat.

              Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). | +| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

              Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you'll use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you'll need to obtain the .appx files from the app software vendor directly. If you're unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

              If you've Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This method is the preferred one for deploying and managing Microsoft Store apps.

              In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

              - Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).
              - Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you've sufficient licenses for them.

              To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).

              If you've Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This method is the preferred one for deploying and managing Windows desktop apps.

              You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

              For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). | +| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:

              - Deploy Windows 10 Education 64-bit to devices.
              - Deploy Windows 10 Education 32-bit to devices.
              - Upgrade existing devices to Windows 10 Education 64-bit.
              - Upgrade existing devices to Windows 10 Education 32-bit.

              Again, you'll create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). | | **6. Update the deployment share.** | Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

              For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| --- 
@@ -692,19 +692,19 @@ You can use Windows Deployment Services with MDT to automatically initiate boot 2. Add LTI boot images (Windows PE images) to Windows Deployment Services. - The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). + The LTI boot images (.wim files) that you'll add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices). ### Summary -Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. +Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You've set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. ## Prepare for device management -Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. +Before you deploy Windows 10 in your institution, you must prepare for device management. 
You'll deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. ### Select the management method -If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is difficult as the number of devices in the school increases. +If you've only one device to configure, manually configuring that one device is tedious but possible. When you've multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is difficult as the number of devices in the school increases. For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. @@ -713,23 +713,23 @@ For a school, there are many ways to manage devices. Table 10 lists the methods --- | Method | Description | | --- | --- | -| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:

              - Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
              - Want more granular control of device and user settings.
              - Have an existing AD DS infrastructure.
              - Typically manage on-premises devices.
              - Can manage a required setting only by using Group Policy.

              The advantages of this method include:

              - No cost beyond the AD DS infrastructure.
              - A larger number of settings.

              The disadvantages of this method are:

              - Can only manage domain-joined (institution-owned devices).
              - Requires an AD DS infrastructure (if the institution does not have AD DS already).
              - Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | -| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.

              Select this method when you:

              - Want to manage institution-owned and personal devices (does not require that the device be domain joined).
              - Don’t require the level of granular control over device and user settings (compared to Group Policy).
              - Don’t have an existing AD DS infrastructure.
              - Need to manage devices regardless of where they are (on or off premises).
              - Can manage a required setting only by using Intune.

              The advantages of this method are:

              - You can manage institution-owned and personal devices.
              - It doesn’t require that devices be domain joined.
              - It doesn’t require any on-premises infrastructure.
              - It can manage devices regardless of their location (on or off premises).

              The disadvantages of this method are:

              - Carries an additional cost for subscription.
              - Doesn’t have a granular level control over device and user settings (compared to Group Policy). | +| **Group Policy** | Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you:

              - Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
              - Want more granular control of device and user settings.
              - Have an existing AD DS infrastructure.
              - Typically manage on-premises devices.
              - Can manage a required setting only by using Group Policy.

              The advantages of this method include:

              - No cost beyond the AD DS infrastructure.
              - A larger number of settings.

              The disadvantages of this method are:

              - Can only manage domain-joined (institution-owned devices).
              - Requires an AD DS infrastructure (if the institution doesn't have AD DS already).
              - Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess). | +| **Intune** | Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10 and other operating systems, such as iOS/iPadOS, macOS, and Android. Intune is a subscription-based cloud service that integrates with Microsoft 365 and Azure AD.

              Select this method when you:

              - Want to manage institution-owned and personal devices (doesn't require that the device be domain joined).
              - Don’t require the level of granular control over device and user settings (compared to Group Policy).
              - Don’t have an existing AD DS infrastructure.
              - Need to manage devices regardless of where they are (on or off premises).
              - Can manage a required setting only by using Intune.

              The advantages of this method are:

              - You can manage institution-owned and personal devices.
              - It doesn’t require that devices be domain joined.
              - It doesn’t require any on-premises infrastructure.
              - It can manage devices regardless of their location (on or off premises).

              The disadvantages of this method are:

              - Carries an extra cost for subscription.
              - Doesn’t have a granular level control over device and user settings (compared to Group Policy). | --- ### Select Microsoft-recommended settings -Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. +Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you'll use to do so. At the end, you'll have a list of settings that you want to apply to the Windows 10 devices and know which management method you'll use to configure the settings. *Table 11. Recommended settings for educational institutions* --- | Recommendation | Description | | --- | --- | -| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

              Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

              **Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

              **Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | +| **Use of Microsoft accounts** | You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, don't use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

              Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

              **Group Policy**: Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)?amp;MSPPError=-2147217396&f=255) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

              **Intune**: Enable or disable Microsoft accounts by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. | | **Restrict local administrator accounts on the devices** | Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

              **Group Policy**: Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732525(v=ws.11)).

              **Intune**: Not available | -| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

              **Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).

              **Intune**: Not available. | +| **Manage the built-in administrator account created during device deployment** | When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

              **Group Policy**: Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You'll specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).

              **Intune**: Not available. | | **Control Microsoft Store access** | You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

              **Group Policy**: You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP).

              **Intune**: You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. | | **Use of Remote Desktop connections to devices** | Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

              **Group Policy**: You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

              **Intune**: Not available. | | **Use of camera** | A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

              **Group Policy**: Not available.

              **Intune**: You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. | @@ -742,7 +742,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 ### Configure settings by using Group Policy -Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you've an AD DS infrastructure. You'll configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Group Policy, see [Group Policy Planning and Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)). 
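Review bot: the **Control Microsoft Store access** row in this table still carries a copy-paste error in its Intune cell that the rewrite of the neighbouring **Manage the built-in administrator account** row leaves untouched: "You can enable or disable the camera by using the **Allow application store** policy setting" is the sentence from the **Use of camera** row, so the guidance for blocking the Store tells the admin to toggle the camera. Since this hunk already rewrites the adjacent row, fix this one in the same change, for example "You can allow or block access to the Microsoft Store by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy."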
@@ -754,13 +754,13 @@ For more information about Group Policy, see [Group Policy Planning and Deployme ### Configure settings by using Intune -Now, you’re ready to configure settings using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. +Now, you’re ready to configure settings using Intune. The steps in this section assume that you've an Office 365 subscription. You'll configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. For more information about Intune, see [Documentation for Microsoft Intune](/mem/intune/). #### To configure Intune settings -1. Check your Intune licensing. If you have a Microsoft 365 subscription, you may already have Intune. For more information, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses). +1. Check your Intune licensing. If you've a Microsoft 365 subscription, you may already have Intune. For more information, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses). 2. Enroll devices in Microsoft Intune. For more information on your enrollment options, see [Intune enrollment methods for Windows devices](/mem/intune/enrollment/windows-enrollment-methods). 3. Configure the [compliance settings](/mem/intune/protect/device-compliance-get-started) and [configuration settings](/mem/intune/configuration/device-profiles) that meet your school system's needs. 4. Use the reporting features in Intune to monitor devices. For more information, see [Intune reports](/mem/intune/fundamentals/reports). 
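Review bot: the contractions introduced in this hunk ("you've an Office 365 subscription", "If you've a Microsoft 365 subscription") are not idiomatic: contracting "have" reads naturally only when it is an auxiliary ("you've configured"), not when it is the main verb meaning possess. Keep "you have an Office 365 subscription" and "If you have a Microsoft 365 subscription". The same pattern appears in the Group Policy hunk just above ("you've an AD DS infrastructure") and in the deployment best-practices hunk of edu-deployment-recommendations.md ("If you've students or school personnel"), and should be reverted there as well.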
@@ -814,7 +814,7 @@ In most instances, deployments occur without incident. Only in rare occasions do ### Set up printers -After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. +After you've deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. > [!NOTE] > If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. @@ -832,7 +832,7 @@ After you have deployed Windows 10, the devices are almost ready for use. First, ### Verify deployment -As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following: +As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following requirements: - The device can connect to the Internet and view the appropriate web content in Microsoft Edge. - Windows Update is active and current with software updates. 
@@ -842,7 +842,7 @@ As a final quality control step, verify the device configuration to ensure that - All Windows desktop apps are properly installed and updated. - Printers are properly configured. -When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. +When you've verified that the first device is properly configured, you can move to the next device and perform the same steps. ### Summary @@ -850,7 +850,7 @@ You prepared the devices for deployment by verifying that they have adequate sys ## Maintain Windows devices and Office 365 -After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: +After the initial deployment, you'll need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: - **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. - **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. @@ -866,7 +866,7 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour | Verify that Windows Update is active and current with operating system and software updates.

              For more information about completing this task, see:

              - Intune: See [Keep Windows PCs up to date with software updates in Microsoft Intune](https://www.microsoft.com/en-us/insidetrack/keeping-windows-10-devices-up-to-date-with-microsoft-intune-and-windows-update-for-business)
              - Group Policy: See [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb)
              - Windows Server Update Services (WSUS): See [Deploy Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services)
              - Neither Intune, Group Policy, or WSUS: See [Update Windows](https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender is active and current with malware Security intelligence.

              For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection) and [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)). | ✔️ | ✔️ | ✔️ | | Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

              For more information about completing this task, see [Protect my PC from viruses](https://support.microsoft.com/windows/protect-my-pc-from-viruses-b2025ed1-02d5-1e87-ba5f-71999008e026). | ✔️ | ✔️ | ✔️ | -| Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

              For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | +| Verify that you're using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

              For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](/windows/deployment/update/). | | ✔️ | ✔️ | | Refresh the operating system and apps on devices.

              For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. | | ✔️ | ✔️ | | Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

              For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | | Install new or update existing Microsoft Store apps that are used in the curriculum.

              Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

              You can also deploy Microsoft Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. | | ✔️ | ✔️ | @@ -880,7 +880,7 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour ### Summary -Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By running these maintenance tasks, you help ensure that your school stays secure and is configured as you specified. +Now, you've identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By running these maintenance tasks, you help ensure that your school stays secure and is configured as you specified. ## Related resources diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 03a761c858..fb2c72d34b 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md 
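Review bot: two small defects remain in the Table 13 rows that the "you're using" hunk touches and would be cheap to fix while the file is open: the Windows Defender row ends its second link with a doubled closing parenthesis ("...configure-real-time-protection-microsoft-defender-antivirus))"), which renders a stray ")" after the link text, and the Windows Update row's "Neither Intune, Group Policy, or WSUS" should read "Neither Intune, Group Policy, nor WSUS".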
@@ -1,6 +1,6 @@ --- title: Deployment recommendations for school IT administrators -description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. +description: Provides guidance on ways to customize the OS privacy settings, and some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft. keywords: Windows 10 deployment, recommendations, privacy settings, school ms.mktglfcycl: plan ms.sitesec: library 
@@ -19,9 +19,9 @@ ms.prod: w10 - Windows 10 -Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. Also see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) for more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search. +Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, and some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. For more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). -We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). 
+We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). ## Deployment best practices @@ -33,7 +33,7 @@ Keep these best practices in mind when deploying any edition of Windows 10 in sc * IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store. -* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. +* If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. ## Windows 10 Contacts privacy settings 
@@ -63,7 +63,7 @@ To turn off access to contacts for all apps on individual Windows devices: 3. Turn off **Let apps access my contacts**. -For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To do this: +For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To turn off the setting: 1. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**. @@ -75,7 +75,7 @@ If you want to allow only certain apps to have access to contacts, you can use t ![Choose apps with access to contacts.](images/win10_settings_privacy_contacts_apps.png) -The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts. +The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you've installed and which of these apps access contacts. To allow only certain apps to have access to contacts, you can: 
@@ -94,7 +94,7 @@ The Skype app replaces the integration of Skype features into Skype video and Me With the Xbox app, students can use their Xbox profiles to play and make progress on their games using their Windows-based device. They can also unlock achievements and show off to their friends with game clips and screenshots. The Xbox app requires a Microsoft account, which is a personal account. -Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox are not manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories. +Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox aren't manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories. If the school allows the use of personal or Microsoft account in addition to organization accounts, we also recommend that IT administrators inform parents and students that they can optionally remove any identifying information from the directories by: 
@@ -123,13 +123,13 @@ To manage and edit your profile in the Skype UWP app, follow these steps: 4. Review the information in each section and click **Edit profile** in either or both the **Personal information** and **Contact details** sections to change the information being shared. You can also remove the checks in the **Profile settings** section to change settings on discoverability, notifications, and staying in touch. -5. If you do not wish the name to be included, edit the fields and replace the fields with **XXX**. +5. If you don't wish the name to be included, edit the fields and replace the fields with **XXX**. 6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. - ![Skype profile icon.](images/skype_uwp_manageprofilepic.png) + ![The icon for Skype profile.](images/skype_uwp_manageprofilepic.png) - * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**). + * To take a new picture, click the camera icon in the pop-up window. To upload a new picture, click the three dots (**...**). * You can also change the visibility of the profile picture between public (everyone) or for contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**. 
@@ -148,7 +148,7 @@ If you want to delete either (or both) the Skype and the Xbox accounts, here’s To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](https://go.microsoft.com/fwlink/?LinkId=816515) -If you need help deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can: +If you need help with deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can: 1. Select a help topic (**Account and Password**) 2. Select a related problem (**Deleting an account**) diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index f4ea0cf4ef..7909586e9b 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -151,7 +151,7 @@ For info on how to distribute **Minecraft: Education Edition**, see [For teacher Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**. -### Purchase additional licenses +### Purchase more licenses Applies to: IT admins and teachers You can manage current app licenses, or purchase more licenses for apps in **Apps & software**. 
@@ -164,7 +164,7 @@ You'll have a summary of current license availability. **Minecraft: Education Edition subscriptions** -Similarly, you can purchase additional subscriptions of **Minecraft: Education Edition** through Microsoft Store for Business. Find **Minecraft: Education Edition** in your inventory and use the previous steps for purchasing additional app licenses. +Similarly, you can purchase more subscriptions of **Minecraft: Education Edition** through Microsoft Store for Business. Find **Minecraft: Education Edition** in your inventory and use the previous steps for purchasing more app licenses. ## Manage order history Applies to: IT admins and teachers diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index a89e29de02..2ce2c20be3 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
@@ -36,7 +36,7 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio - **Minecraft: Education Edition** requires Windows 10. - Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD). - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**. - - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan) + - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office) - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription) diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index 96f9d8e6e5..cb2e995ef3 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md 
@@ -15,11 +15,11 @@ author: dansimp --- # Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode -The S mode switch motion enables users to switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode. This gives users access to the Microsoft Store for Education as well as other Education offers. +The S mode switch motion enables users to switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode. This gives users access to the Microsoft Store for Education and to other Education offers. ## Benefits of Windows 10 Pro in S mode for Education -S mode is an enhanced security mode of Windows 10 – streamlined for security and superior performance. With Windows 10 in S mode, everyone can download and install Microsoft-verified apps from the Microsoft Store for Education – this keep devices running fast and secure day in and day out. +S mode is an enhanced security mode of Windows 10 – streamlined for security and superior performance. With Windows 10 in S mode, everyone can download and install Microsoft-verified apps from the Microsoft Store for Education – this mode keeps devices running fast and secure day in and day out. - **Microsoft-verified security** - It reduces risk of malware and exploitations that harm students and educators, because only Microsoft-verified apps can be installed. - **Performance that lasts** - Provides all-day battery life to keep students on task and not tripping over cords. Also, verified apps won’t degrade device performance over time. diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 5fc9b496f6..6ba860cd94 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md 
@@ -73,7 +73,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft). -If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](./education-scenarios-store-for-business.md#purchase-additional-licenses). +If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](./education-scenarios-store-for-business.md#purchase-more-licenses). ### Minecraft: Education Edition - volume licensing @@ -126,7 +126,7 @@ After you've finished the purchase, you can find your invoice by checking **Mine 4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf. - ![Minecraft: Education Edition app details page with view invoice bills link highlighted.](images/mcee-invoice-bills.png) + ![Minecraft: The page displaying details of the Education Edition app with view bills link highlighted.](images/mcee-invoice-bills.png) The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. 
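Review bot: updating the anchor to `#purchase-more-licenses` correctly tracks the heading renamed in education-scenarios-store-for-business.md, but the link text and the surrounding sentence still say "additional licenses", so the rendered link reads "Purchase additional licenses" while it points at a heading titled "Purchase more licenses". Change the line to "If you need more licenses for **Minecraft: Education Edition**, see [Purchase more licenses](./education-scenarios-store-for-business.md#purchase-more-licenses)." It is also worth checking that no other page still links to the old `#purchase-additional-licenses` fragment, since renaming a heading silently breaks every inbound anchor that is not updated in the same change.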
@@ -166,9 +166,10 @@ For Minecraft: Education Edition, you can use auto assign subscription to contro ![Minecraft Education Edition product page with auto assign control highlighted.](images/mcee-auto-assign-legacy.png) -Or- - - ![Minecraft Education Edition product page with auto assign control highlighted-2](images/mcee-auto-assign-bd.png) -3. Slide the **Auto assign subscription** or click **Turn off auto assign subscription**. + + ![The page of the Minecraft Education Edition product with auto assign control highlighted.](images/mcee-auto-assign-bd.png) + +3. Slide the **Auto assign subscription** or select **Turn off auto assign subscription**. ### Install for me @@ -248,6 +249,7 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. ![Microsoft Store app showing the Download.](images/mc-dnld-others-teacher.png) + 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. 4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 02198518ca..f1a4be1df2 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md 
@@ -50,7 +50,7 @@ option, select the teachers and IT staff to allow them to connect to Azure AD. ![Select the users you want to let join devices to Azure AD.](images/suspc-enable-shared-pc-1807.png) -You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff. +You can also create an account that holds the exclusive rights to join devices. When a student PC has to be set up, provide the account credentials to the appropriate teachers or staff. ## All Device Settings 
@@ -59,10 +59,10 @@ The following table describes each setting within **Device Settings**. | Setting | Description | |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Users may join devices to Azure AD | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. | -| Additional local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant additional local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. | -| Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you are enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. | +| More local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. | +| Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. 
In this case, **All** is automatically selected for you. | | Require Multi-Factor Authentication to join devices | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication. | -| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before additional ones are added. | +| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added. | | Users may sync settings and enterprise app data | Allow all or none of your users to sync settings and app data across multiple devices. Tenants with Azure AD Premium are permitted to select specific users to allow. | ## Clear Azure AD tokens diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index adc21bf1b4..328e6c3c68 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md 
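Review bot: the changed row in the -59 hunk renames the setting from "Additional local administrators on Azure AD joined devices" to "More local administrators on Azure AD joined devices", but the first column of this table is the setting name as shown in the Azure AD Device settings blade, so the rewritten label no longer matches what an admin sees in the portal. Keep the UI label verbatim and apply the wording rule only to the Description column (the "Grant extra local administrator rights" change is fine).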
@@ -31,17 +31,17 @@ For a more detailed look at the policies, see the Windows article [Set up shared |Policy name|Default value|Description| |---------|---------|---------| -|Enable Shared PC mode|True| Configures the PCs so they are in shared PC mode.| -|Set education policies | True | School-optimized settings are applied to the PCs so that they are appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). | +|Enable Shared PC mode|True| Configures the PCs so they're in shared PC mode.| +|Set education policies | True | School-optimized settings are applied to the PCs so that they're appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). | |Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. | -|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they have not signed in within the number of days specified by inactive threshold policy. 
| +|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they haven't signed in within the number of days specified by inactive threshold policy. | |Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | -|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and does not delete accounts. | +|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and doesn't delete accounts. | |Enable account manager | True | Enables automatic account management. | -|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account has not signed in, it will be deleted. +|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. 
|Kiosk Mode AMUID | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. | |Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | -|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy does not prevent students from saving on the PCs local hard drive. | +|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. | |Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | |Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.| |Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | 
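Review bot: the + line for the Restrict local storage row keeps the possessive error "on the PCs local hard drive"; since the row is already being edited, change it to "on the PC's local hard drive". The Deletion policy + line also still ends with a subjectless sentence ("Also deletes accounts if they haven't signed in ..."); consider "Accounts that haven't signed in within the number of days set by the inactive threshold policy are also deleted."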
@@ -67,12 +67,12 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client | Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | | Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. | | Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | -| Allow developer unlock | Disabled | Students cannot unlock the PC and use it in developer mode | -| Allow Cortana | Disabled | Cortana is not allowed on the device. | -| Allow manual MDM unenrollment | Disabled | Students cannot remove the mobile device manager from their device. | -| Settings page visibility | Enabled | Specific pages in the System Settings app are not visible or accessible to students. | -| Allow add provisioning package | Disabled | Students cannot add and upload new provisioning packages to their device. | -| Allow remove provisioning package | Disabled | Students cannot remove packages that you've uploaded to their device, including the Set up School PCs app | +| Allow developer unlock | Disabled | Students can't unlock the PC and use it in developer mode | +| Allow Cortana | Disabled | Cortana isn't allowed on the device. | +| Allow manual MDM unenrollment | Disabled | Students can't remove the mobile device manager from their device. | +| Settings page visibility | Enabled | Specific pages in the System Settings app aren't visible or accessible to students. | +| Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. 
| +| Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app | | Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. | | Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | | Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. | @@ -84,7 +84,7 @@ For a more detailed look of each policy listed, see [Policy CSP](/windows/client | Updates Windows | Nightly | Sets Windows to update on a nightly basis. | ## Apps uninstalled from Windows 10 devices -Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include: +Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include: * Mixed Reality Viewer @@ -111,7 +111,7 @@ The time it takes to install a package on a device depends on the: * Strength of network connection * Number of policies and apps within the package -* Additional configurations made to the device +* Other configurations made to the device Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision. 
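Review bot: the + line in the -84 hunk changes "are not" to "aren't" but leaves the capitalization typo "ALl apps uninstalled from Windows 10 devices include:" in the same touched line; fix it to "All" in this edit.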
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 328b2f80a1..cbad40867b 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -1,6 +1,6 @@ --- title: Set up student PCs to join domain -description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. +description: Learn how to use Configuration Designer to provision student devices to join Active Directory. keywords: school, student PC setup, Windows Configuration Designer ms.prod: w10 ms.mktglfcycl: plan 
@@ -29,12 +29,12 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( 1. In the **Account Management** step: > [!WARNING] - > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + > If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you'll have to reimage the device and start over. As a best practice, we recommend: > - Use a least-privileged domain account to join the device to the domain. > - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. > - [Use Group Policy to delete the temporary administrator account](/archive/blogs/canitpro/group-policy-creating-a-standard-local-admin-account) after the device is enrolled in Active Directory. -2. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**. +2. After you're done with the wizard, don't click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**. 3. Find the **SharedPC** settings group. - Set **EnableSharedPCMode** to **TRUE** to configure the PC for shared use. 4. (Optional) To configure the PC for secure testing, follow these steps. 
@@ -58,7 +58,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( 5. To configure other settings to make Windows education ready, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) and follow the guidance on what settings you can set using Windows Configuration Designer. 6. Follow the steps to [build a package](/windows/configuration/provisioning-packages/provisioning-create-package#build-package). - - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). + - You'll see the file path for your provisioning package. By default, this path is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). - Copy the provisioning package to a USB drive. > [!IMPORTANT] diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index f0bb65fa78..30b657f9b6 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -223,5 +223,5 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Isn't Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)   \ No newline at end of file diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index d1af5ba608..3e83e12653 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md 
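Review bot: the + line in the -58 hunk keeps the default location as %windir%\Users\...; %windir% resolves to the Windows directory (for example C:\Windows), which has no Users folder, so this path cannot be correct as written. User profiles live under %SystemDrive%\Users (that is, %USERPROFILE%), so rewrite the prefix accordingly. The escaped "\*" markers around *your_username* and *Project name* also render as literal asterisks; check what the intended italics were.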
@@ -23,13 +23,13 @@ manager: dansimp Take a Test is an app that locks down the PC and displays an online assessment web page. -Whether you are a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments +Whether you're a teacher or IT administrator, you can easily configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment for more secure online assessments. This environment means that students taking the tests that don’t have copy/paste privileges, can’t access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher’s preferred assessment website to deliver digital assessments Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](/windows/uwp/apps-for-education/take-a-test-api). ## PC lockdown for assessment - When the assessment page initiates lock down, the student’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. 
The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app will not be above lock and won't have any of the policies applied. + When the assessment page initiates lock down, the student’s desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app . After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lockdown. The lockdown process is atomic, which means that if any part of the lockdown operation fails, the app won't be above lock and won't have any of the policies applied. When running above the lock screen: - The app runs full screen with no chrome 
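Review bot: the + line in the -23 hunk still carries the grammar errors of the original: "students taking the tests that don't have copy/paste privileges, can't access to files and applications", and the paragraph ends without a period. Suggest "students taking the tests don't have copy/paste privileges, can't access files and applications, and are free from distractions" and a period after "deliver digital assessments". The lockdown + line likewise keeps the stray space in "the Take a Test app ." and mixes "lock down" and "lockdown" for the same noun.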
@@ -49,19 +49,19 @@ When Take a Test is running, the following MDM policies are applied to lock down | AllowToasts | Disables toast notifications from being shown | 0 | | AllowAppStoreAutoUpdate | Disables automatic updates for Microsoft Store apps that are installed on the PC | 0 | | AllowDeviceDiscovery | Disables UI for screen sharing | 0 | -| AllowInput Panel | Disables the onscreen keyboard which will disable auto-fill | 0 | +| AllowInput Panel | Disables the onscreen keyboard, which will disable auto-fill | 0 | | AllowCortana | Disables Cortana functionality | 0 | | AllowAutoupdate | Disables Windows Update from starting OS updates | 5 | ## Group Policy -To ensure Take a Test activates correctly, make sure the following Group Policy are not configured on the PC. +To ensure Take a Test activates correctly, make sure the following Group Policy aren't configured on the PC. | Functionality | Group Policy path | Policy | | --- | --- | --- | -| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Do not Require CTRL+ALT+DEL | +| Require Ctrl+Alt+Del | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Don't Require CTRL+ALT+DEL | | Disable lock screen notifications | Computer Configuration\Administrative Templates\System\Logon | Turn off app notifications on the lock screen | -| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Do not display the lock screen | +| Disable lock screen | Computer Configuration\Administrative Templates\Control Panel\Personalization | Don't display the lock screen | | Disable UAC | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | User Account Control: Run all administrators in Admin Approval Mode | | Disable local workstation | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options | 
Remove Lock Computer | @@ -75,7 +75,7 @@ When Take a Test is running, the following functionality is available to student - Full screen mode is compatible -- The student can press Alt+Tab when locked down. This results in the student being able to switch between the following: +- The student can press Alt+Tab when locked down. This key press results in the student being able to switch between the following elements: - Take a Test - Assistive technology that may be running @@ -101,8 +101,8 @@ Starting with Windows 10, version 1709 (Fall Creators Update), assessments can n When permissive mode is triggered in lockdown mode, Take a Test transitions from lockdown mode to running windows mode on the user's desktop. The student can then run allowed apps during the test. -When running tests in this mode, keep the following in mind: -- Permissive mode is not supported in kiosk mode (dedicated test account). +When running tests in this mode, keep the following points in mind: +- Permissive mode isn't supported in kiosk mode (dedicated test account). - Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode. ## Learn more diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index b32de08fcb..fe484ddf82 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
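Review bot: the + lines in the -49 hunk rewrite two Group Policy names, "Interactive logon: Do not Require CTRL+ALT+DEL" and "Do not display the lock screen", into "Don't ..." forms, but the Policy column lists the settings by the names shown in the Group Policy editor, so an admin searching for "Don't require CTRL+ALT+DEL" will not find them. Keep policy names verbatim and apply the contraction rule only to prose; the intro + line should also read "make sure the following Group Policy settings aren't configured" rather than "Group Policy aren't". While the table is being touched, the "AllowInput Panel" row keeps a stray space in the policy name; the MDM policy is AllowInputPanel.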
@@ -30,12 +30,12 @@ To configure a dedicated test account on multiple PCs, select any of the followi - [Configuration in Intune for Education](#set-up-a-test-account-in-intune-for-education) - [Mobile device management (MDM) or Microsoft Endpoint Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager) - [Provisioning package created through Windows Configuration Designer](#set-up-a-test-account-through-windows-configuration-designer) -- [Group Policy to deploy a scheduled task that runs a Powershell script](#create-a-scheduled-task-in-group-policy) +- [Group Policy to deploy a scheduled task that runs a PowerShell script](#create-a-scheduled-task-in-group-policy) ### Set up a test account in the Set up School PCs app If you want to set up a test account using the Set up School PCs app, configure the settings in the **Set up the Take a Test app** page in the Set up School PCs app. Follow the instructions in [Use the Set up School PCs app](use-set-up-school-pcs-app.md) to configure the test-taking account and create a provisioning package. -If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. +If you set up Take a Test, the **Take a Test** button is added on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. **Figure 1** - Configure Take a Test in the Set up School PCs app 
@@ -62,7 +62,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow ![Add information about the test profile.](images/i4e_takeatestprofile_newtestaccount.png) - After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. + After you save the test profile, you'll see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. 4. In the test account page, click **Groups**. @@ -130,7 +130,7 @@ To set up a test account through Windows Configuration Designer, follow these st 1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). 2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account. - 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**. + 1. After you're done with the wizard, don't click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtime settings**. 2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. 3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. 
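Review bot: the AssignedAccessSettings value in the -130 hunk's context line, {"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}, uses a curly opening quote before the AUMID, which makes the JSON invalid if copied as shown, and the spaces inside the quotes become part of the AUMID string. Since this file is being edited, replace the curly quote with a straight one and drop the padding spaces.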
@@ -150,13 +150,13 @@ To set up a test account through Windows Configuration Designer, follow these st 3. Follow the steps to [build a package](/windows/configuration/provisioning-packages/provisioning-create-package#build-package). - - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). + - You'll see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). - Copy the provisioning package to a USB drive. 4. Follow the steps in [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) to apply the package that you created. ### Set up a tester account in Group Policy -To set up a tester account using Group Policy, first create a Powershell script that configures the tester account and assessment URL, and then create a scheduled task to run the script. +To set up a tester account using Group Policy, first create a PowerShell script that configures the tester account and assessment URL, and then create a scheduled task to run the script. #### Create a PowerShell script This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to: 
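Review bot: the + line in the -150 hunk keeps "By default, this is set to %windir%\Users\..." while the identical sentence in set-up-students-pcs-to-join-domain.md (the -58 hunk above) was changed to "this path is set to"; make the two files consistent. The same %windir% problem applies here: user profiles are under %SystemDrive%\Users, not under the Windows directory, so the path prefix should be corrected in both places.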
@@ -209,9 +209,9 @@ Anything hosted on the web can be presented in a locked down manner, not just as 1. Create the link to the test using schema activation. - Create a link using a web UI - For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers. + For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this option for teachers. - To get started, go here: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link). + To get started, navigate to: [Create a link using a web UI](https://aka.ms/create-a-take-a-test-link). - Create a link using schema activation 
@@ -245,17 +245,17 @@ One of the ways you can present content in a locked down manner is by embedding If you exclude these parameters, the default behavior is disabled. - For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. + For tests that utilize the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that aren't allowed to run during lockdown. The test web application may lock down the device once you've closed the apps. > [!NOTE] > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters. -3. To enable permissive mode, do not include `enforceLockdown` in the schema parameters. +3. To enable permissive mode, don't include `enforceLockdown` in the schema parameters. For more information, see [Permissive mode](take-a-test-app-technical.md#permissive-mode). ### Create a shortcut for the test link -You can also distribute the test link by creating a shortcut. To do this, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps: +You can also distribute the test link by creating a shortcut. To create the shortcut, create the link to the test by either using the [web UI](https://aka.ms/create-a-take-a-test-link) or using [schema activation](#create-a-link-using-schema-activation). After you have the link, follow these steps: 1. 
On a device running Windows, right-click on the desktop and then select **New > Shortcut**. 2. In the **Create Shortcut** window, paste the assessment URL in the field under **Type the location of the item**. diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 6f0d1d4341..8d9850ce64 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -29,7 +29,7 @@ To get started, go to https://education.minecraft.net/ and select **GET STARTED* ## Try Minecraft: Education Edition for Free -Minecraft: Education Edition is available for anyone to try for free! The free trial is fully-functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. +Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing. To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**. @@ -47,7 +47,7 @@ As a teacher, you may purchase subscription licenses for you and your students d You can purchase individual Minecraft: Education Edition subscriptions for you and other teachers and students directly in the Microsoft Store for Education. -To purchase individual Minecraft: Education Edition subscriptions (i.e. direct purchase): +To purchase individual Minecraft: Education Edition subscriptions (that is, direct purchase): 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your Office 365 account. 2. Click on [Minecraft: Education Edition](https://educationstore.microsoft.com/en-us/store/details/minecraft-education-edition/9nblggh4r2r6) (or use Search the Store to find it) 
@@ -109,14 +109,14 @@ Students will receive an email with a link that will install the app on their PC After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) + ![Microsoft Store app directing the navigation to My Library.](images/minecraft-private-store.png) When students click **My Library** they'll find apps assigned to them. ![My Library for example student.](images/minecraft-my-library.png) ### Download for others -Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: +Download for others allows teachers or IT admins to download packages that they can install on student PCs. This option will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when: - You have administrative permissions to install apps on the PC. - You want to install this app on each of your student's Windows 10 (at least version 1511) PCs. - Your students share Windows 10 computers, but sign in with their own Windows account. 
@@ -126,17 +126,17 @@ Download for others allows teachers or IT admins to download a packages that the - Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition. #### Check for updates -Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps. +Minecraft: Education Edition won't install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps. **To check for app updates** 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**). 2. Click the account button, and then click **Downloads and updates**. - ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) + ![Microsoft Store app displaying the navigation to the My Library option.](images/minecraft-private-store.png) 3. Click **Check for updates**, and install all available updates. - ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png) + ![Microsoft Store app directing the navigation to the My Library submenu item.](images/mc-check-for-updates.png) 4. Restart the computer before installing Minecraft: Education Edition. 
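Review bot: the alt-text + lines in the -126 hunk don't describe the screenshots at those steps: step 2 is "Downloads and updates" and step 3 is "Check for updates", yet both alt texts talk about the My Library option, and minecraft-private-store.png now has a different alt text here than in the -109 hunk ("directing the navigation to My Library"). Use alt text that names what the image shows for that step (for example "Microsoft Store app with the Downloads and updates menu item" and "Microsoft Store app with the Check for updates button"), and reuse one alt text for the same image file.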
@@ -145,9 +145,9 @@ You'll download a .zip file, extract the files, and then use one of the files to 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**. - ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png) + ![Microsoft Store app depicting the navigation path to the My Library option.](images/mc-dnld-others-teacher.png) -2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. +2. **Extract files**. Find the .zip file that you downloaded and extract the files. This downloaded location is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. 4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. 5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install. 
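Review bot: the alt text for images/mc-dnld-others-teacher.png in step 1 refers to "the My Library option", but the step shows the Download for others tab; the alt text should name that tab instead. In step 2, "This downloaded location is usually your Downloads folder" is awkward; "The file is usually in your Downloads folder" says the same thing. Because step 4 has the reader run InstallMinecraftEducationEdition.bat as administrator from a USB copy, it is worth adding one sentence in that step that only the folder extracted from the Store download should be copied and run, so an admin-level script is not picked up from an unrelated location.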
@@ -163,10 +163,10 @@ If you ran **InstallMinecraftEducationEdition.bat** and Minecraft: Education Edi | App won't install. | AppLocker is configured and preventing app installs. | Contact IT Admin. | | App won't install. | Policy prevents users from installing apps on the PC. | Contact IT Admin. | | Script starts, but stops quickly. | Policy prevents scripts from running on the PC. | Contact IT Admin. | -| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app will not be available.| Restart PC.
              Run **InstallMinecraftEducationEdition.bat** again.
              If a restart doesn't work, contact your IT Admin. | +| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app won't be available.| Restart PC.
              Run **InstallMinecraftEducationEdition.bat** again.
              If a restart doesn't work, contact your IT Admin. | -If you are still having trouble installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757). +If you're still having trouble installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757). ## Related topics diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index e81f1a2194..87443100ce 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md 
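Review bot: the Solution cell of the "App isn't available for other users" row appears to span three physical lines ("Restart PC.", "Run **InstallMinecraftEducationEdition.bat** again.", "If a restart doesn't work, contact your IT Admin."); a Markdown table row must sit on one line, so if the source really has line breaks here rather than `<br>` separators, join the three instructions with `<br>` while this row is being edited, otherwise the row will not render as part of the table.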
@@ -19,23 +19,23 @@ manager: dansimp **Applies to:** - Devices running Windows 10, version 1709: Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, Windows 10 Enterprise -The Windows 10 in S mode self-installer will allow you to test Windows 10 in S mode on a variety of individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Please test Windows 10 in S mode on a variety of devices in your school and share your feedback with us. +The Windows 10 in S mode self-installer will allow you to test Windows 10 in S mode on various individual Windows 10 devices (except Windows 10 Home) with a genuine, activated license[1](#footnote1). Test Windows 10 in S mode on various devices in your school and share your feedback with us. Windows 10 in S mode is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2). -Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verified by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted and you will only be able to install apps from the Microsoft Store. +Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verified by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. 
Certain default settings, features, and apps can't be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted and you'll only be able to install apps from the Microsoft Store. -**Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). +**Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these configurations, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). **Installing Office 365 for Windows 10 in S mode (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store. -As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 in S mode](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f). +As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they're installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 in S mode](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f). 
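Review bot: the missing space in "once they're installed.To learn more" is carried over from the old line into the new one; since this sentence is being rewritten anyway, insert the space after "installed." The rest of the hunk (dropping "Please", "various" for "a variety of", "how to do these configurations") reads fine.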
## Before you install Windows 10 in S mode ### Important information -Before you install Windows 10 in S mode, be aware that non-Microsoft Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode: +Before you install Windows 10 in S mode, be aware that non-Microsoft Store apps won't work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode: * Is intended for education customers to test compatibility with existing hardware * May not work with some device drivers, which may not yet be ready for Windows 10 in S mode and may cause some loss in functionality * May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function @@ -44,7 +44,7 @@ Before you install Windows 10 in S mode, be aware that non-Microsoft Store apps > [!WARNING] > You can install Windows 10 in S mode on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 in S mode on Windows 10 Home devices as you won't be able to activate it. -* Will not run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased +* Won't run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media. 
@@ -55,11 +55,11 @@ Before you install Windows 10 in S mode on your existing Windows 10 Pro, Windows * Install the latest Windows Update. - To do this, go to **Settings > Update & security > Windows Update**. + To do this task, go to **Settings > Update & security > Windows Update**. * Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 in S mode. - See [Create a recovery drive](#create-a-recovery-drive) for information on how to do this. + For more information on how to create the system backup, see [Create a recovery drive](#create-a-recovery-drive). ## Supported devices @@ -69,7 +69,7 @@ The Windows 10 in S mode install will install and activate on the following edit * Windows 10 Education * Windows 10 Enterprise -Other Windows 10 editions cannot be activated and are not supported. If your device is not running one of these supported Windows 10 editions, do not proceed with using the Windows 10 in S mode installer. Windows 10 N editions and running in virtual machines are not supported by the Windows 10 in S mode installer. +Other Windows 10 editions can't be activated and aren't supported. If your device isn't running one of these supported Windows 10 editions, don't proceed with using the Windows 10 in S mode installer. Windows 10-N editions and running in virtual machines aren't supported by the Windows 10 in S mode installer. ### Preparing your device to install drivers 
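Review bot: "Windows 10-N editions" in the Supported devices hunk introduces a hyphen that the product name does not have; keep "Windows 10 N editions" as in the original line. The contraction changes in both hunks are otherwise fine.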
@@ -109,23 +109,23 @@ Back up all your data before installing Windows 10 in S mode. Only personal file ## Domain join -Windows 10 in S mode does not support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts: +Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts: - Local administrator - Microsoft Account (MSA) administrator - Azure Active Directory administrator > [!WARNING] -> If you don't have one of these administrator accounts accessible before migration, you will not be able to log in to your device after migrating to Windows 10 in S mode. +> If you don't have one of these administrator accounts accessible before migration, you'll not be able to log in to your device after migrating to Windows 10 in S mode. We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 in S mode in case you run into this issue. ## Installing Office applications -After installing Windows 10 in S mode, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 in S mode (Education preview). You must have an Office license to activate the applications once they are installed. +After installing Windows 10 in S mode, use the free [Set up School PCs app](use-set-up-school-pcs-app.md) to install Office 365 for Windows 10 in S mode (Education preview). You must have an Office license to activate the applications once they're installed. ## Switch to previously installed Windows 10 editions -If Windows 10 in S mode is not right for you, you can switch to the Windows 10 edition previously installed on your device(s). +If Windows 10 in S mode isn't right for you, you can switch to the Windows 10 edition previously installed on your device(s). 
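Review bot: "you'll not be able to log in" in the rewritten warning is unidiomatic; use "you won't be able to sign in" (the other hunks in this PR already prefer "sign in"). This warning is the one line that tells the reader how to avoid locking themselves out of the device after migration, so its wording should be the clearest in the section.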
* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](change-to-pro-education.md). * If you try Windows 10 in S mode and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10). 
@@ -140,21 +140,21 @@ To create a recovery drive, follow these steps. 2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then click **Next**. 3. Connect a USB drive to your PC, select it, and then select **Next > Create**. - A lot of files need to be copied to the recovery drive so this might take a while. + Many files need to be copied to the recovery drive; so this process might take a while. 4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link and then select **Delete**. If not, select **Finish**. ### Go back to your previous edition of Windows 10 -Alternatively, for a period of 10 days after you install Windows 10 in S mode, you have the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This will keep your personal files, but it will remove installed apps as well as any changes you made to **Settings**. +Alternatively, for 10 days after you install Windows 10 in S mode, you've the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This revert operation will keep your personal files, but it will remove installed apps and any changes you made to **Settings**. To go back, you need to: * Keep everything in the windows.old and $windows.~bt folders after the upgrade. * Remove any user accounts you added after the upgrade. -If going back is not available: -* Check if you can restore your PC to factory settings. This will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**. 
-* If you have a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install. +If going back isn't available: +* Check if you can restore your PC to factory settings. This restoration will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**. +* If you've a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install. After going back to your previous edition of Windows 10, you may receive the following message when launching Win32 apps: @@ -162,7 +162,7 @@ After going back to your previous edition of Windows 10, you may receive the fol If you see this message, follow these steps to stop receiving the message: -1. If you have BitLocker enabled, disable it first in the Control Panel. Go to **Manage BitLocker** and select **Turn off BitLocker**. +1. If you've BitLocker enabled, disable it first in the Control Panel. Go to **Manage BitLocker** and select **Turn off BitLocker**. 2. Open Windows **Settings** and go to **Update & security > Recovery**. 3. In the **Recovery** page, find **Advanced startup** and select **Restart now** to start your PC. 4. After restarting, in the **Choose an option** page, select **Troubleshoot**. 
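Review bot: the "you have" to "you've" contractions in this hunk are wrong where "have" is the main verb: "you've the option to go back", "If you've a product key" and "If you've BitLocker enabled" should stay "you have the option", "If you have a product key" and "If you have BitLocker enabled"; contract only the auxiliary uses such as "you've already accepted". In the recovery-drive step, "Many files need to be copied to the recovery drive; so this process might take a while" should drop the semicolon: "Many files need to be copied to the recovery drive, so this might take a while."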
@@ -171,7 +171,7 @@ If you see this message, follow these steps to stop receiving the message: 7. Once you've accessed UEFI, look for the menu item labeled **Security** or **Security Settings** and navigate to it. 8. Look for an option called **Secure boot configuration**, **Secure boot**, or **UEFI Boot**. If you can't find one of these options, check the **Boot** menu. 9. Disable the secure boot/UEFI boot option. -10. Save your settings and then exit UEFI. This will restart your PC. +10. Save your settings and then exit UEFI. This exit action will restart your PC. 11. After Windows is done booting up, confirm that you no longer see the message. > [!NOTE] 
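Review bot: "This exit action will restart your PC" in step 10 is awkward; "Exiting UEFI restarts your PC" is clearer. More importantly, the procedure as shown has the reader turn off BitLocker (step 1) and Secure Boot (step 9) to clear the message, and no step in view turns either back on; unless the note after step 11 already covers it, add a closing step to re-enable Secure Boot and then BitLocker once the message no longer appears, since leaving both disabled removes the device's boot-integrity and disk-encryption protection.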
@@ -195,7 +195,7 @@ To use an installation media to reinstall Windows 10, follow these steps. If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again. 8. Select **Install now**. -9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/help/12440/windows-10-activation). +9. On the **Enter the product key to active Windows** page, enter a product key if you've one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/help/12440/windows-10-activation). 10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**. 11. On the **Which type of installation do you want?** page, select **Custom**. 12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions. 
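Review bot: the page title "Enter the product key to active Windows" in step 9 is kept verbatim in the new line but looks like a typo for "activate Windows"; verify the label against Setup and fix it here if it is wrong. Also "enter a product key if you've one" should be "if you have one", as "have" is the main verb.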
@@ -213,16 +213,16 @@ When you're ready, you can download the Windows 10 in S mode installer by clicki After you install Windows 10 in S mode, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default. ## Terms and Conditions -Because you’re installing Windows 10 in S mode on a running version of Windows 10, you have already accepted the Windows 10 Terms and Conditions. You are not required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation. +Because you’re installing Windows 10 in S mode on a running version of Windows 10, you've already accepted the Windows 10 Terms and Conditions. you'ren't required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation. ## Support -Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you are having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This is the best way to help improve Windows 10 in S mode with your feedback. +Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you're having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This feedback is the best way to help improve Windows 10 in S mode with your feedback. 
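Review bot: "you'ren't required to accept it again" in the Terms and Conditions hunk is not a valid contraction and is lowercase at sentence start; use "You aren't required to accept it again". In the Support hunk, "This feedback is the best way to help improve Windows 10 in S mode with your feedback" repeats "feedback"; "Reporting through Feedback Hub is the best way to help us improve Windows 10 in S mode" says it once.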
Common support questions for the Windows 10 in S mode test program: * **How do I activate if I don't have a Windows 10 in S mode product key?** - As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. Testing Windows 10 in S mode on a device running Windows 10 Home is not recommended and supported at this time. + As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. Testing Windows 10 in S mode on a device running Windows 10 Home isn't recommended and supported at this time. * **Will my OEM help me run Windows 10 in S mode?** 
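Review bot: "isn't recommended and supported at this time" in the activation answer should be "isn't recommended or supported at this time" (or "is neither recommended nor supported"); the negation does not distribute over "and".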
@@ -234,11 +234,11 @@ Common support questions for the Windows 10 in S mode test program: * **What if I want to move from Windows 10 in S mode to Windows 10 Pro?** - If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store. + If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you're testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store. For help with activation issues, click on the appropriate link below for support options. -* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you are seeking commercial support to contact our commercial support team. -* If you do not have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/contactus/) website and choose a support option. +* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you're seeking commercial support to contact our commercial support team. 
+* If you don't have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/contactus/) website and choose a support option.

              1 Internet access fees may apply.
              diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 6f271715c9..759d485046 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md 
@@ -22,7 +22,7 @@ manager: dansimp Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). -Beginning with version 1607, Windows 10 offers a variety of new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster log in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). +Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). 
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. @@ -35,7 +35,7 @@ For Cortana[1](#footnote1): - If you're using new devices with version 1703 or later, Cortana is turned on by default. - If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. -You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). +You can use the **AllowCortana** policy to turn off Cortana. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future). 
@@ -54,9 +54,9 @@ For Cortana1: - If you're using new devices with version 1703 or later, Cortana is turned on by default. - If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. -You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). +You can use the **AllowCortana** policy to turn off Cortana. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). -Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you do not have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628). +Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you don't have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628). Customers who deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. 
More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](/windows/configuration/manage-tips-and-suggestions) and apply desired settings for your environment. diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md index 9f73223f1d..725ba3bd9f 100644 --- a/store-for-business/billing-understand-your-invoice-msfb.md +++ b/store-for-business/billing-understand-your-invoice-msfb.md @@ -110,7 +110,7 @@ At the bottom of the invoice, there are instructions for paying your bill. You c If you have third-party services in your bill, the name and address of each publisher is listed at the bottom of your invoice. ## Next steps -If there are Azure charges on your invoice that you would like more details on, see [Understand the Azure charges on your Microsoft Customer Agreement invoice](/azure/cost-management-billing/understand/download-azure-invoice#invoices-for-mca-and-mpa-billing-accounts). +If there are Azure charges on your invoice that you would like more details on, see [Understand the Azure charges on your Microsoft Customer Agreement invoice](/azure/cost-management-billing/understand/mca-understand-your-invoice). ## Need help? Contact us. diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md index 9baef1a798..0249a8b606 100644 --- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md +++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md 
@@ -45,7 +45,7 @@ After your management tool is added to your Azure AD directory, you can configur 3. From the list of MDM tools, select the one you want to synchronize with Microsoft Store, and then click **Activate.** Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics: -- [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](/intune-classic/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune) +- [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) - [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) For third-party MDM providers or management servers, check your product documentation. \ No newline at end of file diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index 3e744d9281..38c26e9d99 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md 
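Review bot: this file still ends without a trailing newline ("\ No newline at end of file") after the link update; since the distribute-apps-with-management-tool.md hunk in this same PR fixes that for another file, fix it here too while the file is being touched.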
@@ -29,7 +29,7 @@ You can configure a mobile device management (MDM) tool to synchronize your Micr Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Microsoft Store. -In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune). +In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business). Microsoft Store services provide: 
@@ -61,4 +61,5 @@ This diagram shows how you can use a management tool to distribute an online-lic ## Related topics [Configure MDM Provider](configure-mdm-provider-microsoft-store-for-business.md) -[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](/intune-classic/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune) \ No newline at end of file + +[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](/mem/intune/apps/windows-store-for-business) diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md index d14bc10108..5555b333e4 100644 --- a/store-for-business/includes/store-for-business-content-updates.md +++ b/store-for-business/includes/store-for-business-content-updates.md 
@@ -2,21 +2,10 @@ -## Week of December 13, 2021 +## Week of April 25, 2022 | Published On |Topic title | Change | |------|------------|--------| -| 12/13/2021 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified | -| 12/13/2021 | [Change history for Microsoft Store for Business and Education](/microsoft-store/sfb-change-history) | modified | -| 12/14/2021 | [Manage user accounts in Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-users-and-groups-microsoft-store-for-business) | modified | -| 12/14/2021 | [Troubleshoot Microsoft Store for Business (Windows 10)](/microsoft-store/troubleshoot-microsoft-store-for-business) | modified | - - -## Week of November 15, 2021 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 11/16/2021 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified | -| 11/19/2021 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified | +| 4/28/2022 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified | +| 4/28/2022 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified | diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md index 717074d334..5253b14c06 100644 --- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md +++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md 
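Review bot: the two rows added under "Week of April 25, 2022" are identical ("4/28/2022 | Prerequisites for Microsoft Store for Business and Education (Windows 10) | modified" twice); keep one row, or if they are meant to record two separate edits on the same day, the table gives the reader no way to tell them apart, so collapse them.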
@@ -41,7 +41,7 @@ For more information on Azure AD, see [About Office 365 and Azure Active Directo ## Add user accounts to your Azure AD directory If you created a new Azure AD directory when you signed up for Store for Business, you'll have a directory set up with one user account - the global administrator. That global administrator can add user accounts to your Azure AD directory. However, adding user accounts to your Azure AD directory will not give those employees access to Store for Business. You'll need to assign Store for Business roles to your employees. For more information, see [Roles and permissions in the Store for Business.](roles-and-permissions-microsoft-store-for-business.md) -You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=691086) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617). +You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://portal.azure.com/) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617). For more information, see: - [Add user accounts using Office 365 admin dashboard](/microsoft-365/admin/add-users) diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index 3bdd7d61bc..fd4d4e8c20 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md 
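Review bot: only the first fwlink on the rewritten line is replaced with https://portal.azure.com/; the second, "you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617)", is still a redirector and its anchor text describes a subscription to a portal rather than to Azure. Replace or re-word the second link in the same change so the line does not mix a direct URL with an fwlink for what reads as the same destination.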
@@ -46,7 +46,7 @@ All of the **Microsoft Store for Business and Education** PowerShell cmdlets fol ## Install Microsoft Store for Business and Education PowerShell module > [!NOTE] -> Installing **Microsoft Store for Business and Education** PowerShell model using **PowerShellGet** requires [Windows Management Framework 5.0](https://www.microsoft.com/download/details.aspx?id=48729). The framework is included with Windows 10 by default). +> Installing **Microsoft Store for Business and Education** PowerShell model using **PowerShellGet** requires [Windows Management Framework 5.0](https://www.microsoft.com/download/details.aspx?id=54616). The framework is included with Windows 10 by default). To install **Microsoft Store for Business and Education PowerShell** with PowerShellGet, run this command: diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 187abb5bb8..2b8ea7784d 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md 
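Review bot: the rewritten note keeps two defects from the removed line: "PowerShell model" should read "PowerShell module", and "The framework is included with Windows 10 by default)." closes a parenthesis that was never opened. Since the only intended change is the download ID (48729 to 54616), fix both while the line is being touched.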
@@ -59,17 +59,17 @@ While not required, you can use a management tool to distribute and manage apps. If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: -- login.live.com -- login.windows.net -- account.live.com -- clientconfig.passport.net -- windowsphone.com -- \*.wns.windows.com -- \*.microsoft.com -- \*.s-microsoft.com -- www.msftncsi.com (prior to Windows 10, version 1607) -- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com +- `login.live.com` +- `login.windows.net` +- `account.live.com` +- `clientconfig.passport.net` +- `windowsphone.com` +- `\*.wns.windows.com` +- `\*.microsoft.com` +- `\*.s-microsoft.com` +- `www.msftncsi.com` (prior to Windows 10, version 1607) +- `www.msftconnecttest.com/connecttest.txt` (replaces `www.msftncsi.com` starting with Windows 10, version 1607) Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps. -For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](https://support.microsoft.com/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients). + diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md index b7490960fc..290b271595 100644 --- a/windows/application-management/app-v/appv-about-appv.md +++ b/windows/application-management/app-v/appv-about-appv.md 
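Review bot: wrapping the list entries in backticks breaks the three wildcard entries: inside a code span Markdown does not process escapes, so `\*.wns.windows.com`, `\*.microsoft.com` and `\*.s-microsoft.com` will now render with a literal backslash. Drop the backslash inside the code spans; it was only needed while the asterisk was plain text. Separately, the hunk deletes the sentence "For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](...)" and leaves an empty line after "Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps."; if the support article is retired, point to a replacement rather than leaving the WinHTTP requirement with no configuration guidance, since the readers configuring the proxy allow list above are exactly the ones who need it.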
@@ -27,8 +27,8 @@ Previous versions of the App-V Sequencer required manual sequencing and updating Using the automatic sequencer to package your apps gives you the following benefits: * **Automatic virtual machine (VM) sequencing environment provisioning**. To learn more, see [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md). -* **Package batch-sequencing**. This means that multiple apps can be sequenced at the same time, in a single group. To learn more, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). -* **Package batch-updating**. This means that multiple apps can be updated at the same time, in a single group. To learn more, see [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md). +* **Package batch-sequencing**. This benefit denotes that multiple apps can be sequenced at the same time, in a single group. To learn more, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). +* **Package batch-updating**. This benefit denotes that multiple apps can be updated at the same time, in a single group. To learn more, see [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md). ### Updates to the App-V project template 
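Review bot: "This benefit denotes that multiple apps can be sequenced at the same time" is not an improvement on "This means that"; "denotes" is the wrong verb for a plain explanation. Suggest "Multiple apps can be sequenced at the same time, in a single group." and the same form for the batch-updating bullet.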
@@ -36,7 +36,7 @@ Starting with Windows 10, version 1703, you can now save an App-V project templa ### Automatically clean up unpublished App-V packages from the App-V client -Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. To learn more, see [Automatically clean up unpublished packages on the App-V client](../app-v/appv-auto-clean-unpublished-packages.md). +Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up more storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. To learn more, see [Automatically clean up unpublished packages on the App-V client](../app-v/appv-auto-clean-unpublished-packages.md). ## What's new in App-V in Windows 10, version 1607 diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index cbda9f3cbe..6e37203bad 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md 
@@ -67,9 +67,9 @@ The App-V Client performs tasks to keep virtual applications running properly an | Copy on Write (COW) Local | %LocalAppData%\Microsoft\AppV\Client\VFS| Writeable non-roaming location for package modification.| | Machine Registry | HKLM\Software\Microsoft\AppV| Contains package state information, including VReg for machine or globally published packages (Machine hive).| | User Registry | HKCU\Software\Microsoft\AppV| Contains user package state information including VReg.| -| User Registry Classes | HKCU\Software\Classes\AppV| Contains additional user package state information.| +| User Registry Classes | HKCU\Software\Classes\AppV| Contains more user package state information.| -Additional details for the table are provided in the section below and throughout the document. +More details for the table are provided in the section below and throughout the document. ### Package store 
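Review bot: "Contains more user package state information" reads as a comparative (more than what?) where the old "additional" did not; "Contains further user package state information." or "Contains other user package state information." keeps the meaning without the ambiguity. The same substitution in the following sentence ("More details for the table are provided in the section below") reads fine.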
@@ -92,10 +92,10 @@ If the App-V Client is configured in Shared Content Store mode, no data is writt ### Package catalogs -The App-V Client manages the following two file-based locations: +The App-V Client manages the following file-based locations: - **Catalogs (user and machine).** -- **Registry locations**—depends on how the package is targeted for publishing. There is a Catalog (data store) for the computer, and a catalog for each individual user. The Machine catalog stores global information applicable to all users or any specific user, and the User catalog stores information applicable to a specific user. The catalog is a collection of Dynamic Configurations and manifest files; there is discrete data for both file and registry per package version. +- **Registry locations**—depends on how the package is targeted for publishing. There's a Catalog (data store) for the computer, and a catalog for each individual user. The Machine catalog stores global information applicable to all users or any specific user, and the User catalog stores information applicable to a specific user. The catalog is a collection of Dynamic Configurations and manifest files; there's discrete data for both file and registry per package version. ### Machine catalog @@ -103,8 +103,8 @@ The locations described in this table can be found in the %programdata%\Microsof | | Location | |:---|:---| -|**Description**|Stores package documents that are available to users on the machine when packages are added and published. However, if a package is “global” at publishing time, the integrations are available to all users.

              If a package is non-global, the integrations are published only for specific users, but there are still global resources that are modified and visible to anyone on the client computer (such as when the package directory is in a shared disk location).

              If a package is available to a user on the computer (global or non-global), the manifest is stored in the Machine Catalog. When a package is published globally, there is a Dynamic Configuration file, stored in the Machine Catalog; therefore, the determination of whether a package is global is defined according to whether there is a policy file (UserDeploymentConfiguration file) in the Machine Catalog.| -|**Default storage location**|%programdata%\Microsoft\AppV\Client\Catalog\

              This location is not the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.| +|**Description**|Stores package documents that are available to users on the machine when packages are added and published. However, if a package is “global” at publishing time, the integrations are available to all users.

              If a package is non-global, the integrations are published only for specific users, but there are still global resources that are modified and visible to anyone on the client computer (such as when the package directory is in a shared disk location).

              If a package is available to a user on the computer (global or non-global), the manifest is stored in the Machine Catalog. When a package is published globally, there's a Dynamic Configuration file, stored in the Machine Catalog; therefore, the determination of whether a package is global is defined according to whether there's a policy file (UserDeploymentConfiguration file) in the Machine Catalog.| +|**Default storage location**|%programdata%\Microsoft\AppV\Client\Catalog\

              This location isn't the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.| |**Files in the machine catalog**|- Manifest.xml
              - DeploymentConfiguration.xml
              - UserManifest.xml (Globally Published Package)
              - UserDeploymentConfiguration.xml (Globally Published Package)| |**Additional machine catalog location, used when the package is part of a connection group**|The following location is in addition to the specific package location mentioned previously as the default storage location:

              %programdata%\Microsoft\AppV\Client\Catalog\PackageGroups\ConGroupGUID\ConGroupVerGUID| |**Additional files in the machine catalog when the package is part of a connection group**|- PackageGroupDescriptor.xml
              - UserPackageGroupDescriptor.xml (globally published Connection Group)| @@ -115,7 +115,7 @@ The locations described in this table can be found in the appdata\roaming\Micros || Location | |:---|:---| -|**Description**|Created during the publishing process. Contains information used for publishing the package, and for making sure that a package is provisioned to a specific user at launch. Created in a roaming location and includes user-specific publishing information.

              When a package is published for a user, the policy file is stored in the User Catalog. At the same time, a copy of the manifest is also stored in the User Catalog. When a package entitlement is removed for a user, the relevant package files are removed from the User Catalog. Looking at the user catalog, an administrator can view the presence of a Dynamic Configuration file, which indicates that the package is entitled for that user.

              For roaming users, the User Catalog needs to be in a roaming or shared location to preserve the legacy App-V behavior of targeting users by default. Entitlement and policy are tied to a user, not a computer, so they should roam with the user once they are provisioned.| +|**Description**|Created during the publishing process. Contains information used for publishing the package, and for making sure that a package is provisioned to a specific user at launch. Created in a roaming location and includes user-specific publishing information.

              When a package is published for a user, the policy file is stored in the User Catalog. At the same time, a copy of the manifest is also stored in the User Catalog. When a package entitlement is removed for a user, the relevant package files are removed from the User Catalog. Looking at the user catalog, an administrator can view the presence of a Dynamic Configuration file, which indicates that the package is entitled for that user.

              For roaming users, the User Catalog needs to be in a roaming or shared location to preserve the legacy App-V behavior of targeting users by default. Entitlement and policy are tied to a user, not a computer, so they should roam with the user once they're provisioned.| |**Default storage location**|appdata\roaming\Microsoft\AppV\Client\Catalog\Packages\PkgGUID\VerGUID| |**Files in the user catalog**|- UserManifest.xml
              - DynamicConfiguration.xml or UserDeploymentConfiguration.xml| |**Additional user catalog location, used when the package is part of a connection group**|The following location is in addition to the specific package location mentioned above:

              appdata\roaming\Microsoft\AppV\Client\Catalog\PackageGroups\PkgGroupGUID\PkgGroupVerGUID| @@ -135,7 +135,7 @@ The COW Roaming location described above stores changes to files and directories ### COW local -The COW Local location is similar to the roaming location, but the directories and files are not roamed to other computers, even if roaming support has been configured. The COW Local location described above stores changes applicable to typical windows and not the %AppData% location. The directories listed will vary but there will be two locations for any typical Windows locations (for example, Common AppData and Common AppDataS). The **S** signifies the restricted location when the virtual service requests the change as a different elevated user from the signed-in users. The non-**S** location stores user-based changes. +The COW Local location is similar to the roaming location, but the directories and files aren't roamed to other computers, even if roaming support has been configured. The COW Local location described above stores changes applicable to typical windows and not the %AppData% location. The directories listed will vary but there will be two locations for any typical Windows locations (for example, Common AppData and Common AppDataS). The **S** signifies the restricted location when the virtual service requests the change as a different elevated user from the signed-in users. The non-**S** location stores user-based changes. ## Package registry 
@@ -151,15 +151,15 @@ When the first application from the package is launched on the client, the clien When connection groups are present, the previous process of staging the registry holds true, but instead of having one hive file to process, there are more than one. The files are processed in the order in which they appear in the connection group XML, with the first writer winning any conflicts. -The staged registry persists the same way as in the single package case. Staged user registry data remains for the connection group until it is disabled; staged machine registry data is removed on connection group removal. +The staged registry persists the same way as in the single package case. Staged user registry data remains for the connection group until it's disabled; staged machine registry data is removed on connection group removal. ### Virtual registry -The purpose of the virtual registry (VREG) is to provide a single merged view of the package registry and the native registry to applications. It also provides copy-on-write (COW) functionality—that is, any changes made to the registry from the context of a virtual process are made to a separate COW location. This means that the VREG must combine up to three separate registry locations into a single view based on the populated locations in the **registry COW** > **package** > **native**. When a request is made for a registry data it will locate in order until it finds the data it was requesting. Meaning if there is a value stored in a COW location it will not proceed to other locations, however, if there is no data in the COW location it will proceed to the Package and then Native location until it finds the appropriate data. +The purpose of the virtual registry (VREG) is to provide a single merged view of the package registry and the native registry to applications. 
It also provides copy-on-write (COW) functionality—that is, any changes made to the registry from the context of a virtual process are made to a separate COW location. This functionality means that the VREG must combine up to three separate registry locations into a single view based on the populated locations in the **registry COW** > **package** > **native**. When a request is made for a registry data it will locate in order until it finds the data it was requesting. Meaning if there's a value stored in a COW location it will not proceed to other locations, however, if there's no data in the COW location it will proceed to the Package and then Native location until it finds the appropriate data. ### Registry locations -There are two package registry locations and two connection group locations where the App-V Client stores registry information, depending on whether the Package is published individually or as part of a connection group. There are three COW locations for packages and three for connection groups, which are created and managed by the VREG. Settings for packages and connection groups are not shared: +There are two package registry locations and two connection group locations where the App-V Client stores registry information, depending on whether the Package is published individually or as part of a connection group. There are three COW locations for packages and three for connection groups, which are created and managed by the VREG. Settings for packages and connection groups aren't shared: #### Single Package VReg 
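Review bot: the `+` lines for the VREG paragraph keep two grammar problems from the removed line: "When a request is made for a registry data" should be "for registry data", and "Meaning if there's a value stored in a COW location it will not proceed to other locations, however, ..." is a fragment. Suggest: "If there's a value stored in the COW location, the lookup stops there; otherwise it proceeds to the package and then the native location until it finds the data." The paragraph is also split across two source lines after "applications." while the rest of the file keeps one paragraph per line; Markdown will render it as one paragraph either way, but the split looks accidental.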
@@ -207,7 +207,7 @@ The following locations are configured as pass-through locations by default: - HKEY\_CURRENT\_USER\\SOFTWARE\\Policies -The purpose of pass-through keys is to ensure that a virtual application does not write registry data in the VReg that is required for non-virtual applications for successful operation or integration. The Policies key ensures that Group Policy-based settings set by the administrator are utilized and not per package settings. The AppModel key is required for integration with Windows Modern UI-based applications. Administers ideally should not modify any of the default pass-through keys, but in some instances, the admin may need to add additional pass-through keys to adjust application behavior. +The purpose of pass-through keys is to ensure that a virtual application doesn't write registry data in the VReg that is required for non-virtual applications for successful operation or integration. The Policies key ensures that Group Policy-based settings set by the administrator are utilized and not per package settings. The AppModel key is required for integration with Windows Modern UI-based applications. Administers ideally shouldn't modify any of the default pass-through keys, but in some instances, the admin may need to add more pass-through keys to adjust application behavior. ## App-V package store behavior 
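Review bot: "Administers ideally shouldn't modify any of the default pass-through keys" carries over the typo "Administers" for "Administrators" from the removed line; fix it in the same edit. This is the sentence that tells readers not to alter the default pass-through keys, which the preceding context lists as including HKEY_CURRENT_USER\SOFTWARE\Policies and which the paragraph itself says keep Group Policy settings authoritative over per-package values, so it is worth getting right.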
@@ -233,7 +233,7 @@ The App-V Client can be configured to change the default behavior of streaming. |PackageSourceRoot|The root override where packages should be streamed from| |SharedContentStoreMode|Enables the use of Shared Content Store for VDI scenarios| -These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that it's particularly important to understand: +These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that is important to understand: - Background Streaming - Optimized Streaming 
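Review bot: the rewrite introduces a subject-verb disagreement: "There are three specific behaviors in streaming packages that is important to understand" should be "that are important to understand" (or keep the original "that it's particularly important to understand").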
@@ -241,7 +241,7 @@ These settings affect the behavior of streaming App-V package assets to the clie ### Background streaming -The Windows PowerShell cmdlet **Get-AppvClientConfiguration** can be used to determine the current mode for background streaming with the AutoLoad setting and modified with either the **Set-AppvClientConfiguration** cmdlet or from the registry (HKLM\\SOFTWARE\\Microsoft\\AppV\\ClientStreaming key). Background streaming is a default setting where the Autoload setting is set to download previously used packages. The behavior based on default setting (value=1) downloads App-V data blocks in the background after the application has been launched. This setting can either be disabled altogether (value=0) or enabled for all packages (value=2), regardless of whether they have been launched. +The Windows PowerShell cmdlet **Get-AppvClientConfiguration** can be used to determine the current mode for background streaming with the AutoLoad setting and modified with either the **Set-AppvClientConfiguration** cmdlet or from the registry (HKLM\\SOFTWARE\\Microsoft\\AppV\\ClientStreaming key). Background streaming is a default setting where the Autoload setting is set to download previously used packages. The behavior based on default setting (value=1) downloads App-V data blocks in the background after the application has been launched. This setting can either be disabled altogether (value=0) or enabled for all packages (value=2), regardless of whether they've been launched. ### Optimized streaming 
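Review bot: the rewritten line spells the setting both "AutoLoad" and "Autoload" within the same sentence; pick one spelling, consistent with the first mention, so readers searching for the value under HKLM\SOFTWARE\Microsoft\AppV\ClientStreaming find it. Only the contraction "they've" was meant to change here, so this is a good moment to align the casing as well.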
@@ -249,7 +249,7 @@ App-V packages can be configured with a primary feature block during sequencing. ### Stream faults -After the initial stream of any publishing data and the primary feature block, requests for additional files perform stream faults. These blocks of data are downloaded to the package store on an as-needed basis. This allows a user to download only a small part of the package, typically enough to launch the package and run normal tasks. All other blocks are downloaded when a user initiates an operation that requires data not currently in the package store. +After the initial stream of any publishing data and the primary feature block, requests for more files perform stream faults. These blocks of data are downloaded to the package store on an as-needed basis. This flexibility allows a user to download only a small part of the package, typically enough to launch the package and run normal tasks. All other blocks are downloaded when a user initiates an operation that requires data not currently in the package store. ### Package upgrades 
@@ -257,11 +257,11 @@ App-V Packages require updating throughout the lifecycle of the application. App ### Package removal -The App-V Client's behavior when packages are removed depends on the package removal method. Using an App-V full infrastructure to unpublish the application, the user catalog files (machine catalog for globally published applications) are removed, but the package store location and COW locations remain. When the **Remove-AppVClientPackge** Windows PowerShell cmdlet is used to remove an App-V Package, the package store location is cleaned. Remember that unpublishing an App-V Package from the Management Server does not perform a Remove operation. Neither operation will remove the Package Store package files. +The App-V Client's behavior when packages are removed depends on the package removal method. Using an App-V full infrastructure to unpublish the application, the user catalog files (machine catalog for globally published applications) are removed, but the package store location and COW locations remain. When the **Remove-AppVClientPackge** Windows PowerShell cmdlet is used to remove an App-V Package, the package store location is cleaned. Remember that unpublishing an App-V Package from the Management Server doesn't perform a Remove operation. Neither operation will remove the Package Store package files. ## Roaming registry and data -App-V is able to provide a near-native experience when roaming, depending on how the application being used is written. By default, App-V roams AppData that is stored in the roaming location, based on the roaming configuration of the operating system. Other locations for storage of file-based data do not roam from computer to computer, since they are in locations that are not roamed. +App-V is able to provide a near-native experience when roaming, depending on how the application being used is written. 
By default, App-V roams AppData that is stored in the roaming location, based on the roaming configuration of the operating system. Other locations for storage of file-based data don't roam from computer to computer, since they're in locations that aren't roamed. ### Roaming requirements and user catalog data storage @@ -270,7 +270,7 @@ App-V stores data, which represents the state of the user’s catalog, in the fo - Files under %appdata%\\Microsoft\\AppV\\Client\\Catalog - Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages -Together, these files and registry settings represent the user’s catalog, so either both must be roamed, or neither must be roamed for a given user. App-V does not support roaming %AppData%, but not roaming the user’s profile (registry), or vice versa. +Together, these files and registry settings represent the user’s catalog, so either both must be roamed, or neither must be roamed for a given user. App-V doesn't support roaming %AppData%, but not roaming the user’s profile (registry), or vice versa. >[!NOTE] >The **Repair-AppvClientPackage** cmdlet doesn't repair the publishing state of packages where the user’s App-V state under HKEY_CURRENT_USER is missing or mismatched with the data in %appdata%. @@ -281,8 +281,8 @@ App-V registry roaming falls into two scenarios, as shown in the following table |Scenario|Description| |---|---| -|Applications that are run as standard users|When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This presents as two distinct paths:

              - HKLM's location is HKCU\SOFTWARE\Classes\AppV\Client\Packages\\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE
              - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\\{UserSID}\SOFTWARE

              The locations are enabled for roaming based on the operating system settings.| -|Applications that are run with elevation|When an application is launched with elevation:

              - HKLM data is stored in the HKLM hive on the local computer
              - HKCU data is stored in the User Registry location

              In this scenario, these settings are not roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following locations:

              - HKLM's location is HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\{UserSID}\REGISTRY\MACHINE\SOFTWARE
              - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\Registry\User\\{UserSID}\SOFTWARE| +|Applications that are run as standard users|When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This scenario presents two distinct paths:

              - HKLM's location is HKCU\SOFTWARE\Classes\AppV\Client\Packages\\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE
              - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\REGISTRY\USER\\{UserSID}\SOFTWARE

              The locations are enabled for roaming based on the operating system settings.| +|Applications that are run with elevation|When an application is launched with elevation:

              - HKLM data is stored in the HKLM hive on the local computer
              - HKCU data is stored in the User Registry location

              In this scenario, these settings aren't roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following locations:

              - HKLM's location is HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\{UserSID}\REGISTRY\MACHINE\SOFTWARE
              - HKCU's location is HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\\{PkgGUID}\\Registry\User\\{UserSID}\SOFTWARE| ### App-V and folder redirection @@ -290,7 +290,7 @@ App-V supports folder redirection of the roaming AppData folder (%AppData%). Whe A typical package has several locations mapped in the user’s backing store for settings in both AppData\\Local and AppData\\Roaming. These locations are the Copy on Write locations that are stored per user in the user’s profile, and that are used to store changes made to the package VFS directories and to protect the default package VFS. -The following table shows local and roaming locations when folder redirection has not been implemented. +The following table shows local and roaming locations when folder redirection hasn't been implemented. | VFS directory in package | Mapped location of backing store | |---|---| 
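Review bot: the cmdlet name in the rewritten "Package removal" paragraph of the -257 hunk is still misspelled: "**Remove-AppVClientPackge**" should be "**Remove-AppVClientPackage**" (the -270 hunk spells the comparable "**Repair-AppvClientPackage**" correctly). Since the line is already being rewritten, fix the name in this pass; a reader who pastes the misspelled name into PowerShell will not find the cmdlet. The same paragraph also reads as contradictory: it says the cmdlet "cleans" the package store location and then that "Neither operation will remove the Package Store package files"; clarify which of the two is intended. Minor: in the "## Roaming registry and data" part of the hunk, the replacement splits one paragraph across two source lines ("... is written." / "By default, App-V roams ..."); Markdown still renders that as a single paragraph, so it is harmless but inconsistent with the rest of the file.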
@@ -310,13 +310,13 @@ The following table shows local and roaming locations when folder redirection ha | appv_ROOT | C:\Users\Local\AppData\Local\Microsoft\AppV\Client\VFS\\<GUID>\appv\_ROOT | | AppData | \\Fileserver\users\Local\roaming\Microsoft\AppV\Client\VFS\\<GUID>\AppData | -The current App-V Client VFS driver can't write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. Here's what happens during the process: +The current App-V Client VFS driver can't write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to more machines, where the process will be repeated. Here's what happens during the process: 1. During publishing or virtual environment startup, the App-V Client detects the location of the AppData directory. 2. If the roaming AppData path is local or no AppData\\Roaming location is mapped, nothing happens. -3. If the roaming AppData path is not local, the VFS AppData directory is mapped to the local AppData directory. +3. If the roaming AppData path isn't local, the VFS AppData directory is mapped to the local AppData directory. -This process solves the problem of a non-local %AppData% that is not supported by the App-V Client VFS driver. However, the data stored in this new location is not roamed with folder redirection. 
All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The process does the following things: +This process solves the problem of a non-local %AppData% that isn't supported by the App-V Client VFS driver. However, the data stored in this new location isn't roamed with folder redirection. All changes during the running of the application happen to the local AppData location and must be copied to the redirected location. The process does the following things: 1. Shuts down the App-V application, which also shuts down the virtual environment. 2. Compresses the local cache of the roaming AppData location and store it in a .zip file. 
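Review bot: "enabling roaming to more machines" in the -310 hunk shifts the meaning slightly; the original "additional machines" meant other machines the user signs in to, so "other machines" is the better replacement for "additional". Also, step 2 in the trailing context ("Compresses the local cache ... and store it in a .zip file") mixes verb forms; the surrounding steps use third person, so change "store" to "stores" while this list is being edited.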
@@ -324,7 +324,7 @@ This process solves the problem of a non-local %AppData% that is not supported b 4. Records the time stamp in the HKEY\_CURRENT\_USER\\Software\\Microsoft\\AppV\\Client\\Packages\\<GUID>\\AppDataTime registry as the last known AppData time stamp. 5. Calls the folder redirection process to evaluate and initiate the .zip file uploaded to the roaming AppData directory. -The time stamp is used to determine a “last writer wins” scenario if there is a conflict and is used to optimize the download of the data when the App-V application is published, or the virtual environment is started. Folder redirection will make the data available from any other clients covered by the supporting policy and will initiate the process of storing the AppData\\Roaming data to the local AppData location on the client. Here's what happens during the process: +The time stamp is used to determine a “last writer wins” scenario if there's a conflict and is used to optimize the download of the data when the App-V application is published, or the virtual environment is started. Folder redirection will make the data available from any other clients covered by the supporting policy and will initiate the process of storing the AppData\\Roaming data to the local AppData location on the client. Here's what happens during the process: 1. The user starts an application, which also starts the virtual environment. 2. The application’s virtual environment checks for the most recent time stamped .zip file, if present. 
@@ -334,7 +334,7 @@ The time stamp is used to determine a “last writer wins” scenario if there i 6. After the .zip file is successfully extracted, the local cache of the roaming AppData directory is renamed and the new data moved into place. 7. The renamed directory is deleted and the application opens with the most recently saved roaming AppData data. -This completes the successful roaming of application settings that are present in AppData\\Roaming locations. The only other condition that must be addressed is a package repair operation. The process does the following things: +This process completes the successful roaming of application settings that are present in AppData\\Roaming locations. The only other condition that must be addressed is a package repair operation. The process does the following things: 1. During repair, detects if the path to the user’s roaming AppData directory isn't local. 2. Maps the non-local roaming AppData path targets, recreating the expected roaming and local AppData locations. 
@@ -344,7 +344,7 @@ This process will recreate both the local and network locations for AppData and ## App-V Client application lifecycle management -In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client. +In an App-V Full Infrastructure, after applications are sequenced, they're managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client. This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Microsoft Endpoint Configuration Manager, see [Deploy App-V virtual applications with Configuration Manager](/mem/configmgr/apps/get-started/deploying-app-v-virtual-applications). 
@@ -357,7 +357,7 @@ The publishing refresh process comprises several smaller operations that are per - **Add-AppVPublishingServer** configures the client with an App-V Publishing Server that provides App-V packages. - **Set-AppVPublishingServer** modifies the current settings for the App-V Publishing Server. - **Set-AppVClientConfiguration** modifies the currents settings for the App-V Client. -- **Sync-AppVPublishingServer** initiates an App-V Publishing Refresh process manually. This is also utilized in the scheduled tasks created during configuration of the publishing server. +- **Sync-AppVPublishingServer** initiates an App-V Publishing Refresh process manually. This process is also utilized in the scheduled tasks created during configuration of the publishing server. The following sections will elaborate what goes on during the publishing refresh process. 
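Review bot: the context line directly above the changed bullet in the -357 hunk still reads "modifies the currents settings for the App-V Client"; since this is a wording pass, drop the stray "s" ("current settings") in the same change rather than leaving the typo beside a rewritten line.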
@@ -365,7 +365,7 @@ The following sections will elaborate what goes on during the publishing refresh Adding an App-V package to the client is the first step of the publishing refresh process. The end result is the same as the **Add-AppVClientPackage** cmdlet in Windows PowerShell, except the publishing refresh add process contacts the configured publishing server and passes a high-level list of applications back to the client to pull more detailed information, rather than just doing a single package add operation. -The process then configures the client for package or connection group additions or updates, then accesses the appv file. Next, the contents of the appv file are expanded and placed on the local operating system in the appropriate locations. The following is a detailed workflow of the process, assuming the package is configured for Fault Streaming. +The process then configures the client for package or connection group additions or updates, then accesses the appv file. Next, the contents of the appv file are expanded and placed on the local operating system in the appropriate locations. The following steps are a detailed workflow of the process, assuming the package is configured for Fault Streaming. #### How to add an App-V package 
@@ -373,9 +373,9 @@ The process then configures the client for package or connection group additions 1. The App-V Client makes an HTTP connection and requests a list of applications based on the target. The Publishing refresh process supports targeting machines or users. - 2. The App-V Publishing Server uses the identity of the initiating target, user or machine, and queries the database for a list of entitled applications. The list of applications is provided as an XML response, which the client uses to send additional requests to the server for more information on a per-package basis. + 2. The App-V Publishing Server uses the identity of the initiating target, user or machine, and queries the database for a list of entitled applications. The list of applications is provided as an XML response, which the client uses to send more requests to the server for more information on a per-package basis. -2. The Publishing Agent on the App-V Client will evaluate any connection groups that are unpublished or disabled, since package version updates that are part of the connection group cannot be processed. +2. The Publishing Agent on the App-V Client will evaluate any connection groups that are unpublished or disabled, since package version updates that are part of the connection group can't be processed. 3. Configure the packages by identifying the **Add** or **Update** operations. @@ -389,7 +389,7 @@ The process then configures the client for package or connection group additions - Portable Executable Headers (PE Headers): Targets of extension points that contain the base information about the image need on disk, accessed directly or through file types. - Scripts: Download scripts directory for use throughout the publishing process. - 4. Populate the Package store by doing the following: + 4. Populate the Package store by performing the following sub-steps: 1. Create sparse files on disk that represent the extracted package for any directories listed. 
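Review bot: the rewritten step 2 in the -373 hunk now reads "send more requests to the server for more information", which repeats "more" within one clause; prefer "send further requests to the server for more information on a per-package basis". Separately, the list in this hunk's context has an indented "2." followed by a second top-level "2. The Publishing Agent ...", so the rendered page shows two items numbered 2; if the indented item is a sub-step of step 1 it should be numbered as such, otherwise the following items need renumbering.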
@@ -409,7 +409,7 @@ The process then configures the client for package or connection group additions 4. Configure Connection Groups by adding and enabling or disabling. -5. Remove objects that are not published to the target (user or machine). +5. Remove objects that aren't published to the target (user or machine). > [!NOTE] >This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published). @@ -421,7 +421,7 @@ The process then configures the client for package or connection group additions > [!NOTE] >This condition occurs as a product of removal without unpublishing with background addition of the package. -This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user). +This process completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user). ![Package add file and registry data.](images/packageaddfileandregistrydata.png) 
@@ -452,7 +452,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu 3. Run scripts targeted for publishing timing. -Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details. +Publishing an App-V Package that is part of a Connection Group is similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details. ![package add file and registry data - global.](images/packageaddfileandregistrydata-global.png) 
@@ -460,7 +460,7 @@ Publishing an App-V Package that is part of a Connection Group is very similar t ### Application launch -After the Publishing Refresh process, the user launches and then relaunches an App-V application. The App-V Client checks the path to the user catalog for files created during publishing. After establishing rights to launch the package, the App-V Client creates a virtual environment, begins streaming any necessary data, and applies the appropriate manifest and deployment configuration files during virtual environment creation. Once the virtual environment created and configured for the specific package and application, the application starts. This might seem like a lot, but the process in action is actually quite fast, and is optimized to minimize network traffic. +After the Publishing Refresh process, the user launches and then relaunches an App-V application. The App-V Client checks the path to the user catalog for files created during publishing. After establishing rights to launch the package, the App-V Client creates a virtual environment, begins streaming any necessary data, and applies the appropriate manifest and deployment configuration files during virtual environment creation. Once the virtual environment created and configured for the specific package and application, the application starts. This might seem like a lot, but the process in action is fast, and is optimized to minimize network traffic. #### How to launch App-V applications 
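Review bot: the rewritten paragraph in the -460 hunk carries over a missing verb: "Once the virtual environment created and configured for the specific package and application" should be "Once the virtual environment is created and configured ...". Fix it here, since the line is already being touched.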
@@ -471,11 +471,13 @@ After the Publishing Refresh process, the user launches and then relaunches an A - **UserDeploymentConfiguration.xml** - **UserManifest.xml** -3. If the files are present, the application is entitled for that specific user and the application will start the process for launch. There is no network traffic at this point. +3. If the files are present, the application is entitled for that specific user and the application will start the process for launch. There's no network traffic at this point. 4. Next, the App-V Client checks that the path for the package registered for the App-V Client service is found in the registry. -5. Upon finding the path to the package store, the virtual environment is created. If this is the first launch, the Primary Feature Block downloads if present. +5. Upon finding the path to the package store, the virtual environment is created. + + If this process execution is the first launch, the Primary Feature Block downloads if present. 6. After downloading, the App-V Client service consumes the manifest and deployment configuration files to configure the virtual environment and all App-V subsystems are loaded. 
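Review bot: splitting step 5 in the -471 hunk into "... the virtual environment is created." plus a separate line "If this process execution is the first launch, ..." risks breaking the numbered list: unless the new line is indented to the list item's content column, Markdown ends the list there and "6." starts a new list. Keep the sentence inside item 5 (or indent it under it). "If this process execution is the first launch" is also awkward; suggest "If the package is being launched for the first time, the Primary Feature Block is downloaded if one is present".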
@@ -487,7 +489,7 @@ After the Publishing Refresh process, the user launches and then relaunches an A ### Upgrading an App-V package -The current version of App-V's package upgrade process differs from the older versions in its storage optimization. App-V supports multiple versions of the same package on a machine entitled to different users. Package versions can be added at any time, as the package store and catalogs are updated with the new resources. During an upgrade in the new version, only new files are added to the new version store location, and hard links are created for unchanged files. This reduces overall storage by only presenting the file on one disk location, then projecting it into all folders with a file location entry on the disk. +The current version of App-V's package upgrade process differs from the older versions in its storage optimization. App-V supports multiple versions of the same package on a machine entitled to different users. Package versions can be added at any time, as the package store and catalogs are updated with the new resources. During an upgrade in the new version, only new files are added to the new version store location, and hard links are created for unchanged files. Such results reduce overall storage by only presenting the file on one disk location, then projecting it into all folders with a file location entry on the disk. #### How to upgrade an App-V package 
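Review bot: "Such results reduce overall storage" in the -487 hunk is an awkward replacement for "This reduces"; the subject is the hard-linking described in the previous sentence, so "Hard-linking reduces overall storage by presenting the file in one disk location, then projecting it into all folders ..." says what is meant.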
@@ -521,7 +523,7 @@ If you try to upgrade a package that is currently in use, the upgrade task is pl | Task type | Applicable rule | |---|---| -| User-based tasks, such as publishing a package to a user | The pending task will be performed after the user logs off and then logs back on. | +| User-based tasks, such as publishing a package to a user | The pending task will be performed after the user signs out and then signs back in. | | Globally based tasks, such as enabling a connection group globally | The pending task will be performed when the computer is shut down and then restarted. | When a task is placed in a pending state, the App-V Client also generates a registry key for the pending task, as follows: @@ -542,19 +544,19 @@ Use the following example scenarios as a guide for updating packages. | Scenario | Requirements | |---|---| -| App-V package is not in use when you try to upgrade | None of the following components of the package can be in use: virtual application, COM server, or shell extensions.

              The administrator publishes a newer version of the package and the upgrade works the next time a component or application inside the package is launched. The new version of the package is streamed and ran. | -| App-V package is in use when the administrator publishes a newer version of the package | The App-V Client sets the operation to "pending," which means that it is queued and will be carried out later when the package is not in use.

              If the package application is in use, the user shuts down the virtual application, after which the upgrade can occur.

              If the package has shell extensions, which are permanently loaded by Windows Explorer, the user won't be able to sign in. Users must sign off and then sign back in to initiate the App-V package upgrade.| +| App-V package isn't in use when you try to upgrade | None of the following components of the package can be in use: virtual application, COM server, or shell extensions.

              The administrator publishes a newer version of the package and the upgrade works the next time a component or application inside the package is launched. The new version of the package is streamed and ran. | +| App-V package is in use when the administrator publishes a newer version of the package | The App-V Client sets the operation to "pending," which means that it's queued and will be carried out later when the package isn't in use.

              If the package application is in use, the user shuts down the virtual application, after which the upgrade can occur.

              If the package has shell extensions, which are permanently loaded by Windows Explorer, the user won't be able to sign in. Users must sign off and then sign back in to initiate the App-V package upgrade.| ### Global vs. user publishing -App-V Packages can be published in one of two ways; as user, which entitles an App-V package to a specific user or group of users, or as global, which entitles the App-V package to the entire machine for all users of the machine. Once a package upgrade has been pended and the App-V package is not in use, consider the two types of publishing: +App-V Packages can be published in one of two ways; as user, which entitles an App-V package to a specific user or group of users, or as global, which entitles the App-V package to the entire machine for all users of the machine. Once a package upgrade has been pended and the App-V package isn't in use, consider the two types of publishing: - Global publishing is when the application is published to a machine; all users on that machine can use it. The upgrade will happen when the App-V Client Service starts, which effectively means a machine restart. -- User publishing is when the application is published to a user. If there are multiple users on the machine, the application can be published to a subset of the users. The upgrade will happen when the user signs in or when it is published again (periodically, ConfigMgr Policy refresh and evaluation, or an App-V periodic publishing/refresh, or explicitly through Windows PowerShell commands). +- User publishing is when the application is published to a user. If there are multiple users on the machine, the application can be published to a subset of the users. The upgrade will happen when the user signs in or when it's published again (periodically, ConfigMgr Policy refresh and evaluation, or an App-V periodic publishing/refresh, or explicitly through Windows PowerShell commands). 
### Removing an App-V package -Removing App-V applications in a Full Infrastructure is an unpublish operation and does not perform a package removal. The process is the same as the publish process above, but instead of adding the removal process reverses the changes that have been made for App-V Packages. +Removing App-V applications in a Full Infrastructure is an unpublish operation and doesn't perform a package removal. The process is the same as the publish process above, but instead of adding the removal process reverses the changes that have been made for App-V Packages. ### Repairing an App-V package 
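Review bot: the -542 hunk rewrites the "not in use" row but leaves "The new version of the package is streamed and ran" (should be "streamed and run"). The "in use" row still says "Users must sign off and then sign back in" while the -521 hunk above standardizes on "signs out and then signs back in"; use the same terms here. Two smaller points in the same hunk's changed lines: "published in one of two ways; as user, ..." wants a colon rather than a semicolon, and "but instead of adding the removal process reverses the changes" needs a comma after "adding" to be readable.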
@@ -577,12 +579,12 @@ When App-V applications are published to a computer with the App-V Client, some - Backup and Restore: Existing native application data and registry (such as FTA registrations) are backed up during publishing. 1. App-V packages are given ownership based on the last integrated package where the ownership is passed to the newest published App-V application. - 2. Ownership transfers from one App-V package to another when the owning App-V package is unpublished. This will not initiate a restore of the data or registry. + 2. Ownership transfers from one App-V package to another when the owning App-V package is unpublished. This transfer won't initiate a restore of the data or registry. 3. Restore the backed-up data when the last package is unpublished or removed on a per-extension point basis. ### Extension points -The App-V publishing files (manifest and dynamic configuration) provide several extension points to integrate the application with the local operating system. These extension points perform typical application installation tasks, such as placing shortcuts, creating file type associations, and registering components. As these are virtualized applications that are not installed in the same manner a traditional application, there are some differences. The following is a list of extension points covered in this section: +The App-V publishing files (manifest and dynamic configuration) provide several extension points to integrate the application with the local operating system. These extension points perform typical application installation tasks, such as placing shortcuts, creating file type associations, and registering components. As these are virtualized applications that aren't installed in the same manner a traditional application, there are some differences. The following is a list of extension points covered in this section: - Shortcuts - File type associations 
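Review bot: the changed sentence in the -577 hunk is missing a word: "aren't installed in the same manner a traditional application" should be "... in the same manner as a traditional application". Also "The following is a list of extension points" is left as-is here while the same "The following is ..." pattern is rewritten in the -598 and -698 hunks; apply one style across the file.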
@@ -598,7 +600,7 @@ The App-V publishing files (manifest and dynamic configuration) provide several The shortcut is one of the basic elements of integration with the OS and is the interface for direct user launch of an App-V application. During the publishing and unpublishing of App-V applications. -From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section like the following: +From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section as shown in the following example: ```XML @@ -618,7 +620,7 @@ As mentioned previously, the App-V shortcuts are placed by default in the user ### File type associations -Users can use file type invocations or open a file with a specifically registered extension (.docx) to start an App-V application because the App-V Client manages the local operating system File Type Associations during publishing. File type associations are present in the manifest and dynamic configuration files, as shown in the following example: +Users can use file type invocations or open a file with a registered extension (.docx) to start an App-V application because the App-V Client manages the local operating system File Type Associations during publishing. File type associations are present in the manifest and dynamic configuration files, as shown in the following example: ```XML 
@@ -665,7 +667,7 @@ Users can use file type invocations or open a file with a specifically registere ### Shell extensions -Shell extensions are embedded in the package automatically during the sequencing process. When the package is published globally, the shell extension gives users the same functionality as if the application were locally installed. The application requires no additional setup or configuration on the client to enable the shell extension functionality. +Shell extensions are embedded in the package automatically during the sequencing process. When the package is published globally, the shell extension gives users the same functionality as if the application were locally installed. The application requires no extra setup or configuration on the client to enable the shell extension functionality. #### Requirements for using shell extensions 
@@ -679,10 +681,10 @@ The following table displays the supported shell extensions. | Handler | Description | |---|---| -| Context menu handler | Adds menu items to the context menu. It is called before the context menu is displayed. | +| Context menu handler | Adds menu items to the context menu. it's called before the context menu is displayed. | | Drag-and-drop handler | Controls the action upon right-click drag-and-drop and modifies the context menu that appears. | | Drop target handler | Controls the action after a data object is dragged-and-dropped over a drop target, such as a file.| -| Data object handler| Controls the action after a file is copied to the clipboard or dragged-and-dropped over a drop target. It can provide additional clipboard formats to the drop target.| +| Data object handler| Controls the action after a file is copied to the clipboard or dragged-and-dropped over a drop target. It can provide more clipboard formats to the drop target.| | Property sheet handler| Replaces or adds pages to the property sheet dialog box of an object.| | Infotip handler| Allows retrieving flags and infotip information for an item and displaying it inside a popup tooltip upon mouse-hover.| | Column handler| Allows creating and displaying custom columns in Windows Explorer *Details view*. It can be used to extend sorting and grouping.| 
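Review bot: the changed context-menu row in the -679 hunk starts a sentence with a lowercase contraction: "Adds menu items to the context menu. it's called before ..." should read "It's called ...". The table renders the text verbatim, so the lowercase letter will appear on the published page.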
@@ -690,7 +692,7 @@ The following table displays the supported shell extensions. ### COM -The App-V Client supports publishing applications with support for COM integration and virtualization. COM integration allows the App-V Client to register COM objects on the local operating system and virtualization of the objects. For the purposes of this document, the integration of COM objects requires additional detail. +The App-V Client supports publishing applications with support for COM integration and virtualization. COM integration allows the App-V Client to register COM objects on the local operating system and virtualization of the objects. For the purposes of this document, the integration of COM objects requires more details. App-V supports registering COM objects from the package to the local operating system with two process types: Out-of-process and In-process. Registering COM objects is accomplished with one or a combination of multiple modes of operation for a specific App-V package that includes Off, Isolated, and Integrated. Integrated mode is configured for either the Out-of-process or In-process type. Configuration of COM modes and types is accomplished with dynamic configuration files (deploymentconfig.xml or userconfig.xml). 
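Review bot: "the integration of COM objects requires more details" in the -690 hunk reads less naturally than the original; "detail" is uncountable in this sense, so "requires more detail" (or "is described in more detail below") is the idiomatic replacement for "additional detail".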
@@ -698,9 +700,9 @@ For details on App-V integration, see [Microsoft Application Virtualization 5.0 ### Software clients and application capabilities -App-V supports specific software clients and application capabilities extension points to register virtualized applications with the operating system's software client. This means users can select default programs for operations like email, instant messaging, and using the media player. This operation is performed in the control panel with **Set Program Access** and **Computer Defaults**, and is configured during sequencing in the manifest or dynamic configuration files. Application capabilities are only supported when the App-V applications are published globally. +App-V supports specific software clients and application capabilities extension points to register virtualized applications with the operating system's software client. This specific support means users can select default programs for operations like email, instant messaging, and using the media player. This operation is performed in the control panel with **Set Program Access** and **Computer Defaults**, and is configured during sequencing in the manifest or dynamic configuration files. Application capabilities are only supported when the App-V applications are published globally. -The following is an example of software client registration of an App-V-based mail client. +The following example illustrates a software client registration of an App-V-based mail client. ```XML 
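Review bot: `This specific support means users can select default programs` is heavier than the sentence it replaces without being clearer; `With these extension points registered, users can select default programs for operations like email, ...` names the actual subject and avoids the vague "This".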
@@ -752,23 +754,23 @@ The following is an example of software client registration of an App-V-based ma Virtual applications don't always specifically utilize file type invocation. For, example, in an application that supports embedding a mailto: link inside a document or web page, the user selects the link expecting to access their registered mail client. App-V supports URL Protocol handlers that can be registered on a per-package basis with the local operating system. During sequencing, the URL Protocol handlers are automatically added to the package. -For situations where there is more than one application that could register the specific URL Protocol handler, the dynamic configuration files can be utilized to modify the behavior and suppress or disable this feature for an application that should not be the primary application launched. +For situations where there's more than one application that could register the specific URL Protocol handler, the dynamic configuration files can be utilized to modify the behavior and suppress or disable this feature for an application that shouldn't be the primary application launched. ### AppPath -The AppPath extension point supports calling App-V applications directly from the operating system. Administrators can provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable from either the Run or Start Screen, depending on the operating system. It therefore avoids modifying the system path environment variable on all systems, as it is accomplished during publishing. +The AppPath extension point supports calling App-V applications directly from the operating system. Administrators can provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable from either the Run or Start Screen, depending on the operating system. 
It therefore avoids modifying the system path environment variable on all systems, as it's accomplished during publishing. -The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For additional information on AppPath review: [App Paths - A Virtual Application Extension in App-V 5.0](/archive/blogs/virtualworld/app-paths-a-virtual-application-extension-in-app-v-5-0). +The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For more information on AppPath review: [App Paths - A Virtual Application Extension in App-V 5.0](/archive/blogs/virtualworld/app-paths-a-virtual-application-extension-in-app-v-5-0). ### Virtual application -This subsystem provides a list of applications captured during sequencing which is usually consumed by other App-V components. Integration of extension points belonging to a specific application can be disabled using dynamic configuration files. For example, if a package contains two applications, you can disable all extension points belonging to one application to only allow integration of extension points for the other application. +This subsystem provides a list of applications captured during sequencing which is consumed by other App-V components. Integration of extension points belonging to a specific application can be disabled using dynamic configuration files. For example, if a package contains two applications, you can disable all extension points belonging to one application to only allow integration of extension points for the other application. ### Extension point rules -The previously described extension points are integrated into the operating system based on how the packages has been published. 
Global publishing places extension points in public machine locations, where user publishing places extension points in user locations. For example, a shortcut created on the desktop and published globally will result in the file data for the shortcut (%Public%\\Desktop) and the registry data (HKLM\\Software\\Classes). The same shortcut would have file data (%UserProfile%\\Desktop) and registry data (HKCU\\Software\\Classes). +The previously described extension points are integrated into the operating system based on how the packages have been published. Global publishing places extension points in public machine locations, where user publishing places extension points in user locations. For example, a shortcut created on the desktop and published globally will result in the file data for the shortcut (%Public%\\Desktop) and the registry data (HKLM\\Software\\Classes). The same shortcut would have file data (%UserProfile%\\Desktop) and registry data (HKCU\\Software\\Classes). -Extension points are not all published the same way, where some extension points will require global publishing and others require sequencing on the specific operating system and architecture where they are delivered. Below is a table that describes these two key rules. +Extension points aren't all published the same way, where some extension points will require global publishing and others require sequencing on the specific operating system and architecture where they're delivered. Below is a table that describes these two key rules. |Virtual Extension|Requires target OS sequencing|Requires global publishing| |---|:---:|:---:| 
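Review bot: In the Virtual application paragraph, dropping "usually" from `which is usually consumed by other App-V components` turns a hedged statement into an absolute one (`which is consumed by other App-V components`); unless that behaviour is in fact unconditional, keep `usually`. The `has been published` → `have been published` correction in the Extension point rules paragraph is right.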
@@ -791,7 +793,7 @@ Extension points are not all published the same way, where some extension points ## Dynamic configuration processing -Deploying App-V packages to a single machine or user is very simple. However, as organizations deploy App-V applications across business lines and geographic and political boundaries, it becomes impossible to sequence all applications with the same settings. App-V was designed to overcome this problem by capturing specific settings and configurations during sequencing in the Manifest file while also supporting modification with Dynamic Configuration files. +Deploying App-V packages to a single machine or user is simple. However, as organizations deploy App-V applications across business lines and geographic and political boundaries, it becomes impossible to sequence all applications with the same settings. App-V was designed to overcome this problem by capturing specific settings and configurations during sequencing in the Manifest file while also supporting modification with Dynamic Configuration files. App-V dynamic configuration lets you specify a package policy at either the machine or user levels. Sequencing engineers can use Dynamic Configuration files to modify the configuration of a package post-sequencing to address the needs of individual groups of users or machines. In some instances, it may be necessary to modify the application to provide proper functionality within the App-V environment. For example, you may need to modify the \_\*config.xml files to allow certain actions to be performed at a specified time while executing the application, like disabling a mailto extension to prevent a virtualized application from overwriting that extension from another application. 
@@ -799,7 +801,7 @@ App-V packages contain the Manifest file inside of the App-V Package file, which ### Examples of dynamic configuration files -The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is show the combination of the files only, not to be a complete description of the specific categories available in each file. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760). +The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is to show the combination of the files only, not to be a complete description of the specific categories available in each file. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760). #### Manifest 
@@ -871,7 +873,7 @@ The following example shows the combination of the Manifest, Deployment Configur App-V supports automatic packaging of side-by-side assemblies during sequencing and deployment on the client during virtual application publishing. App-V also supports capturing side-by-side assemblies during sequencing for assemblies not present on the sequencing machine. For assemblies consisting of Visual C++ (Version 8 and newer) or MSXML run-time, the Sequencer will automatically detect and capture these dependencies even if they weren't installed during monitoring. -The side-by-side assemblies feature removes the limitations of previous versions of App-V, where the App-V Sequencer did not capture assemblies already present on the sequencing workstation, and privatized the assemblies, which limited it to one bit version per package. This behavior resulted in App-V applications being deployed to clients missing the required side-by-side assemblies, which led to application launch failures. This forced the packaging process to document and ensure that all assemblies required for packages were locally installed on the user’s client operating system. This task was both a management and implementation challenge due to the number of assemblies and the lack of application documentation for the required dependencies. +The side-by-side assemblies feature removes the limitations of previous versions of App-V, where the App-V Sequencer didn't capture assemblies already present on the sequencing workstation, and privatized the assemblies, which limited it to a bit version per package. This behavior resulted in App-V applications being deployed to clients missing the required side-by-side assemblies, which led to application launch failures. This failure forced the packaging process to document and ensure that all assemblies required for packages were locally installed on the user’s client operating system. 
This task was both a management and implementation challenge due to the number of assemblies and the lack of application documentation for the required dependencies. Side-by-side assembly support in App-V has the following features: @@ -885,13 +887,13 @@ Side-by-side assembly support in App-V has the following features: During publishing of an App-V package with side-by-side assemblies, the App-V Client will check for the presence of the assembly on the machine. If it doesn't detect an assembly, the client will deploy the assembly to the machine. Packages that are part of connection groups will rely on the side-by-side assembly installations in the base packages, as the connection groups don't contain any information about assembly installation. >[!NOTE] ->Unpublishing or removing a package with an assembly does not remove the assemblies for that package. +>Unpublishing or removing a package with an assembly doesn't remove the assemblies for that package. ## Client logging The App-V Client logs information to the Windows Event log in standard ETW format. The specific App-V events can be found in the event viewer under **Applications and Services Logs\\Microsoft\\AppV\\Client**. -There are three specific categories of events recorded: +There're three specific categories of events recorded: - **Admin** logs events for configurations applied to the App-V Client and also contains the primary warnings and errors. - **Operational** logs the general App-V execution and usage of individual components, creating an audit log of the App-V Client's completed App-V operations. diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index 4af43ec60c..30dccb2ed4 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md 
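Review bot: In the side-by-side assemblies paragraph, `which limited it to a bit version per package` loses the meaning of the original `which limited it to one bit version per package` (a single bit version per package); restore `one bit version per package`, or, if the numeral is the concern, `a single bit version per package`.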
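Review bot: In the Client logging section, `There're three specific categories of events recorded:` uses a non-standard contraction; keep `There are three specific categories of events recorded:`, which also matches the `There are three types of log files` wording this same patch adopts in appv-auto-batch-sequencing.md.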
@@ -18,7 +18,7 @@ ms.topic: article Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package. -Starting with Windows 10 version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios: +Starting with Windows 10 version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This automatic customization load is applicable to all of the sequencing scenarios: - Using the **New-BatchAppVSequencerPackages** cmdlet - Using the App-V Sequencer interface 
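Review bot: `This automatic customization load is applicable to all of the sequencing scenarios:` is more awkward than the sentence it replaces; `This applies to all of the sequencing scenarios:` or `The template is loaded in all of the sequencing scenarios:` is clearer.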
@@ -39,7 +39,7 @@ Sequencing multiple apps at the same time requires that you create a **ConfigFil - ``````. The name of the app you're adding to the package. - ``````. The file path to the folder with the app installer. - - ``````. The file name for the app executable. This will typically be an .exe or .msi file. + - ``````. The file name for the app executable. This file will typically be an .exe or .msi file. - ``````. The command-line options required for the app installation. - ``````. The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself. - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. 
@@ -83,11 +83,11 @@ New-BatchAppVSequencerPackages –ConfigFile –VMName ``` is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and `````` is the full path to where the sequenced packages should be copied. -The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. +The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After the sequencing and package creation for the first app on the VM is completed, the package is copied from the VM to the Host computer, specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. 
### Review the log files -There are 3 types of log files that occur when you sequence multiple apps at the same time: +There are three types of log files that occur when you sequence multiple apps at the same time: - **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about the sequencing activities for each app, such as "Copying installer to VM," "Scheduling sequencing task," and so on. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem. - **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps. diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index c93a23bfe3..9273525175 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md 
@@ -35,7 +35,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* - ``````. The name of the app you're adding to the package. - ``````. The file path to the folder with the app installer. - - ``````. The file name for the app executable. This will typically be an .exe or .msi file. + - ``````. The file name for the app executable. This file will typically be an .exe or .msi file. - ``````. The command-line options required for the app installation. - ``````. The file path to the location of your App-V packages. These packages were created when you sequenced your apps. - ``````. The maximum amount of time, in minutes, that the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. 
@@ -80,7 +80,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* ``` Where `````` is the name of the virtual machine (VM) with the App-V Sequencer installed that you'll run the batch updating on, and `````` is the full path to where the updated packages should be copied. - The cmdlet creates a "clean" checkpoint on the VM. After making the checkpoint, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This opens a new session of the VM (through VMConnect), allowing app updates to begin from the command-line. After completing the update and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. + The cmdlet creates a "clean" checkpoint on the VM. After the checkpoint is created, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This copy-operation opens a new session of the VM (through VMConnect), allowing app updates to begin from the command-line. After the update and package creation for the first app on the VM is completed, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. 
## Update multiple apps with the App-V Sequencer interface @@ -94,7 +94,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* - ``````. The name of the app you're adding to the package. - ``````. The file path to the folder with the app installer. - - ``````. The file name for the app executable. This will typically be an .exe or .msi file. + - ``````. The file name for the app executable. This file will typically be an .exe or .msi file. - ``````. The file path to the location of your App-V packages. These packages were created when you sequenced your apps. - ``````. The maximum amount of time, in minutes, the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself. - ``````. Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. 
@@ -137,7 +137,7 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* ``` Where `````` is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch updating, and `````` is the full path to where the updated packages should be copied. - This cmdlet creates a "clean" checkpoint on the VM. After making the checkpoint, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This opens a new session of the VM (through VMConnect) and app updating begins from the command-line. After completing updating and package creation for the first app on the VM, the package is copied from the VM to the Host computer specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted to a "clean" checkpoint and turned off. + This cmdlet creates a "clean" checkpoint on the VM. After the checkpoint is created, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM. This opens a new session of the VM (through VMConnect) and app updating begins from the command-line. After the updating and package creation for the first app on the VM is completed, the package is copied from the VM to the Host computer specified in the *OutputPath* parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted to a "clean" checkpoint and turned off. ### Review the log files 
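Review bot: The two parallel paragraphs in appv-auto-batch-updating.md now diverge: the earlier hunk rewrites `This opens a new session of the VM` as `This copy-operation opens a new session of the VM`, while this hunk leaves `This opens a new session of the VM (through VMConnect)` unchanged. Use one wording in both places, and if the expanded form is kept, drop the hyphen (`This copy operation opens ...`).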
diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index 707c5493a2..a8a277b8de 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -20,7 +20,7 @@ Previous versions of the App-V Sequencer have required you to manually create yo ## Automatic VM provisioning of the sequencing environment -You have two options for provisioning an VM for auto-sequencing: +You have two options for provisioning a VM for auto-sequencing: 1. Using a Virtual Hard Disk (VHD) 2. Updating an existing VM diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index d3d6e021c5..8757a55bb9 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md 
@@ -23,18 +23,18 @@ The following recommendations can be used as a baseline to help determine capaci ## Determine the project scope -Before you design the App-V infrastructure, determining which applications will be available virtually, and also identify the target users and their locations. This information will determine what type of App-V infrastructure your project should implement. Your should base your decisions about your project's scope on your organization's specific needs. +Before you design the App-V infrastructure, determining which applications will be available virtually, and also identify the target users and their locations. This information will determine what type of App-V infrastructure your project should implement. You should base your decisions about your project's scope on your organization's specific needs. |Task|More information| |----|----------------| -|Determine application scope|The App-V infrastructure can be set up in different ways depending on which applications you want to virtualize. This means your first task is to define which applications you want to virtualize.| +|Determine application scope|The App-V infrastructure can be set up in different ways depending on which applications you want to virtualize. This customization in set up means your first task is to define which applications you want to virtualize.| |Determine location scope|"Location scope" refers to the physical locations where you plan to run the virtualized applications (for example, enterprise-wide or a specific geographic location). It can also refer to the user population that will run the virtual applications (for example, a single department). 
You should obtain a network map that includes the connection paths, the available bandwidth for each location, the number of users using virtualized applications, and the WAN link speed.| ## Determine which App-V infrastructure is required -You can also manage your App-V environment using an electronic software distribution (ESD) solution such as Microsoft Systems Center Configuration Manager. For more information see [How to deploy App-V packages using electronic software distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md). +You can also manage your App-V environment using an electronic software distribution (ESD) solution such as Microsoft Systems Center Configuration Manager. For more information, see [How to deploy App-V packages using electronic software distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md). -* **Standalone model**—The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone mode only needs the sequencer and the client; no additional components are required. Applications are prepared for virtualization using a process called sequencing. For more information, see [Planning for the App-V Sequencer and Client deployment](appv-planning-for-sequencer-and-client-deployment.md). The standalone model is recommended for the following scenarios: +* **Standalone model**—The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone mode only needs the sequencer and the client; no extra components are required. Applications are prepared for virtualization using a process called sequencing. For more information, see [Planning for the App-V Sequencer and Client deployment](appv-planning-for-sequencer-and-client-deployment.md). 
The standalone model is recommended for the following scenarios: * When there are disconnected remote users who can't connect to the App-V infrastructure. * When you're running a software management system, such as System Center 2012 Configuration Manager. 
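Review bot: The `Your` → `You` fix leaves the first sentence of the section without a main verb: `Before you design the App-V infrastructure, determining which applications will be available virtually, and also identify the target users and their locations.` Change `determining` to `determine`. In the Determine application scope row, `This customization in set up means your first task is` is awkward and uses `set up` as a noun; the original `This means your first task is` (or `Because of this, your first task is`) reads better.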
@@ -79,8 +79,8 @@ The following table describes each factor that impacts round-trip time in more d |Factors impacting round-trip response time|Description| |------------------------------------------|-----------| |The number of publishing servers simultaneously requesting package metadata refreshes.|A single management server can respond to up to 320 publishing servers simultaneously requesting publishing metadata. For example, in a case with 30 publishing servers simultaneously requesting publishing metadata, the round-trip response time is about 40 seconds, while for less than 50 servers it's less than 5 seconds. From 50 to 320 publishing servers, response team increases linearly (approximately 2×).| -|The number of connection groups configured on the management server.|For up to 100 connection groups, there is no significant change in the round-trip response time on the publishing server. For 100–400 connection groups, there is a minor linear increase in the round-trip response time.| -|The number of access groups configured on the management server.|For up to 40 access groups, there is a linear (approximately 3×) increase in the round-trip response time on the publishing server.| +|The number of connection groups configured on the management server.|For up to 100 connection groups, there's no significant change in the round-trip response time on the publishing server. For 100–400 connection groups, there's a minor linear increase in the round-trip response time.| +|The number of access groups configured on the management server.|For up to 40 access groups, there's a linear (approximately 3×) increase in the round-trip response time on the publishing server.| The following table displays sample values for each of the previous factors. In each variation, 120 packages are refreshed from the App-V management server. 
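Review bot: The unchanged context row just above the edited rows still reads `response team increases linearly (approximately 2×)`; since this hunk already touches the table, correct the typo to `response time increases linearly`.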
@@ -92,7 +92,7 @@ The following table displays sample values for each of the previous factors. In The CPU utilization of the computer running the management server is around 25% irrespective of the number of publishing servers targeting it. The Microsoft SQL Server database transactions/sec, batch requests/sec and user connections are identical irrespective of the number of publishing servers. For example, transactions/sec is approximately 30, batch requests approximately 200, and user connects approximately six. -Using a geographically distributed deployment, where the management server and publishing servers utilize a slow link network between them, the round-trip response time on the publishing servers is within acceptable time limits (<5 seconds), even for 100 simultaneous requests on a single management server. +Through a geographically distributed deployment, where the management server and publishing servers utilize a slow link network between them, the round-trip response time on the publishing servers is within acceptable time limits (<5 seconds), even for 100 simultaneous requests on a single management server. |Scenario|Variation|Number of connection groups|Number of access groups|Number of publishing servers|Network connection type|Round-trip response time (seconds)|Management server CPU utilization (in %)| |---|---|---|---|---|---|---|---| 
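Review bot: `Through a geographically distributed deployment, where the management server and publishing servers utilize a slow link network between them, the round-trip response time ...` swaps a dangling participle for a preposition that does not fit the clause; `In a geographically distributed deployment, where ...` is the natural form.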
@@ -103,7 +103,7 @@ Whether the management server and publishing servers are connected over a slow l ## App-V Reporting Server capacity planning recommendations -App-V clients send reporting data to the reporting server. The reporting server then records the information in the Microsoft SQL Server database and returns a successful notification back to the computer running App-V client. For more information about the App-V Reporting Server's supported configurations see [App-V supported configurations](appv-supported-configurations.md). +App-V clients send reporting data to the reporting server. The reporting server then records the information in the Microsoft SQL Server database and returns a successful notification back to the computer running App-V client. For more information about the App-V Reporting Server's supported configurations, see [App-V supported configurations](appv-supported-configurations.md). >[!NOTE] >Round-trip response time is the time taken by the computer running the App-V client to send the reporting information to the reporting server and receive a successful notification from the reporting server. 
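Review bot: the + line still reads "returns a successful notification back to the computer running App-V client"; add the article ("the computer running the App-V client") so it matches the wording of the note immediately after it.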
@@ -111,7 +111,7 @@ App-V clients send reporting data to the reporting server. The reporting server |Scenario|Summary| |---|---| |Multiple App-V clients send reporting information to the reporting server simultaneously.|Round-trip response time from the reporting server is 2.6 seconds for 500 clients. Round-trip response time from the reporting server is 5.65 seconds for 1000 clients. Round-trip response time increases linearly depending on number of clients.| -|Requests per second processed by the reporting server.|A single reporting server and a single database, can process a maximum of 139 requests per second. The average is 121 requests/second. Using two reporting servers reporting to the same Microsoft SQL Server database, the average requests/second, like a single reporting server, is about 127, with a max of 278 requests/second. A single reporting server can process 500 concurrent/active connections. A single reporting server can process a maximum 1,500 concurrent connections.| +|Requests per second processed by the reporting server.|A single reporting server and a single database can process a maximum of 139 requests per second. The average is 121 requests/second. With the help of two reporting servers that report to the same Microsoft SQL Server database, the average requests/second, like a single reporting server, is about 127, with a max of 278 requests/second. A single reporting server can process 500 concurrent/active connections. A single reporting server can process a maximum 1,500 concurrent connections.| |Reporting database.|Lock contention on the computer running Microsoft SQL Server is the limiting factor for requests/second. Throughput and response time are independent of database size.| ### Calculating random delay 
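Review bot: the numbers in the "Requests per second" + line contradict each other: a single reporting server is said to average 121 requests/second, yet two servers are then described as averaging "like a single reporting server, is about 127". Either the single-server average or the comparison is wrong; confirm against the source measurements before merging a wording-only change over them. Separately, "With the help of two reporting servers that report to the same Microsoft SQL Server database" reads as though the servers are assisting something; "With two reporting servers reporting to the same Microsoft SQL Server database" keeps the original meaning.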
@@ -136,7 +136,7 @@ Computers running the App-V client connect to the App-V publishing server to sen |---|---| |Multiple App-V clients connect to a single publishing server simultaneously.|A publishing server running dual core processors can respond to at most 5000 clients requesting a refresh simultaneously. For 5,000–10,000 clients, the publishing server requires a minimum quad core. For 10,000–20,000 clients, the publishing server should have dual quad cores for more efficient response times. A publishing server with a quad core can refresh up to 10,000 packages within three seconds. (Supports 10,000 simultaneous clients.)| |Number of packages in each refresh.|Increasing number of packages will increase response time by about 40% (up to 1,000 packages).| -|Network between the App-V client and the publishing server.|Across a slow network (1.5 Mbps bandwidth), there is a 97% increase in response time compared to LAN (up to 1,000 users).| +|Network between the App-V client and the publishing server.|Across a slow network (1.5-Mbps bandwidth), there's a 97% increase in response time compared to LAN (up to 1,000 users).| >[!NOTE] >The publishing server CPU usage is always high during the time interval when it must process simultaneous requests (>90% in most cases). The publishing server can handle about 1,500 client requests in one second. @@ -145,7 +145,7 @@ Computers running the App-V client connect to the App-V publishing server to sen |---|---|---|---|---|---|---|---| |App-V client sends publishing refresh request and receives response, each request containing 120 packages|Number of clients|100
              1,000
              5,000
              10,000|120
              120
              120
              120|Dual Core
              Dual Core
              Quad Core
              Quad Core|LAN|1
              2
              2
              3|100
              99
              89
              77| |Multiple packages in each refresh.|Number of packages|1,000
              1,000|500
              1,000|Quad Core|LAN|2
              3|92
              91| -|Network between client and publishing server.|1.5 Mbps Slow link network|100
              500
              1,000|120
              120
              120|Quad Core|1.5 Mbps intra-continental network|3
              10 (0.2% failure rate)
              7 (1% failure rate)|| +|Network between client and publishing server.|1.5 Mbps Slow link network|100
              500
              1,000|120
              120
              120|Quad Core|1.5-Mbps intra-continental network|3
              10 (0.2% failure rate)
              7 (1% failure rate)|| ## App-V streaming capacity planning recommendations @@ -159,9 +159,9 @@ Computers running the App-V client stream the virtual application package from t |Scenario|Summary| |---|---| -|Multiple App-V clients stream applications from a single streaming server simultaneously.|If the number of clients simultaneously streaming from the same server increases, there is a linear relationship with the package download/streaming time.| +|Multiple App-V clients stream applications from a single streaming server simultaneously.|If the number of clients simultaneously streaming from the same server increases, there's a linear relationship with the package download/streaming time.| |Size of the package being streamed.|The package size has a significant impact on the streaming/download time only for larger packages with a size of about 1 GB. For package sizes ranging from 3 MB to 100 MB, the streaming time ranges from 20 seconds to 100 seconds, with 100 simultaneous clients.| -|Network between the App-V client and the streaming server.|Across a slow network (1.5 Mbps bandwidth), there is a 70–80% increase in response time compared to LAN (up to 100 users).| +|Network between the App-V client and the streaming server.|Across a slow network (1.5-Mbps bandwidth), there's a 70–80% increase in response time compared to LAN (up to 100 users).| The following table displays sample values for each of the factors in the previous list: @@ -169,22 +169,22 @@ The following table displays sample values for each of the factors in the previo |---|---|---|---|---|---| |Multiple App-V clients streaming virtual application packages from a streaming server.|Number of clients.|100
              200
              1,000
              100
              200
              1,000|3.5 MB
              3.5 MB
              3.5 MB
              5 MB
              5 MB
              5 MB|LAN|29
              39
              391
              35
              68
              461| |Size of each package being streamed.|Size of each package.|100
              200
              100
              200|21 MB
              21 MB
              109 MB
              109 MB|LAN|33
              83
              100
              160| -|Network connection between client and App-V streaming server.|1.5 Mbps Slow link network.|100
              100|3.5 MB
              5 MB|1.5 Mbps intra-continental network|102
              121| +|Network connection between client and App-V streaming server.|1.5 Mbps Slow link network.|100
              100|3.5 MB
              5 MB|1.5-Mbps intra-continental network|102
              121| Each App-V streaming server should be able to handle a minimum of 200 clients concurrently streaming virtualized applications. >[!NOTE] >The actual time to it will take to stream is determined primarily by the number of clients streaming simultaneously, number of packages, package size, the server’s network activity, and network conditions. -For example, an average user can stream a 100 MB package in less than 2 minutes, when 100 simultaneous clients are streaming from the server. However, a package of size 1 GB could take up to 30 minutes. In most real-world environments, streaming demand is not uniformly distributed, you will need to understand the approximate peak streaming requirements present in your environment to properly size the number of required streaming servers. +For example, an average user can stream a 100-MB package in less than 2 minutes, when 100 simultaneous clients are streaming from the server. However, a package of size 1 GB could take up to 30 minutes. In most real-world environments, streaming demand isn't uniformly distributed, you'll need to understand the approximate peak streaming requirements present in your environment to properly size the number of required streaming servers. -The number of clients a streaming server can support can be significantly increased and the peak streaming requirements reduced if you pre-cache your applications. You can also increase the number of clients a streaming server can support by using on-demand streaming delivery and stream optimized packages. +The number of clients a streaming server can support can be increased and the peak streaming requirements reduced if you pre-cache your applications. You can also increase the number of clients a streaming server can support by using on-demand streaming delivery and stream optimized packages. 
## Combining App-V server roles -Discounting scaling and fault-tolerance requirements, the minimum number of servers that a location with Active Directory connectivity needs to function is one. This server will host the management server, management server service, and Microsoft SQL Server roles. This means that you can arrange server roles in any combination you like, as they don't conflict with one another. +Discounting scaling and fault-tolerance requirements, the minimum number of servers that a location with Active Directory connectivity needs to function is 1. This server will host the management server, management server service, and Microsoft SQL Server roles. This coverage means that you can arrange server roles in any combination you like, as they don't conflict with one another. -Ignoring scaling requirements, the minimum number of servers that a fault-tolerant implementation needs to function is four. The management server and Microsoft SQL Server roles support placement in fault-tolerant configurations. The management server service can be combined with any of the roles, but remains a single point of failure. +Notwithstanding scaling requirements, the minimum number of servers that a fault-tolerant implementation needs to function is four. The management server and Microsoft SQL Server roles support placement in fault-tolerant configurations. The management server service can be combined with any of the roles, but remains a single point of failure. Although there are many fault-tolerance strategies and technologies you can use, not all are applicable to a given service. Additionally, if App-V roles are combined, the resulting incompatibilities could cause certain fault-tolerance options to stop working. diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index 46288270d4..25ab412507 100644 
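Review bot: the hyphenation change in the @@ -145 hunk is applied inconsistently within the single row it touches: the variation cell keeps "1.5 Mbps Slow link network" while the network cell becomes "1.5-Mbps intra-continental network". Both are compound modifiers, so hyphenate both ("1.5-Mbps slow link network") or neither; the same pair of cells appears in the streaming table inside the @@ -169 hunk and should be handled the same way.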
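Review bot: several + lines in the @@ -169 hunk change meaning rather than style. "the minimum number of servers ... is 1" now sits next to "the minimum number of servers ... is four" in the following paragraph; keep "one" for consistency. "Notwithstanding scaling requirements" means "despite", while the original "Ignoring scaling requirements" (like "Discounting" in the paragraph before it) means "setting aside"; keep "Ignoring" or use "Setting aside". "This coverage means" introduces a noun nothing refers to; "This means" or "This arrangement means" is clearer. Dropping "significantly" from "can be significantly increased" weakens a stated claim about pre-caching; if that is intended, say so in the PR description. "streaming demand isn't uniformly distributed, you'll need to understand" is still a comma splice; join the clauses with "so" or a semicolon. The unchanged note above it also reads "The actual time to it will take to stream", which should be "The actual time it will take to stream".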
--- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -16,7 +16,7 @@ ms.topic: article [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). +The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. Understanding how the register's format for data works can help you better understand the client, as you can configure many client actions by changing registry entries. This topic lists the App-V client configuration settings and explains their uses. You can use Windows PowerShell to modify the client configuration settings. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). You can use Group Policy to configure App-V client settings by navigating to the **Group Policy management console** at **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. @@ -35,7 +35,7 @@ The following table provides information about App-V client configuration settin | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-LocationProvider**
              String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-CertFilterForClientSsl**
              String | Specifies the path to a valid certificate in the certificate store. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-VerifyCertificateRevocationList**
              True (enabled); False (Disabled state) | Verifies Server certificate revocation status before streaming with HTTPS. | 0 | -| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-SharedContentStoreMode**
              True (enabled); False (Disabled state) | Specifies that streamed package contents will be not be saved to the local hard disk. | 0 | +| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-SharedContentStoreMode**
              True (enabled); False (Disabled state) | Specifies that streamed package contents will not be saved to the local hard disk. | 0 | | Set-AppvPublishingServer

              **-Name**
              String | Displays the name of publishing server. | Policy value not written (same as Not Configured) | | Set-AppvPublishingServer

              **-URL**
              String | Displays the URL of publishing server. | Policy value not written (same as Not Configured) | | Set-AppvPublishingServer

              **-GlobalRefreshEnabled**
              True (enabled); False (Disabled state) | Enables global publishing refresh (Boolean) | False | @@ -46,20 +46,20 @@ The following table provides information about App-V client configuration settin | Set-AppvPublishingServer

              **-UserRefreshOnLogon**
              True (enabled); False (Disabled state) | Triggers a user publishing refresh on sign in. (Boolean) Word count (with spaces): 60 | False | | Set-AppvPublishingServer

              **-UserRefreshInterval**
              Word count (with spaces): 85
              Integer (0–744 Hours) | Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. | 0 | | Set-AppvPublishingServer

              **-UserRefreshIntervalUnit**
              0 for hour, 1 for day | Specifies the interval unit (Hour 0–23, Day 0–31). | 1 | -| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-MigrationMode**
              True (enabled state); False (Disabled state) | Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created by a previous version of App-V. | | +| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-MigrationMode**
              True (enabled state); False (Disabled state) | Migration mode allows the App-V client to modify shortcuts and FTAs for packages created by a previous version of App-V. | | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-EnablePackageScripts**
              True (enabled); False (Disabled state) | Enables scripts defined in the package manifest of configuration files that should run. | | -| Set-AppvClientConfiguration

              **-RoamingFileExclusions**
              String | Specifies the file paths relative to %userprofile% that do not roam with a user's profile. For example, ```/ROAMINGFILEEXCLUSIONS='desktop;my pictures'``` | | -| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-RoamingRegistryExclusions**
              String | Specifies the registry paths that do not roam with a user profile. For example, ```/ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients``` | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-IntegrationRootUser**
              String | Specifies the location to create symbolic links associated with the current version of a per-user published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links will not be used when you publish the package. For example, ```%localappdata%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-IntegrationRootGlobal**
              String | Specifies the location to create symbolic links associated with the current version of a globally published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links will not be used when you publish the package. For example, ```%allusersprofile%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration

              **-RoamingFileExclusions**
              String | Specifies the file paths relative to %userprofile% that don't roam with a user's profile. For example, ```/ROAMINGFILEEXCLUSIONS='desktop;my pictures'``` | | +| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-RoamingRegistryExclusions**
              String | Specifies the registry paths that don't roam with a user profile. For example, ```/ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients``` | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-IntegrationRootUser**
              String | Specifies the location to create symbolic links associated with the current version of a per-user published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links won't be used when you publish the package. For example, ```%localappdata%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-IntegrationRootGlobal**
              String | Specifies the location to create symbolic links associated with the current version of a globally published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links won't be used when you publish the package. For example, ```%allusersprofile%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-VirtualizableExtensions**
              String | A comma-delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment. When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application associated with the extension point is locally installed. If the extension is located, the **RunVirtual** command-line parameter will be added, and the application will run virtually. For more information about the **RunVirtual** parameter, see [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md). | Policy value not written | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-ReportingEnabled**
              True (enabled); False (Disabled state) | Returns information to a reporting server. | False | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-ReportingServerURL**
              String | Specifies the location on the reporting server where client information is saved. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-ReportingDataCacheLimit**
              Integer \[0–1024\] | Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-ReportingDataBlockSize**
              Integer \[1024 - Unlimited\] | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-ReportingDataBlockSize**
              Integer \[1024 - Unlimited\] | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This limit can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-ReportingStartTime**
              Integer (0–23) | Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0–23 corresponding to the hour of the day. By default the **ReportingStartTime** will start on the current day at 10 P.M.or 22.
              **Note** You should configure this setting to a time when computers running the App-V client are least likely to be offline. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-ReportingInterval**
              Integer | Specifies the retry interval that the client will use to resend data to the reporting server. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-ReportingRandomDelay**
              Integer \[0 - ReportingRandomDelay\] | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This can help to prevent collisions on the server. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-ReportingRandomDelay**
              Integer \[0 - ReportingRandomDelay\] | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This method can help to prevent collisions on the server. | Policy value not written (same as Not Configured) | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              -EnableDynamicVirtualization
              1 (Enabled), 0 (Disabled) | Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. | | | Set-AppvClientConfiguration,
              Set-AppvPublishingServer

              **-EnablePublishingRefreshUI**
              1 (Enabled), 0 (Disabled) | Enables the publishing refresh progress bar for the computer running the App-V Client. | | | Sync-AppvPublishingServer

              **-HidePublishingRefreshUI**
              1 (Enabled), 0 (Disabled) | Hides the publishing refresh progress bar. | | diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index 7abccf3fec..1329a1cb1a 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -18,9 +18,9 @@ ms.topic: article ## How package priority is determined -The virtual environment and its current state are associated with the connection group, not with the individual packages. If you remove an App-V package from the connection group, the state that existed as part of the connection group will not migrate with the package. +The virtual environment and its current state are associated with the connection group, not with the individual packages. If you remove an App-V package from the connection group, the state that existed as part of the connection group won't migrate with the package. -If the same package is a part of two different connection groups, you have to indicate which connection group App-V should use. For example, you might have two packages in a connection group that each define the same registry DWORD value. +If the same package is a part of two different connection groups, you have to indicate which connection group App-V should use. For example, you might have two packages in a connection group wherein each defines the same registry DWORD value. The connection group that is used is based on the order in which a package appears inside the **AppConnectionGroup** XML document: 
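Review bot: the + line of the @@ -16 hunk carries over "Understanding how the register's format for data works"; the text is about the registry, not a register, so while the line is being edited change it to "how the registry's data format works".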
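Review bot: two unchanged rows inside the @@ -46 hunk contain editing leftovers that should be removed in the same change: the UserRefreshOnLogon row reads "Triggers a user publishing refresh on sign in. (Boolean) Word count (with spaces): 60", and the UserRefreshInterval row has "Word count (with spaces): 85" in its parameter cell. In the same hunk the ReportingStartTime row has "10 P.M.or 22" (missing space), and "-EnableDynamicVirtualization" is the only parameter name in the table that is not bold. The wording changes themselves ("FTAs", "don't roam", "won't be used") are fine.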
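Review bot: "two packages in a connection group wherein each defines the same registry DWORD value" in the + line of the @@ -18 hunk is stilted; the original "two packages in a connection group that each define the same registry DWORD value", or "where each defines", reads more naturally. The "won't migrate" change in the first + line is fine.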
@@ -48,12 +48,12 @@ Consider the following example section: Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package. -For this example, the DWORD value definition would be the following: +For this example, the DWORD value definition would be as shown below: - Package 1 (A8731008-4523-4713-83A4-CD1363907160): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5 - Package 3 (04220DCA-EE77-42BE-A9F5-96FD8E8593F2): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=10 -Since Package 1 appears first, the AppConnectionGroup's virtual environment will have the single DWORD value of 5 (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5). This means that the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5 when they query for HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region. +Since Package 1 appears first, the AppConnectionGroup's virtual environment will have the single DWORD value of 5 (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5). This result means that the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5 when they query for HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region. Other virtual environment resources are resolved in a similar way, but usually collisions occur in the registry. 
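Review bot: replacing "would be the following:" with "would be as shown below:" is a step backwards; "below" is a positional reference that does not survive screen readers or reflowed layouts, and "the following" is the standard way to introduce a list. Likewise "This result means that the virtual applications ..." adds a noun with no antecedent; "This means" or "As a result, the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5" is clearer.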
@@ -72,7 +72,7 @@ The following example shows the order and relationship of a file name lookup in |C:\Windows\System32|C:\Windows\System32| |C:\AppTest|C:\AppTest| -When a virtualized application tries to find a specific file, App-V will first for a matching file path in Package A. If it doesn't find a matching path in Package A, it will then search Package B using the following mapping rules: +When a virtualized application tries to find a specific file, App-V will search for a matching file path in Package A. If it doesn't find a matching path in Package A, it will then search Package B using the following mapping rules: - If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, App-V will use the first matching file. - If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, App-V will use the first matching file. diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 07b82ff103..9f0ed57692 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md 
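Review bot: dropping "first" in the + line loses the ordering that the rest of the sentence depends on ("If it doesn't find a matching path in Package A, it will then search Package B"). The missing verb is the right thing to fix, but keep the adverb: "App-V will first search for a matching file path in Package A."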
@@ -38,7 +38,7 @@ The App-V package converter will save the App-V 4.6 installation root folder and 2. You can enter the following cmdlets to check or convert packages: - - **Test-AppvLegacyPackage**—This cmdlet checks packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in-depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, enter the following cmdlet: + - **Test-AppvLegacyPackage**—This cmdlet checks packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet won't parse the **.sft** file or do any in-depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, enter the following cmdlet: ```PowerShell Test-AppvLegacyPackage -? 
@@ -50,9 +50,9 @@ The App-V package converter will save the App-V 4.6 installation root folder and ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages ``` - In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows client virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. + In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows client virtual application package file will be saved. By default, if you don't specify a new name, the old package name will be used. - Additionally, the package converter optimizes performance of packages in App-V for Windows client by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + Additionally, the package converter optimizes performance of packages in App-V for Windows client by setting the package to stream fault the App-V package.  This definition of setting is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. > [!NOTE] > Before you specify the output directory, you must create the output directory. 
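Review bot: "This definition of setting is more performant than the primary feature block" in the + line is harder to follow than the sentence it replaces. The thing being compared is stream faulting, so name it: "Stream faulting is more performant than downloading the primary feature block and fully downloading the package." Both the - and + lines also contain a non-breaking space before "This"; replace it with a normal space.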
@@ -71,9 +71,9 @@ The App-V package converter will save the App-V 4.6 installation root folder and dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages ``` - This piped example command tests packages, then passes the objects on for conversion. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V client. + This piped example command tests packages, then passes the objects on for conversion. You can also apply a filter on packages without errors or only specify a directory that contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V client. -- Batching—The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the *-Source* parameter that represents a list of directory paths. This allows you to enter the following cmdlets together: +- Batching—The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the *-Source* parameter that represents a list of directory paths. This feature allows you to enter the following cmdlets together: ```PowerShell $packages = dir C:\contentStore diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 74d2dbc8fb..4a69807fe8 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md 
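Review bot: the unchanged example command in the @@ -71,9 hunk pipes into `ConvertFrom-AppvLegacyAppvPackage`, while the @@ -50,9 hunk documents the same cmdlet as `ConvertFrom-AppvLegacyPackage`; since this hunk already edits the prose around the example, the command should use the name the section introduces so that readers pasting it don't get an unrecognized-cmdlet error. The same applies to the later `$packages = dir C:\contentStore` batching example if it calls the converter by the longer name.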
@@ -22,17 +22,17 @@ App-V Package Accelerators automatically sequence large, complex applications. A 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to install the sequencer](appv-install-the-sequencer.md). 2. To open a Windows PowerShell console, select **Start** and enter **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. -3. Make sure that you have the .appv package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. +3. Ensure there's the App-V package to create an accelerator from the installation media or installation files. You can also optionally use a readme file for the accelerator's users to reference. 4. Enter the **New-AppvPackageAccelerator** cmdlet. The following parameters are required to use the package accelerator cmdlet: - *InstalledFilesPath* specifies the application installation path. - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the .appv package. + - *InputPackagePath* specifies the path to the App-V package. - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: + The following example cmdlet shows how you can create a package accelerator with the App-V package and the installation media: ```PowerShell New-AppvPackageAccelerator -InputPackagePath -Installer -Path @@ -46,6 +46,6 @@ App-V Package Accelerators automatically sequence large, complex applications. A -## Related topics +## Related articles - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) 
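Review bot: "Ensure there's the App-V package to create an accelerator from the installation media or installation files" in step 3 of the @@ -22,17 hunk is ungrammatical and drops the `.appv` extension that the *InputPackagePath* bullet below depends on; suggest "Make sure that you have the .appv package the accelerator will be created from, plus the installation media or installation files." Changing "*InputPackagePath* specifies the path to the .appv package" to "the App-V package" loses the same detail: the parameter takes the path to a .appv file, and "App-V package" could be read as the installer or the accelerator itself. The unchanged example `New-AppvPackageAccelerator -InputPackagePath -Installer -Path` also shows the parameters without values; placeholders such as `<path>` after each would make it clearer that arguments are expected.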
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index 6b94caf636..c424df0536 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -51,7 +51,7 @@ Use the following procedure to create a package accelerator. 5. If the application is already installed on the computer running the sequencer, then select **Files installed on local system** to specify the installation file. To use this option, the application must already be installed in the default installation location. -6. On the **Gathering Information** page, review the files that you couldn't find in the location specified by the **Installation Files** page. If the files displayed are not required, select **Remove these files**, then select **Next**. If the files are required, select **Previous** and copy the required files to the directory specified on the **Installation Files** page. +6. On the **Gathering Information** page, review the files that you couldn't find in the location specified by the **Installation Files** page. If the files displayed aren't required, select **Remove these files**, then select **Next**. If the files are required, select **Previous** and copy the required files to the directory specified on the **Installation Files** page. > [!NOTE] >You must either remove the unrequired files or select **Previous** and locate the required files to advance to the next page of this wizard. 
@@ -60,7 +60,7 @@ Use the following procedure to create a package accelerator. 8. Confirm that the **Verify Applications** page displays all installation files required to build the package. The package accelerator requires all installation files displayed in the **Applications** pane in order to create the package. - If you need to add additional Installer files, select **Add**. To remove unnecessary installation files, select the **Installer file**, then select **Delete**. To edit the properties associated with an installer, select **Edit**. The package accelerator requires the installation files specified in this step to create a new virtual application package. After you have confirmed the information displayed, select **Next**. + If you need to add more Installer files, select **Add**. To remove unnecessary installation files, select the **Installer file**, then select **Delete**. To edit the properties associated with an installer, select **Edit**. The package accelerator requires the installation files specified in this step to create a new virtual application package. After you've confirmed the information displayed, select **Next**. 9. On the **Select Guidance** page, select **Browse** to specify the file that will provide the package accelerator with application instructions. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for successful package accelerator application. The file you select must be in rich text (.rtf) or text file (.txt) format. After specifying the file, select **Next**. diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 87b4fa1a5c..b4a7f6d068 100644 
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -16,7 +16,7 @@ ms.topic: article [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. +After you've properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx). 
@@ -42,7 +42,7 @@ When you use the sequencer to create a new virtual application, the following li - **.msi file**. This Windows Installer (.msi) file is created by the sequencer and is used to install the virtual package on target computers. - **Report.xml file**. In this file, the sequencer saves all issues, warnings, and errors that were discovered during sequencing. It displays the information after the package has been created. You can us this report for diagnosing and troubleshooting. -- **.appv file**. This is the virtual application file. +- **.appv file**. This file is the virtual application file. - **Deployment configuration file**. The deployment configuration file determines how the virtual application will be deployed to target computers. - **User configuration file**. The user configuration file determines how the virtual application will run on target computers. 
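Review bot: the new wording "**.appv file**. This file is the virtual application file." in the @@ -42,7 hunk is circular (the file is the file); "This is the virtual application package itself, the file the client loads" carries the meaning the original was aiming at. The unchanged Report.xml item two rows above has a typo, "You can us this report", that can be corrected in the same hunk.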
@@ -57,7 +57,7 @@ The **Options** dialog box in the sequencer console contains the following tabs: >Package Accelerators created using App-V 4.6 are not supported by App-V. - **Parse Items**. This tab displays the associated file path locations that will be parsed or tokenized into in the virtual environment. Tokens are useful for adding files using the **Package Files** tab in **Advanced Editing**. -- **Exclusion Items**. Use this tab to specify which folders and directories should not be monitored during sequencing. To add local application data that is saved in the Local App Data folder in the package, click **New** and specify the location and the associated **Mapping Type**. This option is required for some packages. +- **Exclusion Items**. Use this tab to specify which folders and directories shouldn't be monitored during sequencing. To add local application data that is saved in the Local App Data folder in the package, click **New** and specify the location and the associated **Mapping Type**. This option is required for some packages. App-V supports applications that include Microsoft Windows Services. If an application includes a Windows service, the service will be included in the sequenced virtual package as long as it's installed while being monitored by the sequencer. If a virtual application creates a Windows service when it initially runs, then after installation, the application must be run while the sequencer is monitoring for the Windows Service to be included in the package. Only services running under the Local System account are supported. Services configured for AutoStart or Delayed AutoStart are started before the first virtual application in a package runs inside the package’s Virtual Environment. Windows Services that are configured to be started on demand by an application are started when the virtual application inside the package starts the Service via API call. 
@@ -73,7 +73,7 @@ Shell extensions are automatically embedded in the package during the sequencing ### Requirements for using shell extensions -- Packages that contain embedded shell extensions must be published globally. The application requires no additional setup or configuration on the client to enable the shell extension functionality. +- Packages that contain embedded shell extensions must be published globally. The application requires no extra setup or configuration on the client to enable the shell extension functionality. - The “bitness” of the application, Sequencer, and App-V client must match, or the shell extensions won’t work. For example: - The version of the application is 64-bit. - The Sequencer is running on a 64-bit computer. @@ -86,7 +86,7 @@ The following table lists the supported shell extensions: |Context menu handler|Adds menu items to the context menu. It's called before the context menu is displayed.| |Drag-and-drop handler|Controls the action where right-click, drag and drop, and modifies the context menu that appears.| |Drop target handler|Controls the action after a data object is dragged and dropped over a drop target such as a file.| -|Data object handler|Controls the action after a file is copied to the clipboard or dragged and dropped over a drop target. It can provide additional clipboard formats to the drop target.| +|Data object handler|Controls the action after a file is copied to the clipboard or dragged and dropped over a drop target. It can provide more clipboard formats to the drop target.| |Property sheet handler|Replaces or adds pages to the property sheet dialog box of an object.| |Infotip handler|Allows retrieving flags and infotip information for an item and displaying it inside a pop-up tooltip upon mouse hover.| |Column handler|Allows creating and displaying custom columns in **Windows Explorer Details view**. It can be used to extend sorting and grouping.| 
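Review bot: the @@ -86,7 hunk only touches the Data object handler row, but the Drag-and-drop handler row two lines above it is ungrammatical ("Controls the action where right-click, drag and drop, and modifies the context menu that appears"); since the table is already open for edits, "Controls the action taken when an item is dragged with the right mouse button and dropped, and modifies the context menu that appears" would fix it.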
@@ -94,9 +94,9 @@ The following table lists the supported shell extensions: ## Copy on Write (CoW) file extension support -Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used. +Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it's being used. -The following list shows the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but which cannot be updated on the computer running the App-V client. All other files and directories can be modified. +The following list shows the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but which can't be updated on the computer running the App-V client. All other files and directories can be modified. - .com - .exe 
@@ -105,13 +105,13 @@ The following list shows the file types that can exist in a virtual package unde ## Modifying an existing virtual application package -You can use the sequencer to modify an existing package. The computer on which you do this should match the chip architecture of the computer you used to create the application. For example, if you initially sequenced a package using a computer running a 64-bit operating system, you should modify the package using a computer running a 64-bit operating system. +You can use the sequencer to modify an existing package. The computer on which you do this modification should match the chip architecture of the computer you used to create the application. For example, if you initially sequenced a package using a computer running a 64-bit operating system, you should modify the package using a computer running a 64-bit operating system. For more information, see [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md). ## Creating a project template -An App-V project template (.appvt) file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: +An App-V project template (.appvt) file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. 
App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you can't use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: A template can specify and store multiple settings as follows: 
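Review bot: splitting the project-template paragraph in the @@ -105,13 hunk leaves two lead-in sentences back to back: the new second paragraph ends with "The following general settings are saved with an App-V project template:" and the unchanged next line is "A template can specify and store multiple settings as follows:". Keep one of them. In the same hunk, "The computer on which you do this modification should match the chip architecture" is stiffer than the original; "The computer you use to modify the package should match the chip architecture of the one you used to create it" reads better.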
@@ -131,11 +131,11 @@ For more information, see [How to Create and Use a Project Template](appv-create >[!NOTE] >Package accelerators created using a previous version of App-V must be recreated using App-V. -You can use App-V package accelerators to automatically generate a new virtual application packages. After you have successfully created a package accelerator, you can reuse and share the package accelerator. +You can use App-V package accelerators to automatically generate a new virtual application package. After you've successfully created a package accelerator, you can reuse and share the package accelerator. In some situations, to create the package accelerator, you might have to install the application locally on the computer that runs the sequencer. In such cases, you should first try to create the package accelerator with the installation media. If multiple missing files are required, you should install the application locally to the computer that runs the sequencer, and then create the package accelerator. -After you have successfully created a Package Accelerator, you can reuse and share the Package Accelerator. Creating App-V Package Accelerators is an advanced task. Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied. +After you've successfully created a Package Accelerator, you can reuse and share the Package Accelerator. Creating App-V Package Accelerators is an advanced task. Package Accelerators can contain password and user-specific information. 
Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied. For more information, see the following articles: diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 7282d390f2..d15ea0bd7c 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -59,7 +59,7 @@ Complete the following steps to create an Office 2013 package for App-V or later ### Review prerequisites for using the Office Deployment Tool -Before you start, make sure that the computer on which you are installing the Office Deployment Tool has the following: +Before you start, ensure that the computer on which you're installing the Office Deployment Tool has the following prerequisites fulfilled: |Prerequisite|Description| |---|---| @@ -95,7 +95,7 @@ The XML file included in the Office Deployment Tool specifies the product detail 1. Open the sample XML file in Notepad or your favorite text editor. - 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following is a basic example of the configuration.xml file: + 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following example denotes a configuration.xml file: ```XML 
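Review bot: the @@ -131,11 hunk now states "After you've successfully created a package accelerator, you can reuse and share the package accelerator." twice, once in the first changed paragraph and again at the top of the split paragraph that follows; since both lines are being rewritten, drop one copy. The sentence that matters for security, that accelerators can contain passwords and user-specific data and therefore must be stored securely and digitally signed so the publisher can be verified, is kept intact, which is good; "Therefore you must save" wants a comma after "Therefore".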
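Review bot: "ensure that the computer on which you're installing the Office Deployment Tool has the following prerequisites fulfilled:" in the @@ -59,7 hunk is an awkward construction; "meets the following prerequisites:" is the usual phrasing and reads naturally before the table.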
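Review bot: "The following example denotes a configuration.xml file:" in the @@ -95,7 hunk uses "denotes" where "shows" is meant, and it drops "basic", which told the reader the sample is minimal; suggest "The following is a basic example of a configuration.xml file:" or "The following example shows a basic configuration.xml file:".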
@@ -113,30 +113,30 @@ The XML file included in the Office Deployment Tool specifies the product detail > [!NOTE] >The configuration XML is a sample XML file. This file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. - The previous example of an XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications by specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic. + The previous example of an XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. The Product ID of the applications won't affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications by specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic. - After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. -2. 
**Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2013 applications that will later be converted into an App-V package. The following is an example command: + After editing the configuration.xml file to specify the desired product, languages, and also the location that the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2013 applications that will later be converted into an App-V package. An example command is: ```PowerShell \\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml ``` - The following is a table that describes each element of the command: + The following table describes each element of the command: |Element|Description| |---|---| - |```\\server\Office2013```|This is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, **Customconfig.xml**.| - |```setup.exe```|This is the Office Deployment Tool.| - |```/download```|This downloads the Office 2013 applications that you specify in the **Customconfig.xml** file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.| - |```\\server\Office2013\Customconfig.xml```|This passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. 
After using the download command, Office applications should be found in the location specified in the XML configuration file, which in this example is ```\\Server\Office2013```.| + |```\\server\Office2013```|This network share location is the one that contains the Office Deployment Tool and the custom Configuration.xml file, **Customconfig.xml**.| + |```setup.exe```|This element is the Office Deployment Tool.| + |```/download```|This element downloads the Office 2013 applications that you specify in the **Customconfig.xml** file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.| + |```\\server\Office2013\Customconfig.xml```|This element passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After the download command is used, Office applications should be found in the location specified in the XML configuration file, which in this example is ```\\Server\Office2013```.| #### Customizable attributes and elements of the XML file |Input and description|Example| |---|---| |Add element:
              Specifies the products and languages to include in the package.|N/A| -|OfficeClientEdition (attribute of Add element):
              Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if **OfficeClientEdition** is not set to a valid value.|```OfficeClientEdition="32"```
              ```OfficeClientEdition="64"```| +|OfficeClientEdition (attribute of Add element):
              Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if **OfficeClientEdition** isn't set to a valid value.|```OfficeClientEdition="32"```
              ```OfficeClientEdition="64"```| |Product element:
              Specifies the application. Project 2013 and Visio 2013 must be specified here as an added product to be included in the applications.|```Product ID="O365ProPlusRetail"```
              ```Product ID="VisioProRetail"```
              ```Product ID="ProjectProRetail"```
              ```Product ID="ProPlusVolume"```
              ```Product ID="ProjectProVolume"```| |Language element:
              Specifies the language supported in the applications.|```Language ID="en-us"```| |Version (attribute of Add element):
              Optional. Specifies a build to use for the package. Defaults to latest advertised build (as defined in v32.CAB at the Office source).|```15.1.2.3```| @@ -220,11 +220,11 @@ After you download the Office 2013 applications through the Office Deployment To |Element|Description| |---|---| - |```\\server\Office2013```|This is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is named **Customconfig.xml**.| - |```setup.exe```|This is the Office Deployment Tool.| - |```/packager```|This creates the Office 2013 App-V package with Volume Licensing as specified in the **Customconfig.xml** file.| - |```\\server\Office2013\Customconfig.xml```|This passes the configuration XML file, which in this example is named "Customconfig," that has been prepared for the packaging stage.| - |```\\server\share\Office2013AppV```|This specifies the location of the newly created Office App-V package.| + |```\\server\Office2013```|This network share location is the one that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is named **Customconfig.xml**.| + |```setup.exe```|This element is the Office Deployment Tool.| + |```/packager```|This element creates the Office 2013 App-V package with Volume Licensing as specified in the **Customconfig.xml** file.| + |```\\server\Office2013\Customconfig.xml```|This element passes the configuration XML file, which in this example is named "Customconfig," that has been prepared for the packaging stage.| + |```\\server\share\Office2013AppV```|This element specifies the location of the newly created Office App-V package.| After you run the **/packager** command, the following folders will appear in the directory where you specified the package should be saved: 
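Review bot: the table rewrites in the @@ -113,30 hunk ("This network share location is the one that contains ...", "This element is the Office Deployment Tool.", "This element passes the XML configuration file ...") replace a terse "This is" with longer, stilted phrasing and add nothing; cells in a description column read best without a subject, e.g. "Network share that contains the Office Deployment Tool and the custom Customconfig.xml", "The Office Deployment Tool", "Downloads the Office 2013 applications specified in Customconfig.xml". In the same hunk "After the download command is used" is a needless passive; "After you run the download command" matches the voice used elsewhere. Separately, the unchanged example `\\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml` is fenced as PowerShell while the sentence above says to use an elevated command prompt; either fence it as cmd or say PowerShell, so readers know which shell the example is meant for.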
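Review bot: in the @@ -220,11 hunk "This network share location is the one that contains" and "This element is the Office Deployment Tool." are wordier than the "This is" they replace without adding information; description-column cells read best without a subject ("Network share that contains the Office Deployment Tool and Customconfig.xml", "The Office Deployment Tool", "Creates the Office 2013 App-V package with Volume Licensing as specified in Customconfig.xml", "Location of the newly created Office App-V package").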
@@ -303,7 +303,7 @@ Use the steps in this section to enable Office plug-ins with your Office package ### Disabling Office 2013 applications -You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. +You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You don't have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you'll save the changes, add the Office 2013 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. >[!NOTE] >To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](/DeployOffice/configuration-options-for-the-office-2016-deployment-tool#excludeapp-element). 
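Review bot: both the removed and the added line in the @@ -303,7 hunk keep the typo "leave all other Office application main available"; since the line is being rewritten for contractions anyway, fix it to "leave all other Office applications available". "you'll save the changes, add the Office 2013 App-V package, then republish it" also reads as a prediction rather than an instruction; "save the changes, add the package, and then republish it with the new Deployment Configuration File" is clearer.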
@@ -371,7 +371,7 @@ You may want to disable shortcuts for certain Office applications instead of unp 3. Save the Deployment Configuration File. 4. Republish Office 2013 App-V Package with new Deployment Configuration File. -Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. +Many more settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. ### Managing Office 2013 package upgrades @@ -423,7 +423,7 @@ This section describes the requirements and options for deploying Visio 2013 and ### Additional resources for Connection Groups * [Managing Connection Groups](appv-managing-connection-groups.md) -* [Connection groups on the App-V team blog](https://blogs.msdn.microsoft.com/gladiator/tag/connection-groups/) +* [Connection groups on the App-V team blog](/archive/blogs/gladiator/app-v-5-more-on-connection-groups) ### Additional resources for Dynamic Configuration diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index b8a5d91571..f00ec718f9 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md 
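Review bot: the @@ -371,7 hunk changes "Many additional settings" to "Many more settings" but leaves "For additional information ... refer to the additional resources section" in the same sentence pair, so the edit is inconsistent within one line; either leave "additional" alone or change all three occurrences.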
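Review bot: the replacement URL in the @@ -423,7 hunk, `/archive/blogs/gladiator/app-v-5-more-on-connection-groups`, points to a single archived post, while the old `blogs.msdn.microsoft.com/gladiator/tag/connection-groups/` was the tag listing for all connection-group posts; the unchanged link text "Connection groups on the App-V team blog" still implies a collection, so either retitle the link with the post's name or say it is one article from the archived blog.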
@@ -55,11 +55,11 @@ The following table describes the recommended methods for excluding specific Off Complete the following steps to create an Office 2016 package for App-V. >[!IMPORTANT] ->In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. +>In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You can't use the Sequencer to create packages. ### Review prerequisites for using the Office Deployment Tool -The computer on which you are installing the Office Deployment Tool must have the following: +The computer on which you're installing the Office Deployment Tool must have the following: | Prerequisite | Description | |----------------------|--------------------| @@ -77,7 +77,7 @@ Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the ### Download the Office Deployment Tool -Office 2016 App-V packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation, follow these steps: +Office 2016 App-V packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package can't be created or modified through the App-V sequencer. To begin package creation, follow these steps: 1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). 
@@ -114,7 +114,7 @@ The XML file included in the Office Deployment Tool specifies the product detail > [!NOTE] >The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To uncomment these lines, remove the `````` from the end of the line. - The previous example of an XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016 location where Office applications will be saved. Note that the Product ID of the applications will not affect Office's final licensing. You can create Office 2016 App-V packages with various licensing from the same applications by specifying licensing in a later stage. The following table summarizes the XML file's customizable attributes and elements: + The previous example of an XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016 location where Office applications will be saved. The Product ID of the applications won't affect Office's final licensing. You can create Office 2016 App-V packages with various licensing from the same applications by specifying licensing in a later stage. The following table summarizes the XML file's customizable attributes and elements: | Input | Description | Example | |--------------|----------------------------|----------------| @@ -127,7 +127,7 @@ The XML file included in the Office Deployment Tool specifies the product detail | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
              The default is **Deferred** for Microsoft 365 Apps for enterprise and **Current** for Visio Pro for Office 365 and Project Desktop Client.
              For more information about update channels, see [Overview of update channels for Microsoft 365 Apps for enterprise](/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
              `Channel="Deferred"`
              `Channel="FirstReleaseDeferred"`
              `Channel="FirstReleaseCurrent"` | After editing the **configuration.xml** file to specify the desired product, languages, and the location where the Office 2016 applications will be saved to, you can save the configuration file under a name of your choice, such as "Customconfig.xml." -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. The following is an example command: +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. An example command is: `\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml` 
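Review bot: the `@@ -114,7` hunk rewrites the paragraph directly below a NOTE whose instruction cannot be followed as printed: "To uncomment these lines, remove the `````` from the end of the line." has an empty code span, so the characters to remove never appear. Since this paragraph is being edited anyway, fix the NOTE in the same change by putting the comment-closing delimiter inside that code span, and because an XML comment also has an opening delimiter, say what to remove from the start of the line as well.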
@@ -135,10 +135,10 @@ After editing the **configuration.xml** file to specify the desired product, lan | Element | Description | |-------------------------------|--------------------------------------| - | ```\\server\Office2016``` | This is the network share location that contains the Office Deployment Tool and the custom **Configuration.xml** file, which in this example is **Customconfig.xml**. | - | ``Setup.exe`` | This is the Office Deployment Tool. | + | ```\\server\Office2016``` | This network share location is the one that contains the Office Deployment Tool and the custom **Configuration.xml** file, which in this example is **Customconfig.xml**. | + | ``Setup.exe`` | This element is the Office Deployment Tool. | | ```/download``` | Downloads the Office 2016 applications that you specify in the **Customconfig.xml** file. | - | ```\\server\Office2016\Customconfig.xml```| This passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After using the download command, Office applications should be found in the location specified in the configuration file, which in this example is ```\\Server\Office2016```. | + | ```\\server\Office2016\Customconfig.xml```| This element passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After the download command is used, Office applications should be found in the location specified in the configuration file, which in this example is ```\\Server\Office2016```. | ### Convert the Office applications into an App-V package 
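Review bot: the two rewritten rows in the `@@ -135,10` hunk replace a clear "This is the network share location that contains ..." with the stilted "This network share location is the one that contains ..." and "This element is the Office Deployment Tool.", which reads as if `Setup.exe` were an XML element. Table cells do not need full sentences; prefer fragments such as "The network share that contains the Office Deployment Tool and the custom **Configuration.xml** file (here **Customconfig.xml**)." and "The Office Deployment Tool." Apply the same treatment to the `Customconfig.xml` row ("The XML configuration file that ...").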
@@ -194,7 +194,7 @@ After you download the Office 2016 applications through the Office Deployment To >Even if you use unique package IDs, you can still deploy only one App-V package to a single device. 2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. - The following is an example packager command: + An example packager command is: ```syntax \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV 
@@ -204,11 +204,11 @@ After you download the Office 2016 applications through the Office Deployment To | Element | Description | |-------------------------------|--------------------------------------| - |```\\server\Office2016```|This is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is Customconfig.xml.| - |```Setup.exe```|This is the Office Deployment Tool.| + |```\\server\Office2016```|This network share location is the one that contains the Office Deployment Tool and the custom Configuration.xml file, which in this example is Customconfig.xml.| + |```Setup.exe```|This element is the Office Deployment Tool.| |```/packager```|This command creates the Office 2016 App-V package with the license type specified in the Customconfig.xml file.| - |```\\server\Office2016\Customconfig.xml```|This passes the configuration XML file that has been prepared for the packaging stage. In this example, the file is Customconfig.xml.| - |```\\server\share\Office2016AppV```|This specifies the location of the newly created Office App-V package.| + |```\\server\Office2016\Customconfig.xml```|This element passes the configuration XML file that has been prepared for the packaging stage. In this example, the file is Customconfig.xml.| + |```\\server\share\Office2016AppV```|This element specifies the location of the newly created Office App-V package.| After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: 
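Review bot: the `@@ -204,11` hunk introduces the same awkward wording as the earlier download table ("This network share location is the one that contains ...", "This element is the Office Deployment Tool.", "This element passes ...", "This element specifies ..."); describe each part of the command with a fragment instead, for example "The network share that contains the Office Deployment Tool and the custom Configuration.xml file (here Customconfig.xml).", "The Office Deployment Tool.", "The configuration XML file prepared for the packaging stage." and "The location of the newly created Office App-V package." While touching this block, the context line right after the hunk still says "the following folders appear up in the directory"; "appear up" should be "appear".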
@@ -249,7 +249,7 @@ Run the following command to publish an Office package globally: Add-AppvClientPackage | Publish-AppvClientPackage -global ``` -* You can add permissions to a group of computers instead of just a user group through the Web Management Console on the App-V Server. This lets packages be published globally to the computers in the corresponding group. +* You can add permissions to a group of computers instead of just a user group through the Web Management Console on the App-V Server. This feature lets packages be published globally to the computers in the corresponding group. ## Customizing and managing Office App-V packages 
@@ -286,7 +286,7 @@ The following steps will tell you how to enable Office plug-ins with your Office ### Disabling Office 2016 applications -You can also disable specific applications in your Office App-V package. For example, if you don't want to use Access, you can disable Access while leaving all other Office applications available. When you disable an application, the user will no longer see its shortcut icon. You don't need to re-sequence the application to do this. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, just save the changes and add the Office 2016 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. +You can also disable specific applications in your Office App-V package. For example, if you don't want to use Access, you can disable Access while leaving all other Office applications available. When you disable an application, the user will no longer see its shortcut icon. You don't need to re-sequence the application to disable it. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, just save the changes and add the Office 2016 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. >[!NOTE] >To exclude specific Office applications when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. 
@@ -349,7 +349,7 @@ You may want to disable shortcuts for certain Office applications instead of unp 3. Save the Deployment Configuration File. 4. Republish the Office 2016 App-V Package with the new Deployment Configuration File. -Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. +Many more settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document. ### Managing Office 2016 package upgrades @@ -372,7 +372,7 @@ The following table describes the requirements and options for deploying Visio 2 | Task | Details | |---------------------|---------------| -| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.
              If you are not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. | +| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.
              If you're not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. | | How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:
              **To create two different packages and deploy each one to a different group of users**:
              Create and deploy the following packages:
              - A package that contains only Office—deploy to computers whose users need only Office.
              - A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.

              **To create only one package for the whole organization, or to create a package intended for users who share computers**:
              1. Create a package that contains Office, Visio, and Project.
              2. Deploy the package to all users.
              3. Use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project. | ## Related topics diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index f4a34b1bfc..0336c74412 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -16,7 +16,7 @@ ms.topic: article [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -The App-V Sequencer and client let administrators to virtualize and run virtual applications. +The App-V Sequencer and client let administrators virtualize and run virtual applications. ## Enable the client 
@@ -35,12 +35,12 @@ The App-V client stores its configuration in the registry. Understanding the for You can use Group Policy to configure the client settings for the App-V client and the Remote Desktop Services client. -To manage the ADMX template, perform the following steps on the computer that you will use to manage Group Policy. This is typically the Domain Controller. +To manage the ADMX template, perform the following steps on the computer that you'll use to manage Group Policy. This computer is typically the Domain Controller. 1. Save the **.admx** file to the following directory: ```Windows\PolicyDefinitions``` 2. Save the **.adml** file to the following directory: ```Windows\PolicyDefinitions\``` -After you have completed the preceding steps, you can use Group Policy to configure the client settings by using the Group Policy Management Console under **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. +After you've completed the preceding steps, you can use Group Policy to configure the client settings by using the Group Policy Management Console under **Computer Configuration** > **Administrative Templates** > **System** > **App-V**. ## Understanding Shared Content Store mode for App-V clients 
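Review bot: in the `@@ -35,12` hunk, step 2 still tells the reader to save the **.adml** file to ```Windows\PolicyDefinitions\```, which is the same directory as the **.admx** file in step 1 apart from a trailing backslash; that dangling separator suggests the language subfolder was lost. Since the surrounding paragraph is being reworded in this change, complete the path with the language-specific folder the .adml belongs in (for example `Windows\PolicyDefinitions\en-US`), otherwise the template's display strings will not be found by the Group Policy editor.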
@@ -49,16 +49,16 @@ App-V Shared Content Store (SCS) mode lets SCS App-V clients run virtualized app >[!IMPORTANT] >If the App-V client is configured to run in the SCS mode, the location where the App-V packages are streamed from must be available, otherwise, the virtualized package will fail. Additionally, we do not recommend deployment of virtualized applications to computers that run the App-V client in the SCS mode across the internet. -Additionally, the SCS is not a physical location that contains virtualized packages. It is a mode that allows the App-V client to stream the required virtualized package data across the network. +Additionally, the SCS isn't a physical location that contains virtualized packages. It's a mode that allows the App-V client to stream the required virtualized package data across the network. The SCS mode is helpful in the following scenarios: * Virtual desktop infrastructure (VDI) deployments * Remote Desktop Services deployments -To use SCS in your environment, you must configure the App-V client to run in SCS mode, as it does not use SCS mode by default. +To use SCS in your environment, you must configure the App-V client to run in SCS mode, as it doesn't use SCS mode by default. -There might be cases when the administrator pre-loads some virtual applications on the computer that runs the App-V client in SCS mode. This can be accomplished with Windows PowerShell commands to add, publish, and mount the package. For example, if a package is pre-loaded on all computers, the administrator could add, publish, and mount the package by using Windows PowerShell commands. The package would not stream across the network because it would be locally stored. +There might be cases when the administrator pre-loads some virtual applications on the computer that runs the App-V client in SCS mode. This pre-load operation can be rendered a successful one with Windows PowerShell commands to add, publish, and mount the package. 
For example, if a package is pre-loaded on all computers, the administrator could add, publish, and mount the package by using Windows PowerShell commands. The package wouldn't stream across the network because it would be locally stored. ### Configure the Group Policy setting for the SCS Mode for App-V clients @@ -77,7 +77,7 @@ Set-AppvClientConfiguration -SharedContentStoreMode 1 ## Deploy the Sequencer -The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a simple and predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications. +The Sequencer is a tool that is used to convert standard applications into virtual packages for deployment to computers that run the App-V client. The Sequencer helps provide a predictable conversion process with minimal changes to prior sequencing workflows. In addition, the Sequencer allows users to more easily configure applications to enable connections of virtualized applications. For a list of changes in the App-V Sequencer, see [What's new in App-V](appv-about-appv.md). diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 53ce9fbf85..43866694ff 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md 
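Review bot: the rewritten sentence in the `@@ -49,16` hunk, "This pre-load operation can be rendered a successful one with Windows PowerShell commands to add, publish, and mount the package.", is more convoluted than the original "This can be accomplished with ..." it replaces. Suggest "You can pre-load a package with Windows PowerShell commands that add, publish, and mount it.", which also avoids repeating "add, publish, and mount" in the example sentence that now follows as its own paragraph.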
@@ -18,16 +18,16 @@ ms.topic: article You can use dynamic configuration to customize an App-V package for a user. This article will tell you how to create or edit an existing dynamic configuration file. -When you edit the Dynamic Configuration file, it customizes how an App-V package will run for a user or group. This makes package customization more convenient by removing the need to resequence packages using the desired settings and provides a way to keep package content and custom settings independent. +When you edit the Dynamic Configuration file, it customizes how an App-V package will run for a user or group. Therefore, package customization is made more convenient by removing the need to resequence packages using the desired settings and provides a way to keep package content and custom settings independent. ## Advanced: dynamic configuration -Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no additional customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: +Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no further customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: - User Configuration file - Deployment Configuration file -These .xml files specify package settings let you customize packages without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. 
These automatically generated configuration files reflect the package's default settings that were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This provides you with a package-specific template to get started if any of the defaults must be changed. +These .xml files specify package settings let you customize packages without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. These automatically generated configuration files reflect the package's default settings that were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This result provides you with a package-specific template to get started if any of the defaults must be changed. >[!NOTE] >The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. 
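Review bot: the `@@ -18,16` hunk introduces a subject/verb mismatch: "Therefore, package customization is made more convenient by removing the need to resequence packages using the desired settings and provides a way to keep ..." has "customization is made ... and provides", so the second clause has no valid subject. Suggest "This customization removes the need to resequence packages with the desired settings and keeps package content and custom settings independent." The same hunk also carries forward the pre-existing "These .xml files specify package settings let you customize packages" without the missing "that" ("specify package settings that let you customize packages"); fix it while the line is being rewritten.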
@@ -40,7 +40,7 @@ All of the additions, deletions, and updates in the configuration files need to - Deployment Configuration .xml file - Package Manifest -The first item represents what will be read last. Therefore, its content takes precedence. All packages inherently contain and provide default settings from the Package Manifest, but it also has the least precedence. If you apply a Deployment Configuration .xml file with customized settings, it will override the Package Manifest's defaults. If you apply a User Configuration .xml file with customized settings prior to that, it will override both the deployment configuration and the Package Manifest's defaults. +The first item represents what will be read last. Therefore, its content takes precedence. All packages inherently contain and provide default settings from the Package Manifest, but it also has the least precedence. If you apply a Deployment Configuration .xml file with customized settings, it will override the Package Manifest's defaults. If you apply a User Configuration .xml file with customized settings prior to the override of the Package Manifest's defaults, it will override both the deployment configuration and the Package Manifest's defaults. There are two types of configuration files: @@ -72,7 +72,7 @@ The structure of the App-V Dynamic Configuration file is explained in the follow ### Header -The following is an example of a Dynamic User Configuration file's header: +An example of a Dynamic User Configuration file's header is: ```xml 
@@ -83,7 +83,7 @@ The **PackageId** is the same value that exists in the Manifest file. ### Dynamic User Configuration file body -The Dynamic User Configuration file's body can include all app extension points defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: +The Dynamic User Configuration file's body can include all app extension points defined in the Manifest file, and the information to configure virtual applications. There are four subsections allowed in the body: **Applications**: All app-extensions contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. @@ -121,7 +121,7 @@ Extension Subsystems can be enabled and disabled independently of the content.  #### Example 1 -Content will be ignored if the user defined the following in either the dynamic or deployment config file: +Content will be ignored if the user defined the following syntaxes in either the dynamic or deployment config file: ```xml                               @@ -133,7 +133,7 @@ Content will be ignored if the user defined the following in either the dynamic #### Example 2 -Content in the manifest will be integrated during publishing if the user defined only the following: +Content in the manifest will be integrated during publishing if the user defined only the following syntax: ```xml 
@@ -142,7 +142,7 @@ Content in the manifest will be integrated during publishing if the user defined #### Example 3 -All shortcuts in the manifest will be ignored and no shortcuts will be integrated if the user defines the following: +All shortcuts in the manifest will be ignored and no shortcuts will be integrated if the user defines the following syntaxes: ```xml                             @@ -152,7 +152,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate ### Supported Extension Subsystems -**Shortcuts**: This controls shortcuts that will be integrated into the local system. The following example has two shortcuts: +**Shortcuts**: This subsystem controls shortcuts that will be integrated into the local system. The following example has two shortcuts: ```xml @@ -190,7 +190,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate ``` -**File Type Associations**: Associates file types with programs to open by default as well as setup the context menu. (MIME types can also be set up with this subsystem). The following is an example of a FileType association: +**File Type Associations**: Associates file types with programs to open by default and to set up the context menu. (MIME types can also be set up with this subsystem.) An example of a FileType association is: ```xml @@ -256,7 +256,7 @@ All shortcuts in the manifest will be ignored and no shortcuts will be integrate ``` -**URL Protocols**: This controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” protocol. +**URL Protocols**: This subsystem controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” protocol. ```xml 
@@ -394,7 +394,7 @@ In addition to Extensions, the following other subsystems can be enabled/disable #### UserScripts -Scripts can be used to set up or alter the virtual environment and execute scripts on deployment or removal, before an application executes, or they can clean up the environment after the application terminates. Please refer to a sample User Configuration file output by the sequencer to see a sample script. See the [Scripts](appv-dynamic-configuration.md#scripts) section for more information about the various triggers you can use to set up scripts. +Scripts can be used to set up or alter the virtual environment and execute scripts on deployment or removal, before an application executes, or they can clean up the environment after the application terminates. Refer to a sample User Configuration file output by the sequencer to see a sample script. For more information about the various triggers you can use to set up scripts, see the [Scripts](appv-dynamic-configuration.md#scripts) section. ## Dynamic Deployment Configuration file @@ -428,7 +428,7 @@ The body of the deployment configuration file includes two sections: ``` -User Configuration: see [Dynamic User Configuration](#dynamic-user-configuration-file) for more information about this section. +User Configuration: For more information about this section, see [Dynamic User Configuration](#dynamic-user-configuration-file). Machine Configuration: The Machine Configuration section of the Deployment Configuration File configures information that can only be set for an entire machine, not a specific user on the computer, like the HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. This element can have the following four subsections. 
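Review bot: the rewrite in the `@@ -40,7` hunk changes the meaning of the precedence rule: "If you apply a User Configuration .xml file with customized settings prior to the override of the Package Manifest's defaults, it will override both ..." makes the result depend on the order in which an administrator applies files, whereas the list just above the hunk defines precedence by read order (the User Configuration file is read last and therefore wins). Suggest "If you also apply a User Configuration .xml file with customized settings, it overrides both the Deployment Configuration file and the Package Manifest's defaults, because it is read last."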
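Review bot: "the following syntaxes" in the `@@ -121,7` and `@@ -142,7` hunks (and "the following syntax" in `@@ -133,7`) is not idiomatic for XML snippets; each example shows one or more elements, so "the following elements" or simply "the following XML" reads better and matches how the rest of the article refers to the configuration file's content.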
@@ -449,11 +449,11 @@ The following section describes the various subsystems and usage samples. #### Extensions -Some subsystems (Extension Subsystems) control extensions that can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The rules for User Configuration extension controls and settings also apply to the ones in Machine Configuration. +Some subsystems (Extension Subsystems) control extensions that can only apply to all users. The subsystem is application capabilities. Because this subsystem can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The rules for User Configuration extension controls and settings also apply to the ones in Machine Configuration. #### Application Capabilities -Used by default programs in the Windows OS interface, the Application Capabilities extension allows an application to register itself as capable of opening certain file extensions, as a contender for the Start menu's internet browser slot, and as capable of opening certain Windows MIME types. This extension also makes the virtual application visible in the Set Default Programs UI. +Application Capabilities extension is used by default programs in the Windows OS interface; it allows an application to register itself as capable of opening certain file extensions, as a contender for the Start menu's internet browser slot, and as capable of opening certain Windows MIME types. This extension also makes the virtual application visible in the Set Default Programs UI. ```xml 
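Review bot: the Application Capabilities sentence in the `@@ -449,11` hunk drops its article and splices two clauses with a semicolon: "Application Capabilities extension is used by default programs in the Windows OS interface; it allows an application to register itself ...". Suggest "The Application Capabilities extension is used by the default programs interface in Windows; it lets an application register itself as capable of opening certain file extensions, ..." so the sentence has a subject and the clause after the semicolon has something to refer back to.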
@@ -495,7 +495,7 @@ Used by default programs in the Windows OS interface, the Application Capabiliti You can edit other subsystems in addition to extensions: -- Machine-wide Virtual Registry: use this when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine. +- Machine-wide Virtual Registry: Use this subsystem when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine. ```xml @@ -529,9 +529,9 @@ You can edit other subsystems in addition to extensions: ``` -- MachineScripts: The package can be configured to execute scripts upon deployment, publishing, or removal. To see an example script, please see a sample deployment configuration file generated by the sequencer. The following section provides more information about the various triggers you can use to set up scripts. +- MachineScripts: The package can be configured to execute scripts upon deployment, publishing, or removal. To see an example script, see a sample deployment configuration file generated by the sequencer. The following section provides more information about the various triggers you can use to set up scripts. -- TerminateChildProcess: you can use this to specify that an application executable's child processes will be terminated when the application.exe process is terminated. +- TerminateChildProcess: You can use this subsystem to specify that an application executable's child processes will be terminated when the application.exe process is terminated. ```xml diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index fa04ff2980..91b326948f 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md 
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -1,22 +1,21 @@ --- -title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10/11) +title: How to enable only administrators to publish packages by using an ESD description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). author: aczechowski -ms.pagetype: mdop, appcompat, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.technology: windows +ms.date: 05/02/2022 ms.reviewer: manager: dougeby ms.author: aaroncz -ms.topic: article +ms.topic: how-to --- + # How to enable only administrators to publish packages by using an ESD [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you could not prevent end users from performing these tasks. +Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you couldn't prevent end users from performing these tasks. Here's how to enable only administrators to publish or unpublish packages: diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 23cc8bff3e..7fd466e9c5 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md 
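Review bot: the front-matter hunk (`@@ -1,22 +1,21`) changes the title and metadata but leaves the typo in the `description:` line directly beneath it, "by bsing an electronic software delivery (ESD)", which should read "by using an electronic software delivery (ESD)"; since the description is the text search engines and the docs index show, fix it in the same change.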
@@ -38,7 +38,7 @@ To start using App-V to deliver virtual applications to users, you’ll need to | Component | What it does | Where to find it | |------------|--|------| -| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

              If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

              If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

              If you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

              See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| +| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more information, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

              If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

              If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

              If you're using [Windows client for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

              For more information about installing and using the server components, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).| | App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | Starting with Windows 10 version 1607, the App-V client is automatically installed.

              To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | | App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows client](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | @@ -48,7 +48,7 @@ If you're new to App-V, it's a good idea to read the documentation thoroughly. B ## Getting started with App-V -[What's new in App-V](appv-about-appv.md) provides a high-level overview of App-V and how it can be used in your organization. +[What's new in App-V](appv-about-appv.md) provides a high-level overview of App-V and how it can be used in your organization? [Evaluating App-V](appv-evaluating-appv.md) provides information about how you can best evaluate App-V for use in your organization. diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index 2871a6ae7b..e9865ae8bb 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -24,9 +24,9 @@ A typical App-V implementation consists of the following elements. |Element|Description| |---|---| -|App-V Management server|The App-V Management server provides overall management functionality for the App-V infrastructure. Additionally, you can install more than one instance of the management server in your environment which provides the following benefits:
              **Fault tolerance and high availability**—installing and configuring the App-V Management server on two separate computers can help in situations when one of the servers is unavailable or offline. You can also help increase App-V availability by installing the Management server on multiple computers. In this scenario, consider using a network load balancer to keep server requests balanced.
              **Scalability**—you can add additional management servers as necessary to support a high load. For example, you can install multiple servers behind a load balancer.| -|App-V Publishing Server|The App-V publishing server provides functionality for virtual application hosting and streaming. The publishing server does not require a database connection and supports HTTP and HTTPS protocols.
              You can also help increase App-V availability by installing the Publishing server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| -|App-V Reporting Server|The App-V Reporting server lets authorized users run and view existing App-V reports and ad hoc reports for managing App-V infrastructure. The Reporting server requires a connection to the App-V reporting database. You can also help increase App-V availability by installing the Reporting server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| +|App-V Management server|The App-V Management server provides overall management functionality for the App-V infrastructure. Additionally, you can install more than one instance of the management server in your environment, which provides the following benefits:
              **Fault tolerance and high availability**—installing and configuring the App-V Management server on two separate computers can help in situations when one of the servers is unavailable or offline. You can also help increase App-V availability by installing the Management server on multiple computers. In this scenario, consider using a network load balancer to keep server requests balanced.
              **Scalability**—you can add more management servers as necessary to support a high load. For example, you can install multiple servers behind a load balancer.| +|App-V Publishing Server|The App-V publishing server provides functionality for virtual application hosting and streaming. The publishing server doesn't require a database connection and supports HTTP and HTTPS protocols.
              You can also help increase App-V availability by installing the Publishing server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| +|App-V Reporting Server|The App-V Reporting server lets authorized users run and view existing App-V reports and unplanned reports for managing App-V infrastructure. The Reporting server requires a connection to the App-V reporting database. You can also help increase App-V availability by installing the Reporting server on multiple computers. You should also consider having a network load balancer to keep server requests balanced.| |App-V Client|The App-V client enables packages created using App-V to run on target computers.| >[!NOTE] diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index 71e2b8fe63..ad8668ac96 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -22,7 +22,7 @@ Use the following Windows PowerShell procedure to convert any number of Active D Before attempting this procedure, you should read and understand the information and examples displayed in the following list: -- **.INPUTS** – The account or accounts used to convert to SID format. This can be a single account name or an array of account names. +- **.INPUTS** – The account or accounts used to convert to SID format. This item can be a single account name or an array of account names. - **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats. 
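Review bot: the `@@ -48,7 +48,7 @@` hunk in appv-getting-started.md turns a statement into a question: `+[What's new in App-V](appv-about-appv.md) provides a high-level overview of App-V and how it can be used in your organization?` The only difference from the `-` line is the terminal `.` becoming `?`, so the `+` line should keep the period (or the pair should be dropped from the hunk, since the line is then unchanged).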
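Review bot: in the appv-high-level-architecture.md hunk, the Reporting Server row replaces `ad hoc reports` with `unplanned reports`, which changes the meaning: 'ad hoc' is the reporting term for user-composed, one-off queries, not reports that nobody planned. Keep `ad hoc reports` (or `custom reports` if the goal is plain language); the other rewrites in the table (`doesn't require a database connection`, `add more management servers`) are fine.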
@@ -129,7 +129,7 @@ Before attempting this procedure, you should read and understand the information } ``` -3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments. +3. Run the script you saved in Step 1 of this procedure passing the accounts to convert as arguments. For example, diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 1a78d968d1..7a32f99f96 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -49,7 +49,7 @@ This topic explains the following procedures: Enable-AppvClientConnectionGroup –name "Financial Applications" - When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group. + When any virtual applications that are in the member packages are run on the target computer, they'll run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group. ## To enable or disable a connection group for a specific user diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index f0417294aa..45669bd33e 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md 
@@ -28,7 +28,7 @@ You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom |New in App-V for Windows client|Prior to App-V for Windows 10| |--- |--- | -|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:

            • environment variables
            • shortcuts
            • file type associations
            • registry information
            • scripts

              You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package were not included in package converter output.

              The package converter would populate the new package with information from all of the .osd files in the source directory.| +|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:
            • environment variables
            • shortcuts
            • file type associations
            • registry information
            • scripts

              You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package weren't included in package converter output.

              The package converter would populate the new package with information from all of the .osd files in the source directory.| ### Example conversion statement @@ -79,7 +79,7 @@ ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ |These Source directory files…|…are converted to these Destination directory files…|…and will contain these items|Description| |--- |--- |--- |--- | |
            • X.osd
            • Y.osd
            • Z.osd|
            • X_Config.xml
            • Y_Config.xml
            • Z_Config.xml|
            • Environment variables:
            • Shortcuts
            • File type associations
            • Registry information
            • Scripts|Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
              In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.| -|
            • X.osd
            • Y.osd|
            • ContosoApp.appv
            • ContosoApp_DeploymentConfig.xml
            • ContosoApp_UserConfig.xml|
            • Environment variables
            • Shortcuts
            • File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
              In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.| +|
            • X.osd
            • Y.osd|
            • ContosoApp.appv
            • ContosoApp_DeploymentConfig.xml
            • ContosoApp_UserConfig.xml|
            • Environment variables
            • Shortcuts
            • File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter is converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
              In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it wasn't included as one of these arguments.| ## Converting packages created using a prior version of App-V 
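Review bot: the `@@ -79,7 +79,7 @@` hunk in appv-migrating-to-appv-from-a-previous-version.md fixes `are converted` to `is converted` but leaves a stray colon in the unchanged first row of the same table (`• Environment variables:` while the other items in that column have none); drop the colon in this pass so the two rows' item lists match.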
@@ -96,23 +96,23 @@ After you convert an existing package you should test the package prior to deplo |Issue|Workaround| |--- |--- | -|Virtual packages using DSC are not linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).| +|Virtual packages using DSC aren't linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).| |Environment variable conflicts are detected during conversion.|Resolve any conflicts in the associated **.osd** file.| -|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.| +|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it's recommended to re-sequence the package.| When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path. **Note**   -It is recommended that you use the App-V sequencer for converting critical applications or applications that need to take advantage of features. See [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md). +It's recommended that you use the App-V sequencer for converting critical applications or applications that need to take advantage of features. See [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md). 
-If a converted package does not open after you convert it, it is also recommended that you re-sequence the application using the App-V sequencer. +If a converted package doesn't open after you convert it, it's also recommended that you resequence the application using the App-V sequencer. [How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md) ## Migrating the App-V Server Full Infrastructure -There is no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server. +There's no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server. |Task|More Information| |--- |--- | diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index 6f8fa8364b..86dd8a2e20 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md 
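Review bot: the `@@ -96,23 +96,23 @@` hunk leaves this file with two spellings of the same term: the hard-coded-paths row keeps `it's recommended to re-sequence the package` while the sentence after the note becomes `resequence the application`. Pick one (the linked article title uses "Sequence", so `re-sequence` reads more naturally) and apply it to both lines. The unchanged context sentence `When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package.` also needs a comma after `package` and should read `in the App-V 4.6 package`; worth fixing while this paragraph is being edited.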
@@ -48,11 +48,11 @@ This topic explains how to: 5. On the **Prepare Computer** page, review the issues that could cause the application update to fail or cause the updated application to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**. **Important**   - If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package. + If you're required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package. -6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. +6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update doesn't have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. -7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. +7. 
On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you're finished with the installation, select **I am finished installing**. Click **Next**. >**Note**  The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard. @@ -62,7 +62,7 @@ This topic explains how to: >**Note**  You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**. -10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**. +10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it's saved. Click **Next**. To save the package immediately, select the default **Save the package now**. Add optional **Comments** to associate with the package. Comments are useful to identify the application version and provide other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. Click **Create**. 
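Review bot: in the `@@ -48,11 +48,11 @@` hunk of appv-modify-an-existing-virtual-application-package.md, the replacement for step 7 appears as `+7. ` on its own line with `On the **Installation** page, when the sequencer and application installer are ready …` on the following line, whereas the removed line has the number and text together. If that line break is really in the commit and not a rendering artifact, Markdown renders an empty list item 7 followed by a separate paragraph; keep `7. On the **Installation** page, …` on one line as the `-` line had it. The contraction changes in this hunk (`If you're required`, `When you're finished`) are fine.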
@@ -97,7 +97,7 @@ This topic explains how to: - Edit registry settings. - - Review additional package settings (except operating system file properties). + - Review the extra package settings (except operating system file properties). - Set virtualized registry key state (override or merge). 
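Review bot: `Review the extra package settings (except operating system file properties)` in the `@@ -97,7 +97,7 @@` hunk reads oddly: "extra" suggests settings that were added, while the original `additional package settings` just means the remaining settings on the page. `Review other package settings` or `Review the remaining package settings` keeps the meaning without the word the style checker flagged.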
@@ -117,15 +117,15 @@ This topic explains how to: 3. On the **Select Task** page, click **Add New Application** > **Next**. -4. On the **Select Package** page, click **Browse** to locate the virtual application package to which you will add the application, and then click **Next**. +4. On the **Select Package** page, click **Browse** to locate the virtual application package to which you'll add the application, and then click **Next**. 5. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or cause the revised package to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** > **Next**. - >**Important**  If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package. + >**Important**  If you're required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package. -6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. +6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application doesn't have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. -7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. 
If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you don’t overwrite the existing version of the virtual application package. +7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If more installation files must be run as part of the installation, click **Run**, and locate and run those installation files. When you finish the installation, select **I am finished installing** > **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this directory is a new location so that you don’t overwrite the existing version of the virtual application package. >**Note**  The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard. 
@@ -133,9 +133,9 @@ This topic explains how to: 9. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information, and then click **Next** to open the **Customize** page. -10. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 13 of this procedure. If you want to perform the following described customization, click **Customize**. +10. If you're finished installing and configuring the virtual application, select **Stop now** and skip to step 13 of this procedure. If you want to perform the following described customization, click **Customize**. - If you are customizing, prepare the virtual package for streaming, and then click **Next**. Streaming improves the experience when the virtual application package is run on target computers. + If you're customizing, prepare the virtual package for streaming, and then click **Next**. Streaming improves the experience when the virtual application package is run on target computers. 11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index cf90a40aa9..011db77850 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md 
@@ -25,9 +25,9 @@ Use the following information to create a new management server console in your Follow these steps to create a new management server console: -1. Install the management server on a computer in your environment. For more information about installing the management server see [Deploying the App-V server](appv-deploying-the-appv-server.md). +1. Install the management server on a computer in your environment. For more information about installing the management server, see [Deploying the App-V server](appv-deploying-the-appv-server.md). -2. After you have completed the installation, use the following link to connect it to the App-V database - [How to install the Management Server on a Standalone Computer and Connect it to the Database](appv-install-the-management-server-on-a-standalone-computer.md). +2. After you've completed the installation, use the following link to connect it to the App-V database - [How to install the Management Server on a Standalone Computer and Connect it to the Database](appv-install-the-management-server-on-a-standalone-computer.md). diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index 88041be96f..80ba2f4fbd 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -34,7 +34,7 @@ This section of the Microsoft Application Virtualization (App-V) Administrator Describes how to deploy App-V packages by using an ESD. - [Using the App-V Client Management Console](appv-using-the-client-management-console.md) - Describes how perform client configuration tasks using the client management console. + Describes how to perform client configuration tasks using the client management console. - [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) Provides instructions for migrating to App-V from a previous version. 
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index c071b97a75..ee185b6c84 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md 
@@ -44,15 +44,15 @@ To help determine what information is relevant to your environment, you should r ## App-V in stateful\* non-persistent deployments -This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This is achieved by uniquely addressing the often long-running App-V publishing refresh. As you will discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience. +This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This access is achieved by uniquely addressing the often long-running App-V publishing refresh. As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience. Use the information in the following section for more information: -[Usage Scenarios](#bkmk-us) - As you review the two scenarios, keep in mind that these are the approach extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users and/or virtual applications packages. +[Usage Scenarios](#bkmk-us) - As you review the two scenarios, keep in mind that these scenarios are the approach extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users and/or virtual applications packages. - Optimized for Performance – To provide the optimal experience, you can expect the base image to include some of the App-V virtual application package. This and other requirements are discussed. -- Optimized for Storage – If you are concerned with the storage impact, following this scenario will help address those concerns. 
+- Optimized for Storage – If you're concerned with the storage impact, following this scenario will help address those concerns. [Preparing your Environment](#bkmk-pe) @@ -62,9 +62,9 @@ Use the information in the following section for more information: [User Experience Walk-through](#bkmk-uewt) -- Walk-through – This is a step-by-step walk-through of the App-V and UE-V operations and the expectations users should have. +- Walk-through – It's a step-by-step walk-through of the App-V and UE-V operations and the expectations users should have. -- Outcome – This describes the expected results. +- Outcome – It describes the expected results. [Impact to Package Lifecycle](#bkmk-plc) 
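Review bot: In the `@@ -44,15` hunk, the rewritten sentence "As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesn't have to actually do anything" still lacks the comma after "discover", so "the basis of the approach" reads as the object of "discover". Suggest "As you'll discover, the basis of the approach, the fastest publishing refresh, is one that doesn't have to do anything." The new "This access is achieved by uniquely addressing the often long-running App-V publishing refresh" keeps the vague "uniquely addressing"; the paragraph's own point is that the refresh is made to do no work, so "This is achieved by minimizing the work the often long-running App-V publishing refresh has to do" says it directly.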
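Review bot: In the `@@ -62,9` hunk, replacing "This is" with "It's" and "It describes" leaves a pronoun with no antecedent in a bulleted glossary; the other entries in this list ("Optimized for Storage – If you're concerned ...") work without one. Suggest "Walk-through – A step-by-step walk-through of the App-V and UE-V operations and what users should expect." and "Outcome – The expected results."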
@@ -89,13 +89,13 @@ Use the information in the following section for more information: ### Usage Scenarios -As you review the two scenarios, keep in mind that these approach the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both. +As you review the two scenarios, keep in mind that these scenarios represent the extremes. Based on your usage requirements, you may choose to apply these steps to a subset of users, virtual application packages, or both. - **Performance**: To provide the most optimal user experience, this approach uses the capabilities of a UPM solution and requires extra image preparation and can incur some more image management overhead. - The following describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) (in this article). + The following section describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) (in this article). -- **Storage**: The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image. +- **Storage**: The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in costly arrays; a slight alteration has been made to the approach. Don't pre-configure user-targeted virtual application packages in the base image. 
The impact of this alteration is detailed in the [User Experience Walk-through](#bkmk-uewt) (in this article). @@ -137,14 +137,14 @@ The following information displays the required steps to prepare the base image For critical App-V Client configurations and for a little more context and how-to, review the following configuration settings: -- **Shared Content Store (SCS) Mode**: When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM). This helps to conserve local storage and minimize disk I/O per second (IOPS). +- **Shared Content Store (SCS) Mode**: When running the shared content store, only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM). Such a result helps to conserve local storage and minimize disk I/O per second (IOPS). This setting is recommended when low-latency connections are available between the App-V Client endpoint and the SCS content server, SAN. - Configurable in Windows PowerShell: `Set-AppvClientConfiguration -SharedContentStoreMode 1` - Configurable with Group Policy: See [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). -- **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting is not configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*. +- **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting isn't configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*. For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh. 
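Review bot: In the `@@ -89,13` hunk, "The following section describes many performance improvements" points at the wrong target: the sentence goes on to link to "Sequencing Steps to Optimize Packages for Publishing Performance", which is later in the article, not the next section. Suggest "The sequencing steps later in this article describe several performance improvements for stateful non-persistent deployments." or keep the original "The following describes" alongside the cross-reference.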
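Review bot: In the `@@ -137,14` hunk, "Such a result helps to conserve local storage" is awkward and "result" is the wrong noun; it is the mode, not a result, that conserves storage. Suggest "This mode conserves local storage and minimizes disk I/O per second (IOPS)." The PreserveUserIntegrationsOnLogin bullet now mixes "If you have not pre-configured" with "this setting isn't configured" in one sentence; if the contraction pass is deliberate, "haven't pre-configured" keeps it consistent.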
@@ -156,13 +156,13 @@ For critical App-V Client configurations and for a little more context and how-t - **MaxConcurrentPublishingRefresh**: This setting determines the number of users that can perform a publishing refresh/sync at the same time. The default setting is no limit. - Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync. + Limiting the number of concurrent publishing refreshes prevents excessive CPU usage that could impact computer performance. This limit is recommended in an RDS environment, where multiple users can log in to the same computer at the same time and perform a publishing refresh sync. - If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they log in could take an indeterminate amount of time. + If the concurrent publishing refresh threshold is reached, the time required to publish new applications and make them available to end users after they sign in could take an indeterminate amount of time. - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing`. - Create the DWORD value **MaxConcurrentPublishingrefresh** with the desired maximum number of concurrent publishing refreshes. - - The App-V client service and computer do not need to be restarted. + - The App-V client service and computer don't need to be restarted. ### Configure UE-V solution for App-V Approach 
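Review bot: In the `@@ -156,13` hunk, the terminology change is applied inconsistently: "after they log in" becomes "after they sign in", but "where multiple users can log in to the same computer" two lines earlier in the same hunk is left as is. Suggest "can sign in to the same computer" in the same pass. The first changed line ("Limiting the number of concurrent publishing refreshes ...") differs from the original only in whitespace; drop it unless it removes trailing whitespace on purpose.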
@@ -177,9 +177,9 @@ For more information, see: In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows). > [!Note] -> Without performing an additional configuration step, User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. +> Without performing an additional configuration step, User Environment Virtualization (UE-V) won't be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. -UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V would not currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices. +UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V wouldn't currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices. 
- If a user has an application installed on one device with .lnk files enabled and the same native application installed on another device to a different installation root with .lnk files enabled. @@ -196,11 +196,11 @@ The expectation in a stateful environment is that a UPM solution is implemented The requirements for the UPM solution are as follows. -To enable an optimized login experience, for example the App-V approach for the user, the solution must be capable of: +To enable an optimized sign-in experience, for example the App-V approach for the user, the solution must be capable of: - Persisting the below user integrations as part of the user profile/persona. -- Triggering a user profile sync on login (or application start), which can guarantee that all user integrations are applied before publishing/refresh begin, or, +- Triggering a user profile sync on sign in (or application start), which can guarantee that all user integrations are applied before publishing/refresh begin, or, - Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations. 
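Review bot: In the `@@ -196,11` hunk, "Triggering a user profile sync on sign in (or application start)" uses the verb form where a noun is needed; the noun is hyphenated, as the same hunk's "optimized sign-in experience" already does, so "on sign-in". The unchanged tail of that line, "before publishing/refresh begin", should also read "begins".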
@@ -208,13 +208,13 @@ To enable an optimized login experience, for example the App-V approach for the > > App-V is supported when using UPD only when the entire profile is stored on the user profile disk. > - > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders. + > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver doesn't handle UPD selected folders. -- Capturing changes to the locations, which constitute the user integrations, prior to session logoff. +- Capturing changes to the locations, which constitute the user integrations, prior to session sign out. -With App-V when you add a publishing server (**Add-AppvPublishingServer**) you can configure synchronization, for example refresh during log on and/or after a specified refresh interval. In both cases a scheduled task is created. +With App-V when you add a publishing server (**Add-AppvPublishingServer**) you can configure synchronization, for example refresh during a sign in and/or after a specified refresh interval. In both cases, a scheduled task is created. -In previous versions of App-V, both scheduled tasks were configured using a VBScript that would initiate the user and global refresh. Starting with Hotfix Package 4 for Application Virtualization 5.0 SP2 the user refresh on log on was initiated by **SyncAppvPublishingServer.exe**. This change was introduced to provide UPM solutions a trigger process. This process delays the publish /refresh to allow the UPM solution to apply the user integrations. It will exit once the publishing/refresh is complete. +In previous versions of App-V, both scheduled tasks were configured using a VBScript that would initiate the user and global refresh. 
Starting with Hotfix Package 4 for Application Virtualization 5.0 SP2, the user refresh on a sign in was initiated by **SyncAppvPublishingServer.exe**. This change was introduced to provide UPM solutions a trigger process. This process delays the publish /refresh to allow the UPM solution to apply the user integrations. It will exit once the publishing/refresh is complete. ### User Integrations 
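Review bot: In the `@@ -208,13` hunk, "prior to session sign out", "refresh during a sign in" and "the user refresh on a sign in was initiated" all use the noun form and should be "session sign-out", "during sign-in" and "on sign-in". Splitting the VBScript/SyncAppvPublishingServer.exe paragraph into two is fine for readability, but the second paragraph's "a sign in" needs the same hyphenation fix.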
@@ -248,37 +248,37 @@ Registry – HKEY\_CURRENT\_USER ### User Experience Walk-through -This following is a step-by-step walk-through of the App-V and UPM operations and the expectations users should expect. +This following process is a step-by-step walk-through of the App-V and UPM operations, and the users' expectations. - **Performance**: After implementing this approach in the VDI/RDSH environment, on first login, - (Operation) A user-publishing/refresh is initiated. - (Expectation) If this is the first time a user has published virtual applications (e.g. non-persistent), this will take the usual duration of a publishing/refresh. + (Expectation) If it's the first time that a user has published virtual applications (for example, non-persistent), this operation will take the usual duration of a publishing/refresh. - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. - (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state. + (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-out process. This result will incur the same/similar overhead as persisting the user state. **On subsequent logins**: - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh. - (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (i.e., package entitlements change), some may go away. + (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (that is, package entitlements change), some may go away. - - (Operation) Publishing/refresh will process un-publish and publish operations for changes in user package entitlements. 
+ - (Operation) Publishing/refresh will process unpublish and publish operations for changes in user package entitlements. (Expectation) If there are no entitlement changes, publishing will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity of virtual applications The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. - - (Operation) UPM solution will capture user integrations again at logoff. + - (Operation) UPM solution will capture user integrations again at sign off. (Expectation) Same as previous. **Outcome**: - - Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of login. - - The publishing/refresh will process changes to the users entitled virtual applications which impacts the experience. + - Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of sign in. + - The publishing/refresh will process changes to the users-entitled virtual applications, which impacts the experience. - **Storage**: After implementing this approach in the VDI/RDSH environment, on first login 
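Review bot: In the `@@ -248,37` hunk, "The publishing/refresh will process changes to the users-entitled virtual applications" is wrong; it should be "the user's entitled virtual applications" (the applications the user is entitled to). Also in this hunk: "This following process is" should be "The following is"; the UPM capture is said to happen "at sign off" in one bullet and as part of the "sign-out process" in another, so pick one term; "on first login" and "On subsequent logins" are left as "login" after the rest of the page moved to "sign in"; and "This result will incur" should be "This capture incurs".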
@@ -286,12 +286,12 @@ This following is a step-by-step walk-through of the App-V and UPM operations an (Expectation): - - If this is the first time a user has published virtual applications (e.g., non-persistent), this will take the usual duration of a publishing/refresh. + - If this instance is the first time a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh. - First and subsequent logins will be impacted by pre-configuring of packages (add/refresh). - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. - (Expectation) Depending on how the UPM solution is configured, this may occur as part of the logoff process. This will incur the same/similar overhead as persisting the user state. + (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-off process. This result will incur the same/similar overhead as persisting the user state. **On subsequent logins**: 
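Review bot: In the `@@ -286,12` hunk, "If this instance is the first time a user has published virtual applications" is clumsier than the original "If this is the first time"; if the goal is to avoid a bare "this", "If it's the first time that a user has published" matches the wording used in the Performance walk-through just above. "sign-off process" here and "sign-out process" in the Performance bullet should be made consistent.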
@@ -299,24 +299,24 @@ This following is a step-by-step walk-through of the App-V and UPM operations an - (Operation) Add/refresh must pre-configure all user targeted applications. - (Expectation): - - This may increase the time to application availability significantly (on the order of 10’s of seconds). + - This may increase the time to application availability significantly (on the order of 10s of seconds). - This will increase the publishing refresh time relative to the number and complexity* of virtual applications. - - (Operation) Publishing/refresh will process un-publish and publish operations for changes to user package entitlements. + - (Operation) Publishing/refresh will process unpublish and publish operations for changes to user package entitlements. - **Outcome**: Because the add/refresh must re-configure all the virtual applications to the VM, the publishing refresh time on every login will be extended. + **Outcome**: Because the add/refresh must reconfigure all the virtual applications to the VM, the publishing refresh time on every login will be extended. ### Impact to Package Life Cycle -Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (un-published) virtual application packages, it is recommended you update the base image to reflect these changes. To understand why review the following section: +Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (unpublished) virtual application packages, it's recommended you update the base image to reflect these changes. To understand why review the following section: App-V 5.0 SP2 introduced the concept of pending states. 
In the past, -- If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the un-publish or publish operation, respectively, would fail. +- If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the unpublish or publish operation, respectively, would fail. -- Now, if a package is in-use the operation will be pended. The un-publish and publish-pend operations will be processed on service restart or if another publish or un-publish command is issued. In the latter case, if the virtual application is in-use otherwise, the virtual application will remain in a pending state. For globally published packages, a restart (or service restart) often needed. +- Now, if a package is in use, the operation will be pended. The unpublish and publish-pend operations will be processed on service restart or if another publish or unpublish command is issued. In the latter case, if the virtual application is in-use otherwise, the virtual application will remain in a pending state. For globally published packages, a restart (or service restart) often needed. -In a non-persistent environment, it is unlikely these pended operations will be processed. The pended operations, for example tasks are captured under **HKEY\_CURRENT\_USER** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Client** \\ **PendingTasks**. Although this location is persisted by the UPM solution, if it is not applied to the environment prior to log on, it will not be processed. +In a non-persistent environment, it's unlikely these pended operations will be processed. The pended operations, for example tasks are captured under **HKEY\_CURRENT\_USER** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Client** \\ **PendingTasks**. 
Although this location is persisted by the UPM solution, if it isn't applied to the environment prior to a sign in, it will not be processed. ### Enhancing the VDI Experience through Performance Optimization Tuning @@ -350,8 +350,6 @@ Server Performance Tuning Guidelines for **Windows Client (Guest OS) Performance Tuning Guidance** -- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) - - [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density) - [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) @@ -364,17 +362,17 @@ Several App-V features facilitate new scenarios or enable new customer deploymen |Step|Consideration|Benefits|Tradeoffs| |--- |--- |--- |--- | -|No Feature Block 1 (FB1, also known as Primary FB)|No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:
            • Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.
            • Delay launch until the entire FB1 has been streamed.|Stream faulting decreases the launch time.|Virtual application packages with FB1 configured will need to be re-sequenced.| +|No Feature Block 1 (FB1, also known as Primary FB)|No FB1 means the application will launch immediately and stream fault (application requires file, DLL and must pull down over the network) during launch. If there are network limitations, FB1 will:
            • Reduce the number of stream faults and network bandwidth used when you launch an application for the first time.
            • Delay launch until the entire FB1 has been streamed.|Stream faulting decreases the launch time.|Virtual application packages with FB1 configured will need to be resequenced.| ### Removing FB1 -Removing FB1 does not require the original application installer. After completing the following steps, it is suggested that you revert the computer running the sequencer to a clean snapshot. +Removing FB1 doesn't require the original application installer. After completing the following steps, it's suggested that you revert the computer running the sequencer to a clean snapshot. **Sequencer UI** - Create a New Virtual Application Package. 1. Complete the sequencing steps up to Customize -> Streaming. -2. At the Streaming step, do not select **Optimize the package for deployment over slow or unreliable network**. +2. At the Streaming step, don't select **Optimize the package for deployment over slow or unreliable network**. 3. If desired, move on to **Target OS**. @@ -382,7 +380,7 @@ Removing FB1 does not require the original application installer. After completi 1. Complete the sequencing steps up to Streaming. -2. Do not select **Optimize the package for deployment over a slow or unreliable network**. +2. Don't select **Optimize the package for deployment over a slow or unreliable network**. 3. Move to **Create Package**. 
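Review bot: In the `@@ -299,24` hunk, "10s of seconds" should be "tens of seconds". The pending-state bullet still has a missing verb in "a restart (or service restart) often needed", mixes "in use" with "in-use" on the same line, and "if the virtual application is in-use otherwise" reads as if a word is missing. Suggest "In the latter case, if the virtual application is still in use, it remains in a pending state. For globally published packages, a restart (or service restart) is often needed." Also "To understand why review the following section" needs a comma after "why", and "The pended operations, for example tasks are captured under" should be "The pended operations (tasks) are captured under".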
@@ -405,7 +403,7 @@ Removing FB1 does not require the original application installer. After completi |Step|Considerations|Benefits|Tradeoffs| |--- |--- |--- |--- | -|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages do not need to be re-sequenced. SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies will not install at publishing time.|SxS Assembly dependencies must be pre-installed.| +|No SXS Install at Publish (Pre-Install SxS assemblies)|Virtual Application packages don't need to be resequenced. SxS Assemblies can remain in the virtual application package.|The SxS Assembly dependencies won't install at publishing time.|SxS Assembly dependencies must be pre-installed.| ### Creating a new virtual application package on the sequencer @@ -414,7 +412,7 @@ If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is ins **Client Side**: -When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur. +When publishing a virtual application package, the App-V Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it's included in the package, a traditional Windows Installer (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation won't occur. |Step|Considerations|Benefits|Tradeoffs| |--- |--- |--- |--- | 
@@ -427,7 +425,7 @@ When publishing a virtual application package, the App-V Client will detect if a **-DynamicDeploymentConfiguration** parameter -- Similarly, when adding new packages using `Add-AppVClientPackage –Path c:\Packages\Apps\MyApp.appv`, do not use the +- Similarly, when adding new packages using `Add-AppVClientPackage –Path c:\Packages\Apps\MyApp.appv`, don't use the **-DynamicDeploymentConfiguration** parameter. @@ -439,8 +437,8 @@ For documentation on How to Apply a Dynamic Configuration, see: |Step|Considerations|Benefits|Tradeoffs| |--- |--- |--- |--- | -|Account for Synchronous Script Execution during Package Lifecycle.|If script collateral is embedded in the package, Add cmdlets may be significantly slower.
              Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.|Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.|This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.| -|Remove Extraneous Virtual Fonts from Package.|The majority of applications investigated by the App-V product team contained a small number of fonts, typically fewer than 20.|Virtual Fonts impact publishing refresh performance.|Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.| +|Account for Synchronous Script Execution during Package Lifecycle.|If script collateral is embedded in the package, Add cmdlets may be slower.
              Running of scripts during virtual application launch (StartVirtualEnvironment, StartProcess) and/or Add+Publish will impact the perceived performance during one or more of these lifecycle operations.|Use of Asynchronous (Non-Blocking) Scripts will ensure that the lifecycle operations complete efficiently.|This step requires working knowledge of all virtual application packages with embedded script collateral, which have associated dynamic configurations files and which reference and run scripts synchronously.| +|Remove Extraneous Virtual Fonts from Package.|Most applications investigated by the App-V product team contained a few fonts, typically fewer than 20.|Virtual Fonts impact publishing refresh performance.|Desired fonts will need to be enabled/installed natively. For instructions, see Install or uninstall fonts.| ### Determining what virtual fonts exist in the package @@ -448,7 +446,7 @@ For documentation on How to Apply a Dynamic Configuration, see: - Rename Package\_copy.appv to Package\_copy.zip -- Open AppxManifest.xml and locate the following: +- Open AppxManifest.xml and locate the following syntax: ```xml @@ -458,7 +456,7 @@ For documentation on How to Apply a Dynamic Configuration, see: ``` > [!Note] - > If there are fonts marked as **DelayLoad**, those will not impact first launch. + > If there are fonts marked as **DelayLoad**, those won't impact first launch. ### Excluding virtual fonts from the package 
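Review bot: In the `@@ -439,8` hunk, dropping "significantly" from "Add cmdlets may be significantly slower" weakens a performance claim in a table whose purpose is to justify the tradeoff; unless the guidance has actually been revised, keep "significantly". "Open AppxManifest.xml and locate the following syntax:" is odd for a fenced XML element; "locate the following element:" fits. "contained a few fonts, typically fewer than 20" also shifts "a small number of fonts" slightly; "only a small number of fonts" keeps the sense.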
@@ -485,9 +483,9 @@ The following terms are used when describing concepts and actions related to App - **Re-Integrate** – Applies the user integrations. -- **Non-Persistent, Pooled** – Creates a computer running a virtual environment each time they log in. +- **Non-Persistent, Pooled** – Creates a computer running a virtual environment each time they sign in. -- **Persistent, Personal** – A computer running a virtual environment that remains the same for every login. +- **Persistent, Personal** – A computer running a virtual environment that remains the same for every sign in. - **Stateful** - For this document, implies that user integrations are persisted between sessions and a user environment management technology is used in conjunction with non-persistent RDSH or VDI. 
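Review bot: In the `@@ -485,9` hunk, "remains the same for every sign in" needs the noun form "sign-in". The "Non-Persistent, Pooled" definition also still reads "Creates a computer running a virtual environment each time they sign in", where "they" has no antecedent; "each time a user signs in" fixes it.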
@@ -497,13 +495,13 @@ The following terms are used when describing concepts and actions related to App - **User Experience** - In the context of App-V, the user experience, quantitatively, is the sum of the following parts: - - From the point that users initiate a log-in to when they are able to manipulate the desktop. + - From the point that users initiate a sign in to when they're able to manipulate the desktop. - - From the point where the desktop can be interacted with to the point a publishing refresh begins (in Windows PowerShell terms, sync) when using the App-V full server infrastructure. In standalone instances, it is when the **Add-AppVClientPackage** and **Publish-AppVClientPackage** Windows PowerShell commands are initiated. + - From the point where the desktop can be interacted with to the point a publishing refresh begins (in Windows PowerShell terms, sync) when using the App-V full server infrastructure. In standalone instances, it's when the **Add-AppVClientPackage** and **Publish-AppVClientPackage** Windows PowerShell commands are initiated. - - From start to completion of the publishing refresh. In standalone instances, this is the first to last virtual application published. + - From start to completion of the publishing refresh. In standalone instances, this refresh is the first to last instance leading to the virtual application being published. - - From the point where the virtual application is available to launch from a shortcut. Alternatively, it is from the point at which the file type association is registered and will launch a specified virtual application. + - From the point where the virtual application is available to launch from a shortcut. Alternatively, it's from the point at which the file type association is registered and will launch a specified virtual application. - **User Profile Management** – The controlled and structured approach to managing user components associated with the environment. 
For example, user profiles, preference and policy management, application control and application deployment. You can use scripting or third-party solutions configure the environment as needed. diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index 840f9d2cf5..a1adab31c4 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -33,7 +33,7 @@ To use %AppData% folder redirection, you must: * Have an App-V package that has an AppData virtual file system (VFS) folder. * Enable folder redirection and redirect users’ folders to a shared folder, typically a network folder. -* Roam both or neither of the following: +* Roam both or neither of the following elements: * Files under %appdata%\Microsoft\AppV\Client\Catalog * Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages @@ -45,7 +45,7 @@ The following scenarios aren't supported by App-V: * Configuring %LocalAppData% as a network drive. * Redirecting the Start menu to a single folder for multiple users. -* If roaming AppData (%AppData%) is redirected to a network share that is not available, App-V applications will fail to launch, unless the unavailable network share has been enabled for Offline Files. +* If roaming AppData (%AppData%) is redirected to a network share that isn't available, App-V applications will fail to launch, unless the unavailable network share has been enabled for Offline Files. ## How to configure folder redirection for use with App-V 
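Review bot: In the `@@ -497,13` hunk, the rewrite "In standalone instances, this refresh is the first to last instance leading to the virtual application being published" garbles the original meaning, which was that this interval runs from the first virtual application published to the last. Suggest "In standalone instances, this spans from the first to the last virtual application published." "From the point that users initiate a sign in" should be "initiate a sign-in".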
@@ -53,11 +53,11 @@ Folder redirection can be applied to different folders, such as Desktop, My Docu ## How folder redirection works with App-V -The following table describes how folder redirection works when %AppData% is redirected to a network and when you have met the requirements listed earlier in this article. +The following table describes how folder redirection works when %AppData% is redirected to a network and when you've met the requirements listed earlier in this article. |Virtual environment state|Action that occurs| |---|---| -|When the virtual environment starts.|The virtual file system (VFS) AppData folder is mapped to the local AppData folder (%LocalAppData%) instead of to the user’s roaming AppData folder (%AppData%).
              - LocalAppData contains a local cache of the user’s roaming AppData folder for the package in use. The local cache is located under ```%LocalAppData%\Microsoft\AppV\Client\VFS\PackageGUID\AppData```
              - The latest data from the user’s roaming AppData folder is copied to and replaces the data currently in the local cache.
              - While the virtual environment is running, data continues to be saved to the local cache. Data is served only out of %LocalAppData% and is not moved or synchronized with %AppData% until the end user shuts down the computer.
              - Entries to the AppData folder are made using the user context, not the system context.| +|When the virtual environment starts.|The virtual file system (VFS) AppData folder is mapped to the local AppData folder (%LocalAppData%) instead of to the user’s roaming AppData folder (%AppData%).
              - LocalAppData contains a local cache of the user’s roaming AppData folder for the package in use. The local cache is located under ```%LocalAppData%\Microsoft\AppV\Client\VFS\PackageGUID\AppData```
              - The latest data from the user’s roaming AppData folder is copied to and replaces the data currently in the local cache.
              - While the virtual environment is running, data continues to be saved to the local cache. Data is served only out of %LocalAppData% and isn't moved or synchronized with %AppData% until the end user shuts down the computer.
              - Entries to the AppData folder are made using the user context, not the system context.| |When the virtual environment shuts down.|The local cached data in AppData (roaming) is zipped up and copied to the “real” roaming AppData folder in %AppData%. A time stamp that indicates the last known upload is simultaneously saved as a registry key under ```HKCU\Software\Microsoft\AppV\Client\Packages\\AppDataTime```. App-V keeps the three most recent copies of the compressed data under %AppData% for redundancy.| diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index dd7a0447e0..770424df0f 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -48,7 +48,7 @@ Running App-V Server in Shared Content Store (SCS) mode with clustered file serv To enable SCS mode configurations, follow these steps: 1. Configure the App-V client to run in SCS mode. For more information, see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md). -2. Configure the file server cluster, configured in either the scale out mode (which started with Windows Server 2012) or the earlier clustering mode, with a virtual SAN. +2. Configure the file server cluster, configured in either the scale-out mode (which started with Windows Server 2012) or the earlier clustering mode, with a virtual SAN. The following steps can be used to validate the configuration: 
@@ -63,7 +63,7 @@ Review the following articles to learn more about configuring Windows Server fai ## Support for Microsoft SQL Server mirroring -Using Microsoft SQL Server mirroring, where the App-V management server database is mirrored utilizing two SQL Server instances, for App-V management server databases is supported. + With the Microsoft SQL Server mirroring being used, where the App-V management server database is mirrored utilizing two SQL Server instances, for App-V management server databases is supported. Review the following to learn more about how to configure Microsoft SQL Server mirroring: @@ -76,7 +76,7 @@ The following steps can be used to validate the configuration: 2. Select **Failover** to designate a new master Microsoft SQL Server instance. 3. Verify that the App-V management server continues to function as expected after the failover. -The connection string on the management server can be modified to include ```failover partner = ```. This will only help when the primary on the mirror has failed over to the secondary and the computer running the App-V client is doing a fresh connection (say after reboot). +The connection string on the management server can be modified to include ```failover partner = ```. This modification will only help when the primary on the mirror has failed over to the secondary and the computer running the App-V client is doing a fresh connection (say after reboot). Use the following steps to modify the connection string to include ```failover partner = ```: diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 72aa9df82d..9256e08578 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md 
@@ -30,7 +30,7 @@ You can use the App-V Sequencer to create plug-in packages for language packs, l For a list of supported Office products, see [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click). >[!NOTE] ->You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Microsoft 365 Apps for enterprise. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744). +>You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Microsoft 365 Apps for enterprise. App-V doesn't support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in February 2017](https://support.microsoft.com/kb/3199744). ## Using App-V with coexisting versions of Office @@ -40,7 +40,7 @@ Microsoft’s recommended best practice is to avoid Office coexistence completel ### Before you implement Office coexistence -Before implementing Office coexistence, review the information in the following table that corresponds to the newest version of Office that you will use in coexistence. The documentation linked here will guide you in implementing coexistence for Windows Installer-based (MSI) and Click-to-Run installations of Office. +Before implementing Office coexistence, review the information in the following table that corresponds to the newest version of Office that you'll use in coexistence. The documentation linked here will guide you in implementing coexistence for Windows Installer-based (MSI) and Click-to-Run installations of Office. |Office version|Relevant how-to guides| |---|---| 
@@ -52,10 +52,10 @@ Once you've reviewed the relevant guide, this topic will supplement what you've ### Supported Office coexistence scenarios -The following tables summarize supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience. +The following tables summarize supported coexistence scenarios. They're organized according to the version and deployment method you’re starting with and the version and deployment method you're migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience. >[!NOTE] ->Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. +>Microsoft doesn't support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. ### Windows integrations and Office coexistence 
@@ -65,10 +65,10 @@ The following table describes the integration level of each version of Office, a |Office version|The modes App-V can sequence this version of Office with| |---|---| -|Office 2007|Always non-integrated. App-V does not offer any operating system integrations with a virtualized version of Office 2007.| +|Office 2007|Always non-integrated. App-V doesn't offer any operating system integrations with a virtualized version of Office 2007.| |Office 2010|Integrated and non-integrated mode.| -|Office 2013|Always integrated. Windows operating system integrations cannot be disabled.| -|Office 2016|Always integrated. Windows operating system integrations cannot be disabled.| +|Office 2013|Always integrated. Windows operating system integrations can't be disabled.| +|Office 2016|Always integrated. Windows operating system integrations can't be disabled.| Microsoft recommends deploying Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. 
@@ -83,12 +83,12 @@ Limitations can occur when you install the following versions of Office on the s * Office 2010 with the Windows Installer-based version * Office 2013 or Office 2016 with App-V -Publishing Office 2013 or Office 2016 with App-V at the same time as an earlier version of the Windows Installer-based Office 2010 might cause the Windows Installer to start. This is because either the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer. +Publishing Office 2013 or Office 2016 with App-V at the same time as an earlier version of the Windows Installer-based Office 2010 might cause the Windows Installer to start. This scenario is because either the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer. To bypass the auto-registration operation for native Word 2010, follow these steps: 1. Exit Word 2010. -2. Start the Registry Editor by doing the following: +2. Start the Registry Editor by doing the following tasks: * In Windows 7k, select **Start**, type **regedit** in the Start Search box, then select the Enter key. diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index 6e96eb11e3..bdc2bee038 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md 
@@ -16,13 +16,13 @@ ms.topic: article [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv). +If you're using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv). Review the following component and architecture requirements options that apply when you use an ESD to deploy App-V packages: | Deployment requirement or option | Description | |---|---| -| The App-V Management server, Management database, and Publishing server are not required. | These functions are handled by the implemented ESD solution. | +| The App-V Management server, Management database, and Publishing server aren't required. | These functions are handled by the implemented ESD solution. | | You can deploy the App-V Reporting server and Reporting database side-by-side with the ESD. | The side-by-side deployment lets you collect data and generate reports.
              If you enable the App-V client to send report information without using the App-V Reporting server, the reporting data will be stored in associated .xml files. | diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index cb78bbb208..e25bc08e0a 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -20,7 +20,7 @@ There are several different deployment configurations and requirements to consid ## App-V supported configurations -[App-V supported configurations](appv-supported-configurations.md) describes the minimum hardware and operating system requirements for each App-V components. For information about software that you must install before you install App-V, see [App-V Prerequisites](appv-prerequisites.md). +[App-V supported configurations](appv-supported-configurations.md) describes the minimum hardware and operating system requirements for each App-V component. For information about software that you must install before you install App-V, see [App-V Prerequisites](appv-prerequisites.md). ## App-V capacity planning diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index 130251c08a..5d42b2690d 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md 
@@ -20,7 +20,7 @@ ms.author: aaroncz The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607. ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client -MSI packages that were generated using an App-V sequencer from previous versions of App-V (App-V versions 5.1 and earlier) include a check to validate that the App-V client is installed on client devices before allowing the MSI package to install. Now that the App-V client is installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. +There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. **Workaround**: 
@@ -44,21 +44,22 @@ MSI packages that were generated using an App-V sequencer from previous versions `Update-AppvPackageMsi -MsiPackage "" -MsSdkPath ""` - where the path is to the new directory (**C:\MyMsiTools\ for this example**). + where the path is to the new directory (**C:\MyMsiTools\ for this example**). ## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10 -An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server doesn't understand the Windows 10 operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but isn't backported to versions of App-V 5.0 SP3 or earlier. + +An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server doesn't understand the Windows 10-operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but isn't backported to versions of App-V 5.0 SP3 or earlier. **Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients. ## Custom configurations don't get applied for packages that will be published globally if they're set using the App-V Server If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration won't be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages won't have access to this custom configuration. 
-**Workaround**: Do one of the following: +**Workaround**: Implement one of the following tasks: -- Assign the package to groups containing only user accounts. This will ensure that the package’s custom configuration will be stored in each user’s profile and will be applied correctly. +- Assign the package to groups containing only user accounts. This assignation ensures that the package’s custom configuration will be stored in each user’s profile and will be applied correctly. -- Create a custom deployment configuration file and apply it to the package on the client using the Add-AppvClientPackage cmdlet with the –DynamicDeploymentConfiguration parameter. See [About App-V Dynamic Configuration](appv-dynamic-configuration.md) for more information. +- Create a custom deployment configuration file and apply it to the package on the client, using the Add-AppvClientPackage cmdlet with the –DynamicDeploymentConfiguration parameter. See [About App-V Dynamic Configuration](appv-dynamic-configuration.md) for more information. - Create a new package with the custom configuration using the App-V Sequencer. 
@@ -109,9 +110,9 @@ In environments that are running the RDS Client or that have multiple concurrent **Workaround**: Have users log out and then log back in. ## Error message is erroneously displayed when the connection group is published only to the user -When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Please ensure that the package is added to the machine and published to the user.” +When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Ensure that the package is added to the machine and published to the user.” -**Workaround**: Do one of the following: +**Workaround**: Execute one of the following tasks: - Publish all packages in a connection group. @@ -119,7 +120,7 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, - Repair packages individually using the Repair-AppvClientPackage command rather than the Repair-AppvClientConnectionGroup command. - Determine which packages are available to users and then run the **Repair-AppvClientPackage** command once for each package. Use Windows PowerShell cmdlets to do the following: + Determine which packages are available to users and then run the **Repair-AppvClientPackage** command once for each package. Use Windows PowerShell cmdlets to execute the following tasks: 1. Get all the packages in a connection group. 
@@ -128,7 +129,8 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, 3. If the package is currently published, run **Repair-AppvClientPackage** on that package. ## Icons not displayed properly in Sequencer -Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the sizes of the icons are not 16x16 or 32x32. + +Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons is not 16x16 or 32x32. **Workaround**: Only use icons that are 16x16 or 32x32. diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index ff8fff1d70..cee9484018 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md 
@@ -28,9 +28,9 @@ The following list displays the end–to-end high-level workflow for reporting i * Windows Authentication role (under **IIS / Security**) * SQL Server installed and running with SQL Server Reporting Services (SSRS) - To confirm SQL Server Reporting Services is running, enter in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should appear. -2. Install the App-V reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server. -3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports](https://www.microsoft.com/download/details.aspx?id=42630). + To confirm SQL Server Reporting Services is running, enter `https://localhost/Reports` in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should appear. +2. Install the App-V reporting server and associated database. For more information about installing the reporting server, see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server. +3. If you aren't using an electronic software distribution system such as Configuration Manager to view reports, then you can define reports in SQL Server Reporting Service. 
> [!NOTE] >If you are using the Configuration Manager integration with App-V, most reports are generated from Configuration Manager rather than from App-V. @@ -43,13 +43,13 @@ The following list displays the end–to-end high-level workflow for reporting i To immediately send App-V report data, run **Send-AppvClientReport** on the App-V client. For more information about configuring reporting on the App-V client, see [About client configuration settings](appv-client-configuration-settings.md). To administer App-V Reporting with Windows PowerShell, see [How to enable reporting on the App-V client by using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md). -5. After the reporting server receives the data from the App-V client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server, which then notifies the App-V client. +5. After the reporting server receives the data from the App-V client, it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server, which then notifies the App-V client. 6. When the App-V client receives the success notification, it empties the data cache to conserve space. > [!NOTE] >By default, the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. - If the App-V client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. + If the App-V client device doesn't receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. ### App-V reporting server frequently asked questions 
@@ -57,7 +57,7 @@ The following sections provide answers to frequently asked questions about how A #### How frequently is reporting information sent to the reporting database? -Frequency depends on the computer running the App-V client's reporting configuration. You must configure the frequency or interval for sending the reporting data manually, as App-V reporting is not enabled by default. +Frequency depends on the computer running the App-V client's reporting configuration. You must configure the frequency or interval for sending the reporting data manually, as App-V reporting isn't enabled by default. #### What information is stored in the reporting server database? 
@@ -73,10 +73,10 @@ The following information is stored in the reporting database: It depends. Three sets of data can be sent to the reporting server: * Operating system and App-V client information, which is about 150 Bytes every time it gets sent to the server. -* Published package lists, which are about 7 KB per 30 packages. This is sent only when the package list is updated with a publishing refresh, which is done infrequently; if there is no change, this information is not sent. -* Virtual application usage information is about 0.25 KB per event. Opening and closing count as one event if both occur before sending the information. When sending using a scheduled task, only the data since the last successful upload is sent to the server. If sending manually through the Windows PowerShell cmdlet, there is an optional argument called **DeleteOnSuccess** that controls if the data needs to be re-sent the next time around. +* Published package lists, which are about 7 KB per 30 packages. This is sent only when the package list is updated with a publishing refresh, which is done infrequently; if there's no change, this information isn't sent. +* Virtual application usage information is about 0.25 KB per event. Opening and closing count as one event if both occur before sending the information. When the information is sent through a scheduled task, only the data since the last successful upload is sent to the server. If sending manually through the Windows PowerShell cmdlet, there's an optional argument called **DeleteOnSuccess** that controls if the data needs to be resent the next time around. -For example, if twenty applications are opened and closed and reporting information is scheduled to be sent daily, the typical daily traffic should be about 0.15 KB + 20 × 0.25 KB, or about 5 KB/user. 
+For example, if 20 applications are opened and closed and reporting information is scheduled to be sent daily, the typical daily traffic should be about 0.15 KB + 20 × 0.25 KB, or about 5 KB/user. #### Can I schedule reporting? @@ -96,7 +96,7 @@ Yes. Besides manually sending reporting using Windows PowerShell cmdlets (**Send ## App-V Client reporting -To use App-V reporting you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting. +To use App-V reporting,, you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting. ### Configuring App-V client reporting using Windows PowerShell 
@@ -177,7 +177,7 @@ Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess If the reporting server has been previously configured, then the **–URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection. -The **-DeleteOnSuccess** parameter indicates that if the transfer is successful, then the data cache will be cleared. If this is not specified, then the cache will not be cleared. +The **-DeleteOnSuccess** parameter indicates that if the transfer is successful, then the data cache will be cleared. If the transfer-status isn't specified, then the cache won't be cleared. ### Manual Data Collection @@ -185,16 +185,16 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data. |With a reporting server|Without a reporting server| |---|---| -|f you have an existing App-V reporting server, create a customized scheduled task or script. Specify that the client sends the data to the specified location at the desired frequency.|If you do not have an existing App-V reporting Server, use the **–URL** parameter to send the data to a specified share. For example: ```Send-AppVClientReport –URL \\Myshare\MyData\ -DeleteOnSuccess```
              The previous example will send the reporting data to the ```\\MyShare\MyData\``` location indicated by the **-URL** parameter. After the data has been sent, the cache is cleared.| +|f you have an existing App-V reporting server, create a customized scheduled task or script. Specify that the client sends the data to the specified location at the desired frequency.|If you don't have an existing App-V reporting Server, use the **–URL** parameter to send the data to a specified share. For example: ```Send-AppVClientReport –URL \\Myshare\MyData\ -DeleteOnSuccess```
              The previous example will send the reporting data to the ```\\MyShare\MyData\``` location indicated by the **-URL** parameter. After the data has been sent, the cache is cleared.| >[!NOTE] >If a location other than the Reporting Server is specified, the data is sent in **.xml** format with no additional processing. ### Creating reports -To retrieve report information and create reports using App-V you must use one of the following methods: +To retrieve report information and create reports using App-V, you must use one of the following methods: -* Microsoft SQL Server Reporting Services (SSRS)—Microsoft SSRS is available with Microsoft SQL Server. SSRS is not installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports. For more information, see the [What is SQL Server Reporting Services (SSRS)?](/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) article. +* Microsoft SQL Server Reporting Services (SSRS)—Microsoft SSRS is available with Microsoft SQL Server. SSRS isn't installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports. For more information, see the [What is SQL Server Reporting Services (SSRS)?](/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) article. * Scripting—You can generate reports by scripting directly against the App-V reporting database. For example: diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index a005d725cb..8f37e1c8d1 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md 
@@ -22,7 +22,7 @@ ms.author: aaroncz - Windows Server 2012 R2 - Windows Server 2016 -You can run a locally installed application in a virtual environment, alongside applications that have been virtualized by using Microsoft Application Virtualization (App-V). You might want to do this if you: +You can run a locally installed application in a virtual environment, alongside applications that have been virtualized by using Microsoft Application Virtualization (App-V). You might want to do this task if you: - Want to install and run an application locally on client computers, but want to virtualize and run specific plug-ins that work with that local application. @@ -45,7 +45,7 @@ Each method accomplishes essentially the same task, but some methods may be bett To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections. -There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Manager or another electronic software distribution (ESD) system, or manually edit the registry. +There's no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Manager or another electronic software distribution (ESD) system, or manually edit the registry. Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user. 
@@ -63,16 +63,16 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo For example, create `HKEY_CURRENT_USER \SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe`. - Connection group can be: - - Packages that are published just globally or just to the user + - Packages that are published globally or just to the user - Packages that are published globally and to the user - Use the `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER` key. But, all of the following must be true: + Use the `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER` key. But, all of the following conditions must be fulfilled: - If you want to include multiple packages in the virtual environment, you must include them in an enabled connection group. - Create only one subkey for one of the packages in the connection group. If, for example, you have one package that is published globally, and another package that is published to the user, you create a subkey for either of these packages, but not both. Although you create a subkey for only one of the packages, all of the packages in the connection group, plus the local application, will be available in the virtual environment. - The key under which you create the subkey must match the publishing method you used for the package. - For example, if you published the package to the user, you must create the subkey under `HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual`. Do not add a key for the same application under both hives. + For example, if you published the package to the user, you must create the subkey under `HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual`. Don't add a key for the same application under both hives. 2. Set the new registry subkey’s value to the PackageId and VersionId of the package, separating the values with an underscore. 
@@ -80,7 +80,7 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo **Example**: 4c909996-afc9-4352-b606-0b74542a09c1\_be463724-Oct1-48f1-8604-c4bd7ca92fa - The application in the previous example would produce a registry export file (.reg file) like the following: + The application in the previous example would produce a registry export file (.reg file) like the following example: ```registry Windows Registry Editor Version 5.00 diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index 46ae70c3ee..4c9e36326a 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md 
@@ -19,15 +19,15 @@ ms.topic: article This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). >[!IMPORTANT] ->App-V is not a security product and does not provide any guarantees for a secure environment. +>App-V isn't a security product and doesn't provide any guarantees for a secure environment. ## The PackageStoreAccessControl (PSAC) feature has been deprecated -Effective as of June, 2014, the PackageStoreAccessControl (PSAC) feature introduced in Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2) has been deprecated in both single-user and multi-user environments. +Effective as of June 2014, the PackageStoreAccessControl (PSAC) feature introduced in Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2) has been deprecated in both single-user and multi-user environments. ## General security considerations -**Understand the security risks.** The most serious risk to App-V is from unauthorized users hijacking an App-V client's functionality, giving the hacker the ability to reconfigure key data on App-V clients. By comparison, short-term loss of App-V functionality from a denial-of-service attack would not be as catastrophic. +**Understand the security risks.** The most serious risk to App-V is from unauthorized users hijacking an App-V client's functionality, giving the hacker the ability to reconfigure key data on App-V clients. By comparison, short-term loss of App-V functionality from a denial-of-service attack wouldn't be as catastrophic. **Physically secure your computers**. A security strategy that doesn't consider physical security is incomplete. Anyone with physical access to an App-V server could potentially attack the entire client base, so potential physical attacks or thefts should be prevented at all cost. App-V servers should be stored in a physically secure server room with controlled access. 
Lock the computer with the operating system or a secured screen saver to keep computers secure when the administrators are away. @@ -50,8 +50,8 @@ No groups are created automatically during App-V setup. You should create the fo |---|---|---| |App-V Management Admin group|Used to manage the App-V management server. This group is created during the App-V Management Server installation.|The management console can't create a new group after installation is complete.| |Database read/write for Management Service account|Provides read/write access to the management database. This account should be created during App-V management database installation.|| -|App-V Management Service install admin account|Provides public access to schema-version table in management database. This account should be created during App-V management database installation.|This is only required if the management database is being installed separately from the service.| -|App-V Reporting Service install admin account|Public access to schema-version table in reporting database. This account should be created during the App-V reporting database installation.|This is only required if reporting database is being installed separately from the service.| +|App-V Management Service install admin account|Provides public access to schema-version table in management database. This account should be created during App-V management database installation.|This account is only required if the management database is being installed separately from the service.| +|App-V Reporting Service install admin account|Public access to schema-version table in reporting database. This account should be created during the App-V reporting database installation.|This account is only required if reporting database is being installed separately from the service.| Consider the following additional information: 
@@ -62,9 +62,9 @@ Consider the following additional information: ### App-V package security -The following will help you plan how to ensure that virtualized packages are secure. +The following information will help you plan how to ensure that virtualized packages are secure. -* If an application installer applies an access control list (ACL) to a file or directory, then that ACL is not persisted in the package. If the file or directory is modified by a user when the package is deployed, the modified file or directory will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory. The former occurs if the file or directory does not exist in a virtual file system location; the latter occurs if the file or directory exists in a virtual file system location, such as **%windir%**. +* If an application installer applies an access control list (ACL) to a file or directory, then that ACL isn't persisted in the package. If the file or directory is modified by a user when the package is deployed, the modified file or directory will either inherit the ACL in the **%userprofile%** or inherit the ACL of the target computer’s directory. The former occurs if the file or directory doesn't exist in a virtual file system location; the latter occurs if the file or directory exists in a virtual file system location, such as **%windir%**. ## App-V log files diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 4342db61a0..0214e455b2 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md 
@@ -50,7 +50,7 @@ You can install the App-V Management server on a server running Windows Server 2 ### Management server hardware requirements * A 64-bit (x64) processor that runs at 1.4 GHz or faster. -* 1 GB RAM (64-bit). +* 1-GB RAM (64-bit). * 200 MB of available hard disk space, not including the content directory. ### Management server database requirements @@ -59,7 +59,7 @@ The following table lists the SQL Server versions that the App-V Management data |SQL Server version|Service pack|System architecture| |---|---|---| -|Microsoft SQL Server 2019||32-bit or 64-bit| +|Microsoft SQL Server 2019|CU4|32-bit or 64-bit| |Microsoft SQL Server 2017||32-bit or 64-bit| |Microsoft SQL Server 2016|SP2|32-bit or 64-bit| |Microsoft SQL Server 2014||32-bit or 64-bit| @@ -74,10 +74,10 @@ The App-V Publishing server can be installed on a server that runs Windows Serve ### Publishing server hardware requirements -App-V adds no additional requirements beyond those of Windows Server. +App-V adds requires nothing beyond the requirements of Windows Server. * A 64-bit (x64) processor that runs at 1.4 GHz or faster. -* 2 GB RAM (64-bit). +* 2-GB RAM (64-bit). * 200 MB of available hard disk space, not including the content directory. ### Reporting server operating system requirements @@ -86,10 +86,10 @@ You can install the App-V Reporting server on a server running Windows Server 20 ### Reporting server hardware requirements -App-V adds no additional requirements beyond those of Windows Server. +App-V adds no other requirements beyond those requirements of Windows Server. * A 64-bit (x64) processor that runs at 1.4 GHz or faster. -* 2 GB RAM (64-bit). +* 2-GB RAM (64-bit). * 200 MB of available hard disk space, not including the content directory. ### Reporting server database requirements 
@@ -98,6 +98,7 @@ The following table lists the SQL Server versions that are supported for the App |SQL Server version|Service pack|System architecture| |---|---|---| +|Microsoft SQL Server 2019|CU4|32-bit or 64-bit| |Microsoft SQL Server 2017||32-bit or 64-bit| |Microsoft SQL Server 2016|SP2|32-bit or 64-bit| |Microsoft SQL Server 2014||32-bit or 64-bit| diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index 6c11271006..36c6a128fb 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md 
@@ -24,21 +24,21 @@ This section provides reference information related to managing App-V. - [Performance Guidance for Application Virtualization](appv-performance-guidance.md) - Provides strategy and context for many performance optimizations. Not all practices will be applicable. However, these are tested and supported. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience. + Provides strategy and context for many performance optimizations. Not all practices will be applicable. However, these practices are tested and supported. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience. - [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) Describes how the following App-V client operations affect the local operating system: - App-V files and data storage locations -- package registry -- package store behavior -- roaming registry and data -- client application lifecycle management -- integration of App-V packages -- dynamic configuration -- side-by-side assemblies -- client logging +- Package registry +- Package store behavior +- Roaming registry and data +- Client application lifecycle management +- Integration of App-V packages +- Dynamic configuration +- Side-by-side assemblies +- Client logging - [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 82f04edd79..69dd653179 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md 
+++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -21,13 +21,13 @@ Use the following procedure to transfer the access and default package configura **To transfer access and configurations to another version of a package** -1. To view the package that you want to configure, open the App-V Management Console. Select the package to which you will transfer the new configuration, right-click the package and select **transfer default configuration from** or **transfer access and configurations from**, depending on the configuration that you want to transfer. +1. To view the package that you want to configure, open the App-V Management Console. Select the package to which you'll transfer the new configuration, right-click the package and select **transfer default configuration from** or **transfer access and configurations from**, depending on the configuration that you want to transfer. 2. To transfer the configuration, in the **Select Previous Version** dialog box, select the package that contains the settings that you want to transfer, and then click **OK**. If you select **transfer default configuration from**, then only the underlying dynamic deployment configuration will be transferred. - If you select **transfer access and configurations from**, then all access permissions, as well as the configuration settings, will be copied. + If you select **transfer access and configurations from**, then all access permissions, and the configuration settings, will be copied. diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index 0977cd8d6f..33d519b976 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md 
@@ -19,13 +19,6 @@ ms.author: aaroncz This topic provides information about using the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. -## Obtain the client management console - -The client management console is separate from the App-V client itself. You can download the client management console from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=41186). - -> [!NOTE] -> To perform all of the actions available using the client management console, you must have administrative access on the computer running the App-V client. - ## Options for managing the App-V client The App-V client has associated settings that can be configured to determine how the client will run in your environment. You can manage these settings on the computer that runs the client, or you can use Windows PowerShell or Group Policy. For more information about configuring the client by using Windows PowerShell or Group Policy, see: diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 2d457de57d..b9d63a3d9c 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md 
@@ -25,11 +25,11 @@ Users have the ability to control background activity for their device through t ![Background apps settings page.](images/backgroundapps-setting.png) -The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop:  +The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, and turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here's the set of available controls on desktop:  ![Battery usage by app on desktop.](images/battery-usage-by-app-desktop.png) -Here is the set of available controls for mobile devices:  +Here's the set of available controls for mobile devices:  ![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png) 
@@ -48,13 +48,13 @@ These policies control the background activity battery settings for Universal Wi An app can determine which settings are in place for itself by using [BackgroundExecutionManager.RequestAccessAsync](/uwp/api/Windows.ApplicationModel.Background.BackgroundAccessStatus) before any background activity is attempted, and then examining the returned [BackgroundAccessStatus](/uwp/api/windows.applicationmodel.background.backgroundaccessstatus) enumeration. The values of this enumeration correspond to settings in the **battery usage by App** settings page:     -- **AlwaysAllowed**: Corresponds to **Always Allowed in Background** and **Managed By User**. This enables apps to run as much as possible in the background, including while the device is in battery saver mode. +- **AlwaysAllowed**: Corresponds to **Always Allowed in Background** and **Managed By User**. This correspondence enables apps to run as much as possible in the background, including while the device is in battery saver mode.    -- **AllowedSubjectToSystemPolicy**: This is the default value. It corresponds to **Managed by Windows**. This enables apps to run in the background as determined by Windows. If the device is currently in the battery saver state then background activities do not run.  +- **AllowedSubjectToSystemPolicy**: This value is the default one. It corresponds to **Managed by Windows**. This correspondence enables apps to run in the background as determined by Windows. If the device is currently in the battery saver state, then background activities don't run.     -- **DeniedDueToSystemPolicy**: Corresponds to **Managed by Windows** and indicates that the system has determined that the app cannot currently run in the background.  +- **DeniedDueToSystemPolicy**: Corresponds to **Managed by Windows** and indicates that the system has determined that the app can't currently run in the background.     -- **DeniedByUser**: Corresponds to **Never Allowed in the Background**. 
The app cannot run in the background. Either the configuration in the settings app, or enterprise policy, has defined that this app is not allowed to run in the background.  +- **DeniedByUser**: Corresponds to **Never Allowed in the Background**. The app can't run in the background. Either the configuration in the settings app, or enterprise policy, has defined that this app isn't allowed to run in the background.  The Universal Windows Platform ensures that consumers will have great battery life and that foreground apps will perform well. Enterprises have the ability to change settings to enable scenarios specific to their business needs. Administrators can use the **Background apps** policies to enable or disable whether a UWP app can run in the background. diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 270911d1f0..b166f06efd 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -53,7 +53,7 @@ You can sideload apps on managed or unmanaged devices. Managed devices are typically owned by your organization. They're managed by Group Policy (on-premises), or a Mobile Device Management (MDM) provider, such as Microsoft Intune (cloud). Bring your own devices (BYOD) and personal devices can also be managed by your organization. On managed devices, you can create a policy that turns on sideloading, and then deploy this policy to your Windows devices. -Unmanaged devices are devices that are not managed by your organization. These devices are typically personal devices owned by users. Users can turn on sideloading using the Settings app. +Unmanaged devices are devices that aren't managed by your organization. These devices are typically personal devices owned by users. Users can turn on sideloading using the Settings app. > [!IMPORTANT] > To install an app on Windows client, you can: 
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md index 29bf7f6ae6..6158870fa4 100644 --- a/windows/application-management/svchost-service-refactoring.md +++ b/windows/application-management/svchost-service-refactoring.md @@ -16,7 +16,7 @@ manager: dougeby > Applies to: Windows 10 -The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance does not affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example: +The **Service Host (svchost.exe)** is a shared-service process that serves as a shell for loading services from DLL files. Services are organized into related host groups, and each group runs inside a different instance of the Service Host process. In this way, a problem in one instance doesn't affect other instances. Service Host groups are determined by combining the services with matching security requirements. For example: * Local Service * Local Service No Network 
@@ -33,7 +33,7 @@ Benefits of this design change include: * Increased reliability by insulating critical network services from the failure of another non-network service in the host, and adding the ability to restore networking connectivity seamlessly when networking components crash. * Reduced support costs by eliminating the troubleshooting overhead associated with isolating misbehaving services in the shared host. -* Increased security by providing additional inter-service isolation +* Increased security by providing more inter-service isolation * Increased scalability by allowing per-service settings and privileges * Improved resource management through per-service CPU, I/O and memory management and increase clear diagnostic data (report CPU, I/O and network usage per service). 
@@ -58,24 +58,24 @@ Compare that to the same view of running processes in Windows 10 version 1703: ## Exceptions -Some services will continue to be grouped on PCs running with 3.5GB or higher RAM. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services. +Some services will continue to be grouped on PCs running with 3.5 GB or higher RAM. For example, the Base Filtering Engine (BFE) and the Windows Firewall (Mpssvc) will be grouped together in a single host group, as will the RPC Endpoint Mapper and Remote Procedure Call services. If you need to identify services that will continue to be grouped, in addition to seeing them in Task Manager and using command line tools, you can look for the *SvcHostSplitDisable* value in their respective service keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. The default value of **1** prevents the service from being split. -For example, this is the registry key configuration for BFE: +For example, the registry key configuration for BFE is: ![Example of a service that cannot be separated.](media/svchost-separation-disabled.png) ## Memory footprint -Be aware that separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) +Separating services increases the total number of SvcHost instances, which increases memory utilization. (Service grouping provided a modest reduction to the overall resource footprint of the services involved.) 
-Consider the following: +Consider the following example: -|Grouped Services (< 3.5GB) | Split Services (3.5GB+) +|Grouped Services (< 3.5 GB) | Split Services (3.5 GB+) |--------------------------------------- | ------------------------------------------ | |![Memory utilization for grouped services.](media/svchost-grouped-utilization.png) |![Memory utilization for separated services](media/svchost-separated-utilization.png) | diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 95c6a16227..59c8210b09 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md 
@@ -18,11 +18,11 @@ ms.collection: highpri ## Overview -This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution. +This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves many third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution. ## Scenarios -This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication are attempted and then fail to establish. The workflow covers Windows 7 through Windows 10 (and Windows 11) for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. ## Known issues 
@@ -38,9 +38,9 @@ Viewing [NPS authentication status events](/previous-versions/windows/it-pro/win NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article. -Check the Windows Security event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. +Check the Windows Security event log on the NPS Server for NPS events that correspond to the rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or the accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. -In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. +In the event message, scroll to the bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. ![example of an audit failure.](images/auditfailure.png) *Example: event ID 6273 (Audit Failure)*

              @@ -48,7 +48,7 @@ In the event message, scroll to the very bottom, and then check the [Reason Code ![example of an audit success.](images/auditsuccess.png) *Example: event ID 6272 (Audit Success)*
              -‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. +‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, if connectivity problems occur, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example: @@ -114,7 +114,7 @@ auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enab Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**. -## Additional references +## More references [Troubleshooting Windows Vista 802.11 Wireless Connections](/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
              [Troubleshooting Windows Vista Secure 802.3 Wired Connections](/previous-versions/windows/it-pro/windows-vista/cc749352(v=ws.10)) diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 858333629a..dd92af8c4f 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -46,11 +46,11 @@ Essential drivers required to start the Windows kernel are loaded and the kernel **4. Windows NT OS Kernel** -The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START. +The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START. -The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START. +The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START. -Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. +Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. ![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)
              [Click to enlarge](img-boot-sequence.md)
              @@ -76,15 +76,15 @@ To determine whether the system has passed the BIOS phase, follow these steps: 1. If there are any external peripherals connected to the computer, disconnect them. -2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase. +2. Check whether the hard disk drive light on the physical computer is working. If it's not working, this dysfunction indicates that the startup process is stuck at the BIOS phase. -3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS. +3. Press the NumLock key to see whether the indicator light toggles on and off. If it doesn't toggle, this dysfunction indicates that the startup process is stuck at BIOS. If the system is stuck at the BIOS phase, there may be a hardware problem. ## Boot loader phase -If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase: +If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase: - Boot Configuration Data (BCD) missing or corrupted - Boot file or MBR corrupted 
@@ -100,7 +100,7 @@ To troubleshoot this problem, use Windows installation media to start the comput The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically. -To do this, follow these steps. +To do this task of invoking the Startup Repair tool, follow these steps. > [!NOTE] > For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). @@ -144,7 +144,7 @@ BOOTREC /FIXBOOT If you receive BCD-related errors, follow these steps: -1. Scan for all the systems that are installed. To do this, run the following command: +1. Scan for all the systems that are installed. To do this step, run the following command: ```console Bootrec /ScanOS @@ -152,7 +152,7 @@ If you receive BCD-related errors, follow these steps: 2. Restart the computer to check whether the problem is fixed. -3. If the problem is not fixed, run the following commands: +3. If the problem isn't fixed, run the following commands: ```console bcdedit /export c:\bcdbackup 
@@ -168,7 +168,7 @@ If you receive BCD-related errors, follow these steps: ### Method 4: Replace Bootmgr -If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps: +If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this replacement, follow these steps: 1. At a command prompt, change the directory to the System Reserved partition. @@ -198,7 +198,7 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv ### Method 5: Restore System Hive -If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config. +If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config. If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. @@ -207,7 +207,7 @@ If the problem persists, you may want to restore the system state backup to an a ## Kernel Phase -If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: +If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples: - A Stop error appears after the splash screen (Windows Logo screen). 
@@ -250,7 +250,7 @@ On the **Advanced Boot Options** screen, try to start the computer in **Safe Mod ### Clean boot To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig). -Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party. +Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party. Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**. @@ -275,7 +275,7 @@ problems can be solved. Modify the registry at your own risk. To troubleshoot this Stop error, follow these steps to filter the drivers: -1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version. +1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version. 2. Open the registry. @@ -291,7 +291,7 @@ To troubleshoot this Stop error, follow these steps to filter the drivers: 7. Restart the server in Normal mode. -For additional troubleshooting steps, see the following articles: +For more troubleshooting steps, see the following articles: - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) 
@@ -316,7 +316,7 @@ To fix problems that occur after you install Windows updates, check for pending Try to start the computer. -If the computer does not start, follow these steps: +If the computer doesn't start, follow these steps: 1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad. @@ -348,7 +348,7 @@ If the Stop error occurs late in the startup process, or if the Stop error is st - [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md) -For more information about page file problems in Windows 10 or Windows Server 2016, see the following: +For more information about page file problems in Windows 10 or Windows Server 2016, see the following article: - [Introduction to page files](./introduction-page-file.md) For more information about Stop errors, see the following Knowledge Base article: @@ -359,7 +359,7 @@ If the dump file shows an error that is related to a driver (for example, window - Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does. -- If the driver is not important and has no dependencies, load the system hive, and then disable the driver. +- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver. - If the stop error indicates system file corruption, run the system file checker in offline mode. @@ -371,7 +371,7 @@ If the dump file shows an error that is related to a driver (for example, window For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues) - - If there is disk corruption, run the check disk command: + - If there's disk corruption, run the check disk command: ```console chkdsk /f /r 
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index a9300a5ef2..8ab2aede4e 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -20,7 +20,7 @@ ms.topic: troubleshooting ## Overview -This is a general troubleshooting of establishing Wi-Fi connections from Windows clients. +This overview describes the general troubleshooting of establishing Wi-Fi connections from Windows clients. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found. This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario. 
@@ -29,11 +29,11 @@ This workflow involves knowledge and use of [TextAnalysisTool](https://github.co This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7. > [!NOTE] -> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario. +> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It's not meant to be representative of every wireless problem scenario. -Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. +Wireless ETW is incredibly verbose and calls out many innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. -It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors. 
+It's important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors. The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem. ### Known Issues and fixes @@ -57,14 +57,14 @@ Make sure that you install the latest Windows updates, cumulative updates, and r ## Data Collection -1. Network Capture with ETW. Enter the following at an elevated command prompt: +1. Network Capture with ETW. Enter the following command at an elevated command prompt: ```console netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl ``` 2. Reproduce the issue. - - If there is a failure to establish connection, try to manually connect. - - If it is intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure. + - If there's a failure to establish connection, try to manually connect. + - If it's intermittent but easily reproducible, try to manually connect until it fails. Record the time of each connection attempt, and whether it was a success or failure. - If the issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data. - If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop). 3. Stop the trace by entering the following command: 
@@ -78,11 +78,11 @@ Make sure that you install the latest Windows updates, cumulative updates, and r netsh trace convert c:\tmp\wireless.etl ``` -See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you will have three files: wireless.cab, wireless.etl, and wireless.txt. +See the [example ETW capture](#example-etw-capture) at the bottom of this article for an example of the command output. After running these commands, you'll have three files: wireless.cab, wireless.etl, and wireless.txt. ## Troubleshooting -The following is a high-level view of the main wifi components in Windows. +The following view is a high-level one of the main wifi components in Windows. |Wi-fi Components|Description| |--- |--- | @@ -116,7 +116,7 @@ Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnaly Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page. -The following is an example of a good connection setup: +An example of a good connection setup is: ```console 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset @@ -127,7 +127,7 @@ The following is an example of a good connection setup: 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected ``` -The following is an example of a failed connection setup: +An example of a failed connection setup is: ```console 44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset 
@@ -138,9 +138,9 @@ The following is an example of a failed connection setup: 49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming ``` -By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. +By identifying the state at which the connection fails, one can focus more specifically in the trace on logs prior to the last known good state. -Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components. +Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components. In many cases the next component of interest will be the MSM, which lies just below Wlansvc. The important components of the MSM include: @@ -149,10 +149,10 @@ The important components of the MSM include: ![MSM details.](images/msmdetails.png) -Each of these components has their own individual state machines which follow specific transitions. +Each of these components has its own individual state machines that follow specific transitions. Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail. -Continuing with the example above, the combined filters look like this: +Further to the preceding example, the combined filters look like the following command example: ```console [2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: @@ -177,7 +177,7 @@ Authenticating to State: Roaming > [!NOTE] > In the next to last line the SecMgr transition is suddenly deactivating:
              >\[2\] 0C34.2FF0::08/28/17-13:24:29.7512788 \[Microsoft-Windows-WLAN-AutoConfig\]Port\[13\] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)

              ->This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation. +>This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing prior to this SecMgr behavior to determine the reason for the deactivation. Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition: @@ -203,7 +203,7 @@ The trail backwards reveals a **Port Down** notification: Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication. -Below, the MSM is the native wifi stack. These are Windows native wifi drivers which talk to the wifi miniport drivers. It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it. +Below, the MSM is the native wifi stack. These drivers are Windows native wifi drivers that talk to the wifi miniport drivers. It's responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it. Enable trace filter for **[Microsoft-Windows-NWifi]:** 
@@ -230,7 +230,7 @@ In the trace above, we see the line: [0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4 ``` -This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP. +This line is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This denail could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This action would be done by examining internal logging/tracing from the AP. ### Resources diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index ec54bee4ae..cf0c18ee1d 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -31,11 +31,11 @@ From its release, Windows 10 has supported remote connections to PCs joined to A ## Set up -- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. -- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported. -- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop. +- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported. +- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. +- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. -Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC. +Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC. - On the PC you want to connect to: 
@@ -45,7 +45,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ![Allow remote connections to this computer.](images/allow-rdp.png) - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: + 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: - Adding users manually @@ -55,14 +55,14 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ``` where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - In order to execute this PowerShell command you be a member of the local Administrators group. Otherwise, you'll get an error like this example: + In order to execute this PowerShell command, you must be a member of the local Administrators group. Otherwise, you'll get an error like this example: - for cloud only user: "There is no such global user or group : *name*" - for synced user: "There is no such global user or group : *name*"
              > [!NOTE] > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. > - > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. - Adding users using policy diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md index 0002838314..8717d386a2 100644 --- a/windows/client-management/data-collection-for-802-authentication.md +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -42,7 +42,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl ``` -3. Run the following command to enable CAPI2 logging and increase the size : +3. Run the following command to enable CAPI2 logging and increase the size: ``` wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600 
@@ -70,7 +70,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl ``` -6. Run the following command to enable CAPI2 logging and increase the size : +6. Run the following command to enable CAPI2 logging and increase the size: ``` wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600 @@ -241,7 +241,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx ``` - - Run the following 3 commands on Windows Server 2012 and later: + - Run the following commands on Windows Server 2012 and later: ``` wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx @@ -320,7 +320,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx ``` - - Run the following 3 lines on Windows 2012 and up + - Run the following lines on Windows 2012 and up ``` wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx 
@@ -371,9 +371,9 @@ Use the following steps to collect wireless and wired logs on Windows and Window reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.txt ``` 3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf -4. Log on to a domain controller and create C:\MSLOG to store captured logs. +4. Sign in to a domain controller and create C:\MSLOG to store captured logs. 5. Launch Windows PowerShell as an administrator. -6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain. +6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for "; test.local"; domain. ```powershell Import-Module ActiveDirectory diff --git a/windows/client-management/determine-appropriate-page-file-size.md b/windows/client-management/determine-appropriate-page-file-size.md index be28170923..6c0e959124 100644 --- a/windows/client-management/determine-appropriate-page-file-size.md +++ b/windows/client-management/determine-appropriate-page-file-size.md 
@@ -15,7 +15,7 @@ ms.collection: highpri # How to determine the appropriate page file size for 64-bit versions of Windows -Page file sizing depends on the system crash dump setting requirements and the peak usage or expected peak usage of the system commit charge. Both considerations are unique to each system, even for systems that are identical. This means that page file sizing is also unique to each system and cannot be generalized. +Page file sizing depends on the system crash dump setting requirements and the peak usage or expected peak usage of the system commit charge. Both considerations are unique to each system, even for systems that are identical. This uniqueness means that page file sizing is also unique to each system and can't be generalized. ## Determine the appropriate page file size 
@@ -23,17 +23,17 @@ Use the following considerations for page file sizing for all versions of Window ### Crash dump setting -If you want a crash dump file to be created during a system crash, a page file or a dedicated dump file must exist and be large enough to back up the system crash dump setting. Otherwise, a system memory dump file is not created. +If you want a crash dump file to be created during a system crash, a page file or a dedicated dump file must exist and be large enough to back up the system crash dump setting. Otherwise, a system memory dump file isn't created. For more information, see [Support for system crash dumps](introduction-page-file.md#support-for-system-crash-dumps) section. ### Peak system commit charge -The system commit charge cannot exceed the system commit limit. This limit is the sum of physical memory (RAM) and all page files combined. If no page files exist, the system commit limit is slightly less than the physical memory that is installed. Peak system-committed memory usage can vary greatly between systems. Therefore, physical memory and page file sizing also vary. +The system commit charge can't exceed the system commit limit. This limit is the sum of physical memory (RAM) and all page files combined. If no page files exist, the system commit limit is slightly less than the physical memory that is installed. Peak system-committed memory usage can vary greatly between systems. Therefore, physical memory and page file sizing also vary. ### Quantity of infrequently accessed pages -The purpose of a page file is to *back* (support) infrequently accessed modified pages so that they can be removed from physical memory. This provides more available space for more frequently accessed pages. The "\Memory\Modified Page List Bytes" performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk. 
However, be aware that not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list. Therefore, consider extending or adding a page file if all the following conditions are true: +The purpose of a page file is to *back* (support) infrequently accessed modified pages so that they can be removed from physical memory. This removal provides more available space for more frequently accessed pages. The "\Memory\Modified Page List Bytes" performance counter measures, in part, the number of infrequently accessed modified pages that are destined for the hard disk. However, not all the memory on the modified page list is written out to disk. Typically, several hundred megabytes of memory remains resident on the modified list. Therefore, consider extending or adding a page file if all the following conditions are true: - More available physical memory (\Memory\Available MBytes) is required. 
@@ -43,7 +43,7 @@ The purpose of a page file is to *back* (support) infrequently accessed modified ## Support for system crash dumps -A system crash (also known as a “bug check” or a "Stop error") occurs when the system cannot run correctly. The dump file that is produced from this event is called a system crash dump. A page file or dedicated dump file is used to write a crash dump file (Memory.dmp) to disk. Therefore, a page file or a dedicated dump file must be large enough to support the kind of crash dump selected. Otherwise, the system cannot create the crash dump file. +A system crash (also known as a “bug check” or a "Stop error") occurs when the system can't run correctly. The dump file that is produced from this event is called a system crash dump. A page file or dedicated dump file is used to write a crash dump file (Memory.dmp) to disk. Therefore, a page file or a dedicated dump file must be large enough to support the kind of crash dump selected. Otherwise, the system can't create the crash dump file. >[!Note] >During startup, system-managed page files are sized respective to the system crash dump settings. This assumes that enough free disk space exists. 
@@ -57,29 +57,29 @@ A system crash (also known as a “bug check” or a "Stop error") occurs when t \* 1 MB of header data and device drivers can total 256 MB of secondary crash dump data. -The **Automatic memory dump** setting is enabled by default. This is a setting instead of a kind of crash dump. This setting automatically selects the best page file size, depending on the frequency of system crashes. +The **Automatic memory dump** setting is enabled by default. This setting is an alternative to a kind of crash dump. This setting automatically selects the best page file size, depending on the frequency of system crashes. The Automatic memory dump feature initially selects a small paging file size. It would accommodate the kernel memory most of the time. If the system crashes again within four weeks, the Automatic memory dump feature sets the page file size as either the RAM size or 32 GB, whichever is smaller. -Kernel memory crash dumps require enough page file space or dedicated dump file space to accommodate the kernel mode side of virtual memory usage. If the system crashes again within four weeks of the previous crash, a Complete memory dump is selected at restart. This requires a page file or dedicated dump file of at least the size of physical memory (RAM) plus 1 MB for header information plus 256 MB for potential driver data to support all the potential data that is dumped from memory. Again, the system-managed page file will be increased to back this kind of crash dump. If the system is configured to have a page file or a dedicated dump file of a specific size, make sure that the size is sufficient to back the crash dump setting that is listed in the table earlier in this section together with and the peak system commit charge. +Kernel memory crash dumps require enough page file space or dedicated dump file space to accommodate the kernel mode side of virtual memory usage. 
If the system crashes again within four weeks of the previous crash, a Complete memory dump is selected at restart. This dump requires a page file or dedicated dump file of at least the size of physical memory (RAM) plus 1 MB for header information plus 256 MB for potential driver data to support all the potential data that is dumped from memory. Again, the system-managed page file will be increased to back this kind of crash dump. If the system is configured to have a page file or a dedicated dump file of a specific size, make sure that the size is sufficient to back the crash dump setting that is listed in the table earlier in this section together with and the peak system commit charge. ### Dedicated dump files -Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators now have the option to create a dedicated dump file instead. +Computers that are running Microsoft Windows or Microsoft Windows Server usually must have a page file to support a system crash dump. System administrators can now create a dedicated dump file instead. -A dedicated dump file is a page file that is not used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. We recommend that you use a dedicated dump file if you want a system crash dump but you do not want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options). +A dedicated dump file is a page file that isn't used for paging. Instead, it is “dedicated” to back a system crash dump file (Memory.dmp) when a system crash occurs. Dedicated dump files can be put on any disk volume that can support a page file. 
We recommend that you use a dedicated dump file if you want a system crash dump but you don't want a page file. To learn how to create it, see [Overview of memory dump file options for Windows](/troubleshoot/windows-server/performance/memory-dump-file-options). ## System-managed page files -By default, page files are system-managed. This means that the page files increase and decrease based on many factors, such as the amount of physical memory installed, the process of accommodating the system commit charge, and the process of accommodating a system crash dump. +By default, page files are system-managed. This system management means that the page files increase and decrease based on many factors, such as the amount of physical memory installed, the process of accommodating the system commit charge, and the process of accommodating a system crash dump. -For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. This all assumes that the logical disk that is hosting the page file is large enough to accommodate the growth. +For example, when the system commit charge is more than 90 percent of the system commit limit, the page file is increased to back it. This surge continues to occur until the page file reaches three times the size of physical memory or 4 GB, whichever is larger. Therefore, it's assumes that the logical disk that is hosting the page file is large enough to accommodate the growth. The following table lists the minimum and maximum page file sizes of system-managed page files in Windows 10 and Windows 11. |Minimum page file size |Maximum page file size| |---------------|------------------| -|Varies based on page file usage history, amount of RAM (RAM ÷ 8, max 32 GB) and crash dump settings. |3 × RAM or 4 GB, whichever is larger. 
This is then limited to the volume size ÷ 8. However, it can grow to within 1 GB of free space on the volume if required for crash dump settings.| +|Varies based on page file usage history, amount of RAM (RAM ÷ 8, max 32 GB) and crash dump settings. |3 × RAM or 4 GB, whichever is larger. This size is then limited to the volume size ÷ 8. However, it can grow to within 1 GB of free space on the volume if necessary for crash dump settings.| ## Performance counters @@ -87,7 +87,7 @@ Several performance counters are related to page files. This section describes t ### \Memory\Page/sec and other hard page fault counters -The following performance counters measure hard page faults (which include, but are not limited to, page file reads): +The following performance counters measure hard page faults (which include, but aren't limited to, page file reads): - \Memory\Page/sec @@ -103,7 +103,7 @@ The following performance counters measure page file writes: Hard page faults are faults that must be resolved by retrieving the data from disk. Such data can include portions of DLLs, .exe files, memory-mapped files, and page files. These faults might or might not be related to a page file or to a low-memory condition. Hard page faults are a standard function of the operating system. They occur when the following items are read: -- Parts of image files (.dll and .exe files) as they are used +- Parts of image files (.dll and .exe files) as they're used - Memory-mapped files 
@@ -111,11 +111,11 @@ Hard page faults are faults that must be resolved by retrieving the data from di High values for these counters (excessive paging) indicate disk access of generally 4 KB per page fault on x86 and x64 versions of Windows and Windows Server. This disk access might or might not be related to page file activity but may contribute to poor disk performance that can cause system-wide delays if the related disks are overwhelmed. -Therefore, we recommend that you monitor the disk performance of the logical disks that host a page file in correlation with these counters. Be aware that a system that has a sustained 100 hard page faults per second experiences 400 KB per second disk transfers. Most 7,200 RPM disk drives can handle about 5 MB per second at an IO size of 16 KB or 800 KB per second at an IO size of 4 KB. No performance counter directly measures which logical disk the hard page faults are resolved for. +Therefore, we recommend that you monitor the disk performance of the logical disks that host a page file in correlation with these counters. A system that has a sustained 100 hard page faults per second experiences 400 KB per second disk transfers. Most 7,200-RPM disk drives can handle about 5 MB per second at an IO size of 16 KB or 800 KB per second at an IO size of 4 KB. No performance counter directly measures which logical disk the hard page faults are resolved for. ### \Paging File(*)\% Usage -The \Paging File(*)\% Usage performance counter measures the percentage of usage of each page file. 100 percent usage of a page file does not indicate a performance problem as long as the system commit limit is not reached by the system commit charge, and if a significant amount of memory is not waiting to be written to a page file. +The \Paging File(*)\% Usage performance counter measures the percentage of usage of each page file. 
100 percent usage of a page file doesn't indicate a performance problem as long as the system commit limit isn't reached by the system commit charge, and if a significant amount of memory isn't waiting to be written to a page file. >[!Note] >The size of the Modified Page List (\Memory\Modified Page List Bytes) is the total of modified data that is waiting to be written to disk. 
@@ -127,4 +127,4 @@ If the Modified Page List (a list of physical memory pages that are the least fr ## Multiple page files and disk considerations -If a system is configured to have more than one page files, the page file that responds first is the one that is used. This means that page files that are on faster disks are used more frequently. Also, whether you put a page file on a “fast” or “slow” disk is important only if the page file is frequently accessed and if the disk that is hosting the respective page file is overwhelmed. Be aware that actual page file usage depends greatly on the amount of modified memory that the system is managing. This means that files that already exist on disk (such as .txt, .doc, .dll, and .exe) are not written to a page file. Only modified data that does not already exist on disk (for example, unsaved text in Notepad) is memory that could potentially be backed by a page file. After the unsaved data is saved to disk as a file, it is backed by the disk and not by a page file. +If a system is configured to have more than one page files, the page file that responds first is the one that is used. This customized configuration means that page files that are on faster disks are used more frequently. Also, whether you put a page file on a “fast” or “slow” disk is important only if the page file is frequently accessed and if the disk that is hosting the respective page file is overwhelmed. Actual page file usage depends greatly on the amount of modified memory that the system is managing. This dependency means that files that already exist on disk (such as .txt, .doc, .dll, and .exe) aren't written to a page file. Only modified data that doesn't already exist on disk (for example, unsaved text in Notepad) is memory that could potentially be backed by a page file. After the unsaved data is saved to disk as a file, it's backed by the disk and not by a page file. 
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md index 12bd194bc7..b3c3a0f026 100644 --- a/windows/client-management/generate-kernel-or-complete-crash-dump.md +++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md @@ -46,7 +46,7 @@ To enable memory dump setting, follow these steps: When the computer crashes and restarts, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed. -Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This can cause a prolonged server outage. +Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best-case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This read-and-write process can cause a prolonged server outage. >[!Note] >Use this method to generate complete memory dump files with caution. Ideally, you should do this only when you are explicitly requested to by the Microsoft Support engineer. Any kernel or complete memory dump file debugging should be the last resort after all standard troubleshooting methods have been completely exhausted. 
@@ -55,7 +55,7 @@ Depending on the speed of the hard disk on which Windows is installed, dumping m ### Use the NotMyFault tool -If you can log on while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool. To do this, follow these steps: +If you can sign in while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool by following these steps: 1. Download the [NotMyFault](https://download.sysinternals.com/files/NotMyFault.zip) tool. 
@@ -71,17 +71,17 @@ If you can log on while the problem is occurring, you can use the Microsoft Sysi ### Use NMI -On some computers, you cannot use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard is not attached to the HP BladeSystem server. +On some computers, you can't use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard isn't attached to the HP BladeSystem server. In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor. -To do this, follow these steps: +To implement this process, follow these steps: > [!IMPORTANT] > Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. > [!NOTE] -> This registry key is not required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect. +> This registry key isn't required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect. 1. In Registry Editor, locate the following registry subkey: 
@@ -104,7 +104,7 @@ To do this, follow these steps: >[!Note] >For the exact steps, see the BIOS reference manual or contact your hardware vendor. -9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction. +9. Test this method on the server by using the NMI switch to generate a dump file. You'll see a STOP 0x00000080 hardware malfunction. If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/azure/virtual-machines/linux/serial-console-nmi-sysrq). diff --git a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md index ecfa4c5ca0..9b1d7821f3 100644 --- a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md +++ b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md 
@@ -9,4 +9,4 @@ ms.prod: edge ms.topic: include --- -Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. +Microsoft Edge doesn't use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. diff --git a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md index 9d39c7e091..6fa1849707 100644 --- a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md +++ b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and more diagnostic data, such as usage data. diff --git a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md index 1aca979b7e..06b4e1eb02 100644 --- a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md +++ b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. To use fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. diff --git a/windows/client-management/includes/allow-saving-history-shortdesc.md b/windows/client-management/includes/allow-saving-history-shortdesc.md index 9acffb1e18..822a8f9b81 100644 --- a/windows/client-management/includes/allow-saving-history-shortdesc.md +++ b/windows/client-management/includes/allow-saving-history-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy doesn't stop roaming of existing browsing history or browsing history from other devices. diff --git a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md index 4992a19eab..1ecba430cb 100644 --- a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md +++ b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md 
@@ -1,11 +1,16 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can execute the following tasks in Settings: +- Add new search engines +- Change the default search engine + +With this policy, you can prevent users from customizing the search engine in the Microsoft Edge browser. diff --git a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md index e16dbdc2db..985741be58 100644 --- a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md +++ b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but doesn't prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md index f4a61c024c..cd9e9d9751 100644 --- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md +++ b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md 
@@ -1,11 +1,18 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +The Set default search engine policy enables the users to: + +- Set a default search engine +- Configure up to five more search engines, and set any one of them as the default + +If you previously enabled this policy and now want to disable it, doing so results in deletion of all the configured search engines + diff --git a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md index 75a3631a95..90eddc5182 100644 --- a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md +++ b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge doesn't send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID. diff --git a/windows/client-management/includes/configure-do-not-track-shortdesc.md b/windows/client-management/includes/configure-do-not-track-shortdesc.md index dd27fad917..c5253680b3 100644 --- a/windows/client-management/includes/configure-do-not-track-shortdesc.md +++ b/windows/client-management/includes/configure-do-not-track-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge doesn't send ‘Do Not Track’ requests to websites that ask for tracking information. However, users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md index 0247b490e6..8397ff7c18 100644 --- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md +++ b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md 
@@ -1,11 +1,22 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +You can define a behavior for the Microsoft Edge browser, which it shall display when part of many applications running on a kiosk device. + +> [!NOTE] +> You can define the browser's behavior only if you have the assigned access privileges. + +You can also define a behavior when Microsoft Edge serves as a single application. + +You can facilitate the following functionalities in the Microsoft Edge browser: +- Execution of InPrivate full screen +- Execution of InPrivate multi-tab with a tailored experience for kiosks +- Provision for normal browsing diff --git a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md index 8d1cc4f603..97d9c264c0 100644 --- a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md +++ b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allows users to make changes. With this policy, you can configure Microsoft Edge to load the Start page, New Tab page, or the previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. diff --git a/windows/client-management/includes/configure-start-pages-shortdesc.md b/windows/client-management/includes/configure-start-pages-shortdesc.md index 146511b737..e8c18a3d8b 100644 --- a/windows/client-management/includes/configure-start-pages-shortdesc.md +++ b/windows/client-management/includes/configure-start-pages-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users can't make changes. diff --git a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md index 62547e8955..8eeb1e44a5 100644 --- a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md +++ b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users can't disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. diff --git a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md index 37ff4011ad..37156ee3a7 100644 --- a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md +++ b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies can't be changed, and they remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start pages or any Start page configured with the Configure Start pages policy. diff --git a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md index 5bf46ea949..f4acce9ce0 100644 --- a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md +++ b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, users can access the about:flags page in Microsoft Edge that is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page. diff --git a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md index 7264330137..b7331dd725 100644 --- a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md +++ b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +The Microsoft Edge browser allows users to uninstall extensions, by default. When the users work with extensions that come under a policy that is enabled, they can configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any extra permissions requested by future updates of the extension get granted automatically. If - at this stage - you disable the policy, the list of extension package family names (PFNs) defined in this policy get ignored. diff --git a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md index 5ef4bbdeca..b7b66d315b 100644 --- a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md +++ b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md 
@@ -1,11 +1,12 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +By default, Microsoft Edge shows localhost IP address while making calls through usage of the WebRTC protocol. Enabling this policy hides the localhost IP addresses. diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md index 30b9677f92..2ddbc5c6d7 100644 --- a/windows/client-management/includes/provision-favorites-shortdesc.md +++ b/windows/client-management/includes/provision-favorites-shortdesc.md 
@@ -1,11 +1,21 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -audience: itpro manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured. +--- +author: dansimp +ms.author: dansimp +ms.date: 10/02/2018 +ms.reviewer: +audience: itpro +manager: dansimp +ms.prod: edge +ms.topic: include +--- + +You can customize the Favorites list in the Microsoft Edge browser. Customization of the favorites list includes: + +- Creating a standard list + - This standard list includes: + - Folders (which you can add) + - the list of favorites that you manually add, after creating the standard list + +This customized favorite is the final version. + + diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index 329d185fad..be5ce9c487 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md 
@@ -35,7 +35,7 @@ For example, the following Windows servers require page files: - Certificate servers - ADAM/LDS servers -This is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to make sure that the database cache can release memory if other services or applications request memory. +This requirement is because the algorithm of the database cache for Extensible Storage Engine (ESENT, or ESE for Microsoft Exchange Server) depends on the "\Memory\Transition Pages RePurposed/sec" performance monitor counter. A page file is required to ensure that the database cache can release memory if other services or applications request memory. For Windows Server 2012 Hyper-V and Windows Server 2012 R2 Hyper-V, the page file of the management OS (commonly called the host OS) should be left at the default of setting of "System Managed". diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index f953bdeb3d..100a615574 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md 
@@ -47,16 +47,8 @@ You can use the same management tools to manage all device types running Windows [Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) -[Azure AD Join on Windows 10 (and Windows 11) devices](https://go.microsoft.com/fwlink/p/?LinkId=616791) - -[Azure AD support for Windows 10 (and Windows 11)](https://go.microsoft.com/fwlink/p/?LinkID=615765) - [Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) -[How to manage Windows 10 (and Windows 11) devices using Intune](https://go.microsoft.com/fwlink/p/?LinkId=613620) - -[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207) - Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/) diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 3774c02704..29a9358bf0 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md 
@@ -27,19 +27,19 @@ By using Windows operating systems, administrators can determine what devices ca ## Introduction ### General -This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and cannot install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios: +This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios: -- Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it. -- Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it. +- Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it. +- Allow users to install only devices that are on an "approved" list. If a device isn't on the list, then the user can't install it. This guide describes the device installation process and introduces the device identification strings that Windows uses to match a device with the device-driver packages available on a machine. The guide also illustrates two methods of controlling device installation. Each scenario shows, step by step, one method you can use to allow or prevent the installation of a specific device or a class of devices. -The example device used in the scenarios is a USB storage device. You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide will not exactly match the user interface that appears on the computer. +The example device used in the scenarios is a USB storage device. 
You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide won't exactly match the user interface that appears on the computer. -It is important to understand that the Group Policies that are presented in this guide are only apply to machines/machine-groups, not to users/user-groups. +It's important to understand that the Group Policies that are presented in this guide are only applied to machines/machine-groups, not to users/user-groups. > [!IMPORTANT] -> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide is not meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document. +> The steps provided in this guide are intended for use in a test lab environment. This step-by-step guide isn't meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document. ### Who Should Use This Guide? 
@@ -56,7 +56,7 @@ Restricting the devices that users can install reduces the risk of data theft an #### Reduce the risk of data theft -It is more difficult for users to make unauthorized copies of company data if users' computers cannot install unapproved devices that support removable media. For example, if users cannot install a USB thumb-drive device, they cannot download copies of company data onto a removable storage. This benefit cannot eliminate data theft, but it creates another barrier to unauthorized removal of data. +It's more difficult for users to make unauthorized copies of company data if users' computers can't install unapproved devices that support removable media. For example, if users can't install a USB thumb-drive device, they can't download copies of company data onto a removable storage. This benefit can't eliminate data theft, but it creates another barrier to unauthorized removal of data. #### Reduce support costs @@ -82,7 +82,7 @@ In this scenario, the administrator allows standard users to install all printer ### Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed -In this scenario, you will combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This is a more realistic scenario and brings you a step farther in understanding of the Device Installation Restrictions policies. +In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. ### Scenario #4: Prevent installation of a specific USB device 
@@ -90,7 +90,7 @@ This scenario, although similar to scenario #2, brings another layer of complexi ### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive -In this scenario, combining all previous 4 scenarios, you will learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first 4 scenarios and therefore it is preferred to go over them first before attempting this scenario. +In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. ## Technology Review 
@@ -99,9 +99,9 @@ The following sections provide a brief overview of the core technologies discuss ### Device Installation in Windows -A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it is a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. +A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. -When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages. +When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. 
The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages. Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows to specify which of these identifiers to allow or block. 
@@ -122,24 +122,24 @@ Windows can use each string to match a device to a driver package. The strings r ##### Hardware IDs -Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision is not available. +Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision. This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision isn't available. ##### Compatible IDs -Windows uses these identifiers to select a driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device. +Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. 
When a match is made using a compatible ID, you can typically use only the most basic functions of the device. When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library. > [!NOTE] > For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging. -Some physical devices create one or more logical devices when they are installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function. +Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function. 
-When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you did not allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs. +When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs. #### Device setup classes -Device setup classes (also known as _Class_) are another type of identification string. The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices are belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached. +Device setup classes (also known as _Class_) are another type of identification string. 
The manufacturer assigns the Class to a device in the driver package. The Class groups devices that are installed and configured in the same way. For example, all Biometric devices belong to the Biometric Class (ClassGuid = {53D29EF7-377C-4D14-864B-EB3A85769359}), and they use the same co-installer when installed. A long number called a globally unique identifier (GUID) represents each device setup class. When Windows starts, it builds an in-memory tree structure with the GUIDs for all of the detected devices. Along with the GUID for the Class of the device itself, Windows may need to insert into the tree the GUID for the Class of the bus to which the device is attached. When you use device Classes to allow or prevent users from installing drivers, you must specify the GUIDs for all of the device's device setup classes, or you might not achieve the results you want. The installation might fail (if you want it to succeed) or it might succeed (if you want it to fail). 
@@ -147,36 +147,36 @@ For example, a multi-function device, such as an all-in-one scanner/fax/printer, For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs. -This guide does not depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. +This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. -The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly refer to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly refer to devices that could be connected to an existing computer/machine: +The following two links provide the complete list of Device Setup Classes. 
‘System Use’ classes are mostly referred to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly referred to devices that could be connected to an existing computer/machine: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) #### ‘Removable Device’ Device type -Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it is connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. +Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. ### Group Policy Settings for Device Installation Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. -Device Installation section in Group Policy is a set of policies that control which device could or could not be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more details, see Group Policy Object Editor Technical Reference. +Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. 
Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see Group Policy Object Editor Technical Reference. The following passages are brief descriptions of the Device Installation policies that are used in this guide. > [!NOTE] -> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You cannot apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. +> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. #### Allow administrators to override Device Installation Restriction policies -This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. 
If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or do not configure this policy setting, administrators are subject to all policy settings that restrict device installation. +This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you disable or don't configure this policy setting, administrators are subject to all policy settings that restrict device installation. #### Allow installation of devices that match any of these device IDs -This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. 
If you disable or do not configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device. +This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device. #### Allow installation of devices that match any of these device instance IDs 
@@ -184,20 +184,20 @@ This policy setting allows you to specify a list of Plug and Play device instanc #### Allow installation of devices using drivers that match these device setup classes -This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and does not take precedence over any policy setting that would prevent users from installing a device. If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting. If you disable or do not configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device. +This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled and doesn't take precedence over any policy setting that would prevent users from installing a device. 
If you enable this setting, users can install and update any device with a hardware ID or compatible ID that matches one of the IDs in this list if that installation hasn't been prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users can't install it even if the device is also described by a value in this policy setting. If you disable or don't configure this policy setting and no other policy setting describes the device, the Prevent installation of devices not described by other policy settings policy setting determines whether users can install the device. #### Prevent installation of devices that match these device IDs -This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users cannot install. If you enable this policy setting, users cannot install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or do not configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation. +This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users can't install. If you enable this policy setting, users can't install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or don't configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation. Note: This policy setting takes precedence over any other policy settings that allow users to install a device. 
This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device. #### Prevent installation of devices that match any of these device instance IDs -This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. #### Prevent installation of devices using drivers that match these device setup classes -This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users cannot install. If you enable this policy setting, users cannot install or update devices that belong to any of the listed device setup classes. 
If you disable or do not configure this policy setting, users can install and update devices as permitted by other policy settings for device installation. +This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users can't install. If you enable this policy setting, users can't install or update devices that belong to any of the listed device setup classes. If you disable or don't configure this policy setting, users can install and update devices as permitted by other policy settings for device installation. Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device from being installed even if it matches another policy setting that would allow installation of that device. ### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria 
@@ -209,7 +209,7 @@ This policy setting will change the evaluation order in which Allow and Prevent > [!NOTE] > This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. > -> If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. +> If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below. 
@@ -222,11 +222,11 @@ Some of these policies take precedence over other policies. The flowchart shown ### General -To complete each of the scenarios, please ensure your have: +To complete each of the scenarios, ensure your have: - A client computer running Windows. -- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives do not require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. +- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. - A USB/network printer pre-installed on the machine. 
@@ -234,18 +234,18 @@ To complete each of the scenarios, please ensure your have: ### Understanding implications of applying ‘Prevent’ policies retroactive -All ‘Prevent’ policies have an option to apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator is not sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. +All ‘Prevent’ policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones. -This is a powerful tool, but as such it has to be used carefully. +This option is a powerful tool, but as such it has to be used carefully. > [!IMPORTANT] > Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection. ## Determine device identification strings -By following these steps, you can determine the device identification strings for your device. 
If the hardware IDs and compatible IDs for your device do not match those shown in this guide, use the IDs that are appropriate to your device (this applies to Instance IDs and Classes, but we are not going to give an example for them in this guide). +By following these steps, you can determine the device identification strings for your device. If the hardware IDs and compatible IDs for your device don't match those IDs shown in this guide, use the IDs that are appropriate to your device (this policy applies to Instance IDs and Classes, but we aren't going to give an example for them in this guide). You can determine the hardware IDs and compatible IDs for your device in two ways. You can use Device Manager, a graphical tool included with the operating system, or PnPUtil, a command-line tool available for all Windows versions. Use the following procedure to view the device identification strings for your device. @@ -268,7 +268,7 @@ To find device identification strings using Device Manager ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)
              _Open the ‘Details’ tab to look for the device identifiers_ -6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies. +6. From the ‘Value’ window, copy the most detailed Hardware ID – we'll use this value in the policies. ![HWID.](images/device-installation-dm-printer-hardware-ids.png) @@ -283,7 +283,7 @@ To find device identification strings using Device Manager pnputil /enum-devices /ids ``` -Here is an example of an output for a single device on a machine: +Here's an example of an output for a single device on a machine: ```console @@ -310,7 +310,7 @@ Compatible IDs: PCI\VEN_8086&DEV_2F34&REV_02 ## Scenario #1: Prevent installation of all printers -In this simple scenario, you will learn how to prevent the installation of an entire Class of devices. +In this simple scenario, you'll learn how to prevent the installation of an entire Class of devices. ### Setting up the environment @@ -335,7 +335,7 @@ Getting the right device identifier to prevent it from being installed: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -3. Our current scenario is focused on preventing all printers from being installed, as such here is the Class GUID for most of printers in the market: +3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: > Printers\ > Class = Printer\ 
@@ -343,7 +343,7 @@ Getting the right device identifier to prevent it from being installed: > This class includes printers. > [!NOTE] - > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system. + > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they're not blocking any other existing device that is crucial to your system. Creating the policy to prevent all printers from being installed: @@ -357,15 +357,15 @@ Creating the policy to prevent all printers from being installed: 4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block. +5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
              _List of prevent Class GUIDs_ 7. Click ‘OK’. -8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. 9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ @@ -374,13 +374,13 @@ Creating the policy to prevent all printers from being installed: ### Testing the scenario -1. If you have not completed step #9 – follow these steps: +1. If you haven't completed step #9 – follow these steps: 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. - 1. You should not be able to reinstall the printer. + 1. You shouldn't be able to reinstall the printer. -2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use. +2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. ## Scenario #2: Prevent installation of a specific printer 
@@ -392,13 +392,13 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Make sure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this is optional to be On/Off this scenario). Although the policy is disabled in default, it is recommended to be enabled in most practical applications. For scenario #2 it is optional. +2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional. ### Scenario steps – preventing installation of a specific device Getting the right device identifier to prevent it from being installed: -1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously +1. Get your printer’s Hardware ID – in this example we'll use the identifier we found previously ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)
              _Printer Hardware ID_ @@ -414,7 +414,7 @@ Creating the policy to prevent a single printer from being installed: 3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. -4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to block. +4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to block. 5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0 
@@ -422,26 +422,26 @@ Creating the policy to prevent a single printer from being installed: 6. Click ‘OK’. -7. Click ‘Apply’ on the bottom right of the policy’s window. This pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install. +7. Click ‘Apply’ on the bottom right of the policy’s window. This option pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install. 8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’. ### Testing the scenario -If you completed step #8 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use. +If you completed step #8 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. -If you have not completed step #8, follow these steps: +If you haven't completed step #8, follow these steps: 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. 2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. -3. You should not be able to reinstall the printer. +3. You shouldn't be able to reinstall the printer. ## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed -Now, using the knowledge from both previous scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed. 
+Now, using the knowledge from both previous scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single printer to be installed. ### Setting up the environment @@ -474,15 +474,15 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block. +5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
              _List of prevent Class GUIDs_ 7. Click ‘OK’. -8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. 9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’ @@ -494,7 +494,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. -10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to allow. +10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. 11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. 
@@ -502,18 +502,18 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 12. Click ‘OK’. -13. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and allows the target printer to be installed (or stayed installed). +13. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and allows the target printer to be installed (or stayed installed). ## Testing the scenario -1. Simply look for your printer under Device Manager or the Windows Settings app and see that it is still there and accessible. Or just print a test document. +1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document. -2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you should not be bale to print anything or able to access the printer at all. +2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you shouldn't be bale to print anything or able to access the printer at all. ## Scenario #4: Prevent installation of a specific USB device -The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you will gain an understanding of how some devices are built into the PnP (Plug and Play) device tree. +The scenario builds upon the knowledge from scenario #2, Prevent installation of a specific printer. In this scenario, you'll gain an understanding of how some devices are built into the PnP (Plug and Play) device tree. ### Setting up the environment 
@@ -521,7 +521,7 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section -2. Make sure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this is optional to be On/Off this scenario) – although the policy is disabled in default, it is recommended to be enabled in most practical applications. +2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario) – although the policy is disabled in default, it's recommended to be enabled in most practical applications. ### Scenario steps – preventing installation of a specific device @@ -546,7 +546,7 @@ Getting the right device identifier to prevent it from being installed and its l 5. Double-click the USB thumb-drive and move to the ‘Details’ tab. -6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 +6. From the ‘Value’ window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)
              _USB device hardware IDs_ @@ -560,7 +560,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed: 3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. -4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This will take you to a table where you can enter the device identifier to block. +4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This option will take you to a table where you can enter the device identifier to block. 5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07 
@@ -568,24 +568,24 @@ Creating the policy to prevent a single USB thumb-drive from being installed: 6. Click ‘OK’. -7. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install. +7. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install. 8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’ ### Testing the scenario -1. If you have not completed step #8 – follow these steps: +1. If you haven't completed step #8 – follow these steps: - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”. - - You should not be able to reinstall the device. + - You shouldn't be able to reinstall the device. -2. If you completed step #8 above and restarted the machine, simply look for your Disk drives under Device Manager and see that it is no-longer available for you to use. +2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use. ## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive -Now, using the knowledge from all the previous 4 scenarios, you will learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed. 
+Now, using the knowledge from all the previous four scenarios, you'll learn how to prevent the installation of an entire Class of devices while allowing a single authorized USB thumb-drive to be installed. ### Setting up the environment @@ -611,11 +611,11 @@ Getting the device identifier for both the USB Classes and a specific USB thumb- - USB Device - Class = USBDevice - ClassGuid = {88BAE032-5A81-49f0-BC3D-A4FF138216D6} - - USBDevice includes all USB devices that do not belong to another class. This class is not used for USB host controllers and hubs. + - USBDevice includes all USB devices that don't belong to another class. This class isn't used for USB host controllers and hubs. - Hardware ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 -As mentioned in scenario #4, it is not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one are not blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: +As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: - “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03 - “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30 @@ -623,18 +623,18 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I ![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)
              _USB devices nested under each other in the PnP tree_ -These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine. +These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine. > [!IMPORTANT] -> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it is important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: +> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: > > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ > USB\USB20_HUB (for Generic USB Hubs)/ > -> Specifically for desktop machines, it is very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. +> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. 
Failing to do so could block a user from accessing its machine through HID devices. > -> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it is done. +> Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one: @@ -648,7 +648,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the class identifier to block. +5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. 6. Enter both USB classes GUID you found above with the curly braces: @@ -657,7 +657,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 7. Click ‘OK’. -8. Click ‘Apply’ on the bottom right of the policy’s window – this pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs. +8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs. > [!IMPORTANT] > The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice. 
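Review bot: in the @@ -611 hunk, the rewritten sentence keeps three grammar errors from the original: "all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed". Suggest "all the USB devices that precede the target one are also allowed (not blocked). In our case, the following devices have to be allowed so the target USB thumb-drive can be allowed as well:". Also "enable only a single hardware ID in order to enable a single USB thumb-drive" should use "allow", since that is the policy name being discussed.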
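Review bot: in the @@ -623 hunk, "> Some device in the system have several layers of connectivity" needs "Some devices". More importantly, the generic allow list in that callout includes "PCI\VEN_8086", which is a vendor-only ID that matches every Intel PCI device on the machine, not only USB host controllers; combined with the "Allow installation of devices that match any of these device IDs" policy in scenario #5, that entry allows far more than the "(for Host Controllers)" label suggests. The callout should say that these generic IDs are a broad starting point and that admins should prefer the specific host-controller and hub IDs they collected in Device Manager (PCI\CC_0C03, USB\ROOT_HUB30 in this walkthrough), which is what the scenario steps actually use.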
@@ -668,7 +668,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one 10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. -11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This will take you to a table where you can enter the device identifier to allow. +11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. 12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07 @@ -682,4 +682,4 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one ### Testing the scenario -You should not be able to install any USB thumb-drive, except the one you authorized for usage +You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 0e9dd8a789..cc38c493dd 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
@@ -17,9 +17,9 @@ ms.topic: article # Manage Windows 10 in your organization - transitioning to modern management -Use of personal devices for work, as well as employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization. +Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization. -Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist. +Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. 
While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist. Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. @@ -50,7 +50,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man ## Deployment and Provisioning -With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: +With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can: - Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/). 
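Review bot: in the @@ -17 hunk, replacing "as well as" with "and" while keeping the commas leaves the subject cut off from its verb: "Use of personal devices for work, and employees working outside the office, may be changing". Suggest dropping both commas: "Use of personal devices for work and employees working outside the office may be changing how your organization manages devices."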
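Review bot: in the @@ -50 hunk, the unchanged bullet "enabled by a cloud-based device management services such as [Microsoft Autopilot]" mixes singular article and plural noun; since the hunk already touches this paragraph, suggest "enabled by cloud-based device management services such as".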
@@ -59,7 +59,7 @@ With Windows 10, you can continue to use traditional OS deployment, but you can - Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction). -You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7. +You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive – everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7. ## Identity and Authentication 
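Review bot: in the @@ -59 hunk, "This process usage can mean lower deployment costs" is not idiomatic; suggest "Using the in-place upgrade can mean lower deployment costs, and improved productivity, as end users can be immediately productive". Dropping "significantly" and "Of course" is fine.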
@@ -73,8 +73,8 @@ You can envision user and device management as falling into these two categories - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. -- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises. - With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This provides: +- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. + With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides: - Single sign-on to cloud and on-premises resources from everywhere 
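Review bot: in the @@ -73 hunk, the rewrite "These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises" makes "accessing" hang off "require". Suggest "These may be traditional applications that require authentication, or resources that are highly sensitive or classified and reside on-premises." "This registration provides:" is a good fix.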
@@ -98,7 +98,7 @@ As you review the roles in your organization, you can use the following generali Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.  -**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go. +**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. 
**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices: @@ -115,7 +115,7 @@ MDM with Intune provide tools for applying Windows updates to client computers i ## Next steps -There are a variety of steps you can take to begin the process of modernizing device management in your organization: +There are various steps you can take to begin the process of modernizing device management in your organization: **Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies. 
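Review bot: in the @@ -98 hunk, "This provision makes MDM the best choice for devices that are constantly on the go" uses the wrong noun; nothing is being provisioned here. Suggest "This capability makes MDM the best choice". In the same line, "without using GP that requires on-premises domain-joined devices" reads better as "without Group Policy, which requires on-premises domain-joined devices".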
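Review bot: in the @@ -115 hunk, the unchanged context line has a verb-agreement error in the list "minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance"; suggest "reassess" so the three verbs are parallel. Since the hunk already touches this paragraph, worth fixing here.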
@@ -123,10 +123,10 @@ There are a variety of steps you can take to begin the process of modernizing de **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md) +**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. 
You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md) -**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details: +**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details: - [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview) - [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare) @@ -135,6 +135,6 @@ There are a variety of steps you can take to begin the process of modernizing de ## Related topics -- [What is Intune?](//mem/intune/fundamentals/what-is-intune) +- [What is Intune?](/mem/intune/fundamentals/what-is-intune) - [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md) - [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 5f2a7ff230..7be2cf47f8 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md 
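Review bot: in the @@ -123 hunk, the rewrite broke a sentence that was grammatical before: "Configuration Manager 1710 onward, co-management enables you to concurrently manage". Suggest "From Configuration Manager version 1710 onward, co-management enables you to manage Windows 10 devices concurrently by using both Configuration Manager and Intune." The link fix from "//mem/intune/..." to "/mem/intune/..." in @@ -135 is correct.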
@@ -19,7 +19,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic > [!NOTE] > The AccountManagement CSP is only supported in Windows Holographic for Business edition. -The following shows the AccountManagement configuration service provider in tree format. +The following syntax shows the AccountManagement configuration service provider in tree format. ```console ./Vendor/MSFT @@ -41,7 +41,7 @@ Interior node. **UserProfileManagement/EnableProfileManager** Enable profile lifetime management for shared or communal device scenarios. Default value is false. -Supported operations are Add, Get,Replace, and Delete. Value type is bool. +Supported operations are Add, Get, Replace, and Delete. Value type is bool. **UserProfileManagement/DeletionPolicy** Configures when profiles will be deleted. Default value is 1. 
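Review bot: in the @@ -19 hunk, "The following syntax shows the AccountManagement configuration service provider in tree format" is inaccurate: the fenced block is a node tree, not syntax. The activesync-csp.md change in this same PR uses "The following example shows"; pick one wording ("The following example shows" or "The following tree shows") and use it for every CSP topic touched here.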
@@ -52,19 +52,19 @@ Valid values: - 1 - delete at storage capacity threshold - 2 - delete at both storage capacity threshold and profile inactivity threshold -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **UserProfileManagement/StorageCapacityStartDeletion** Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **UserProfileManagement/StorageCapacityStopDeletion** Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **UserProfileManagement/ProfileInactivityThreshold** -Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30. +Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 1269c2797e..badfb5ccd9 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md 
@@ -1,6 +1,6 @@ --- title: Accounts CSP -description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & joint them to a group. +description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -17,7 +17,7 @@ manager: dansimp The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803. -The following shows the Accounts configuration service provider in tree format. +The following syntax shows the Accounts configuration service provider in tree format. ``` ./Device/Vendor/MSFT @@ -37,7 +37,7 @@ Root node. Interior node for the account domain information. **Domain/ComputerName** -This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. +This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. Available naming macros: 
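Review bot: in the @@ -1 hunk, the description metadata still uses an ampersand: "create local Windows accounts & join them to a group"; suggest "and", since this string is rendered as the page summary. The @@ -17 hunk has the same "The following syntax shows" wording problem as accountmanagement-csp.md (a node tree is not syntax), and in @@ -37 "on-premises Active directory" should be "Active Directory".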
@@ -61,9 +61,9 @@ This node specifies the username for a new local user account. This setting can This node specifies the password for a new local user account. This setting can be managed remotely. Supported operation is Add. -GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. +GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager. **Users/_UserName_/LocalUserGroup** -This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. +This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. Supported operation is Add. diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index e69eef0c44..307391743a 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md 
@@ -17,7 +17,7 @@ ms.date: 06/26/2017 The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status. -Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported. +Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported. > [!NOTE] > The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path. @@ -28,7 +28,7 @@ The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in th -The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. +The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. ``` ./Vendor/MSFT @@ -86,7 +86,7 @@ Defines a specific ActiveSync account. A globally unique identifier (GUID) must Supported operations are Get, Add, and Delete. -When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account. +When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and doesn't create the new account. Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example: 
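Review bot: in the @@ -86 hunk, the sentence "Provisioning with an account that has the same GUID as an existing one deletes the existing account and doesn't create the new account" describes destructive behaviour but sits in a plain paragraph. This topic already uses "> [!NOTE]" callouts; suggest moving that sentence into a "> [!IMPORTANT]" callout so an admin writing OMA DM provisioning does not miss that a GUID collision deletes an existing Exchange account. "The following example shows" in @@ -28 is the wording the other CSP topics in this PR should adopt.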
@@ -107,7 +107,7 @@ For OMA DM, you must use the ASCII values of %7B and %7D for the opening and clo ***Account GUID*/EmailAddress** Required. A character string that specifies the email address associated with the Exchange ActiveSync account. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com". 
@@ -119,21 +119,21 @@ Supported operations are Get, Replace, Add, and Delete. ***Account GUID*/AccountIcon** Required. A character string that specifies the location of the icon associated with the account. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired. ***Account GUID*/AccountType** Required. A character string that specifies the account type. -Supported operations are Get and Add (cannot Add after the account is created). +Supported operations are Get and Add (can't Add after the account is created). -This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange". +This value is entered during setup and can't be modified once entered. An Exchange account is indicated by the string value "Exchange". ***Account GUID*/AccountName** Required. A character string that specifies the name that refers to the account on the device. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). ***Account GUID*/Password** Required. A character string that specifies the password for the account. 
@@ -145,14 +145,14 @@ For the Get command, only asterisks are returned. ***Account GUID*/ServerName** Required. A character string that specifies the server name used by the account. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). ***Account GUID*/UserName** Required. A character string that specifies the user name for the account. -Supported operations are Get, and Add (cannot Add after the account is created). +Supported operations are Get, and Add (can't Add after the account is created). -The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com". +The user name can't be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com". **Options** Node for other parameters. 
@@ -163,9 +163,9 @@ Specifies the time window used for syncing calendar items to the device. Value t **Options/Logging** Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled). -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). -Valid values are one of the following: +Valid values are any of the following values: - 0 (default) - Logging is off. @@ -173,7 +173,7 @@ Valid values are one of the following: - 2 - Advanced logging is enabled. -Logging is set to off by default. The user might be asked to set this to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic. +Logging is set to off by default. The user might be asked to set this logging to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic. **Options/MailBodyType** Indicates the email format. Valid values: 
@@ -185,19 +185,19 @@ Indicates the email format. Valid values: - 4 - MIME **Options/MailHTMLTruncation** -Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation. +Specifies the size beyond which HTML-formatted email messages are truncated when they're synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation. **Options/MailPlainTextTruncation** -This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. +This setting specifies the size beyond which text-formatted e-mail messages are truncated when they're synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. **Options/UseSSL** Optional. A character string that specifies whether SSL is used. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). Valid values are: -- 0 - SSL is not used. +- 0 - SSL isn't used. - 1 (default) - SSL is used. @@ -206,7 +206,7 @@ Required. A character string that specifies the time until the next sync is perf Supported operations are Get and Replace. -Valid values are one of the following: +Valid values are any of the following values: - -1 (default) - A sync will occur as items are received @@ -223,7 +223,7 @@ Required. A character string that specifies the time window used for syncing ema Supported operations are Get and Replace. -Valid values are one of the following: +Valid values are any of the following values: - 0 – No age filter is used, and all email items are synced to the device. 
@@ -238,7 +238,7 @@ Valid values are one of the following: **Options/ContentTypes/***Content Type GUID* Defines the type of content to be individually enabled/disabled for sync. -The *GUID* values allowed are one of the following: +The *GUID* values allowed are any of the following values: - Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}" @@ -251,11 +251,11 @@ The *GUID* values allowed are one of the following: **Options/ContentTypes/*Content Type GUID*/Enabled** Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled). -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). -Valid values are one of the following: +Valid values are any of the following values: -- 0 - Sync for email, contacts, calendar, or tasks is disabled. +- 0 - Sync for email, contacts, calendar, or tasks are disabled. - 1 (default) - Sync is enabled. **Options/ContentTypes/*Content Type GUID*/Name** @@ -265,7 +265,7 @@ Required. A character string that specifies the name of the content type. > In Windows 10, this node is currently not working. -Supported operations are Get, Replace, and Add (cannot Add after the account is created). +Supported operations are Get, Replace, and Add (can't Add after the account is created). When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected. diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index 740ad8289d..3328f5ca2a 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md 
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md @@ -57,7 +57,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png) -10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....). +10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange). ![admin center left navigation menu.](images/azure-ad-add-tenant9.png) @@ -75,7 +75,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent ![register in azure-ad.](images/azure-ad-add-tenant11.png) -3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. +3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. ![register azuread](images/azure-ad-add-tenant12.png) @@ -87,7 +87,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent ![registration in azuread.](images/azure-ad-add-tenant14.png) -6. You will see a welcome page when the process completes. +6. You'll see a welcome page when the process completes. ![register screen of azuread](images/azure-ad-add-tenant15.png) diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 26bcc2dda6..de7482b72d 100644 
--- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -24,9 +24,9 @@ This CSP was added in Windows 10, version 1511. -For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). +For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB)](https://wikipedia.org/wiki/AllJoyn). For more information, see [AllJoyn - Wikipedia](https://wikipedia.org/wiki/AllJoyn). -The following shows the AllJoynManagement configuration service provider in tree format +The following example shows the AllJoynManagement configuration service provider in tree format ``` ./Vendor/MSFT 
@@ -70,10 +70,10 @@ List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects. **Services/*Node name*/Port** -The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports. +The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it's possible to specify more ports. **Services/*Node name*/Port/***Node name* -Port number used for communication. This is specified by the configurable AllJoyn object and reflected here. +Port number used for communication. This value is specified by the configurable AllJoyn object and reflected here. **Services/*Node name*/Port/*Node name*/CfgObject** The set of configurable interfaces that are available on the port of the AllJoyn object. @@ -89,7 +89,7 @@ This is the credential store. An administrator can set credentials for each AllJ When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase. **Credentials/***Node name* -This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID. +This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It's typically implemented as a GUID. **Credentials/*Node name*/Key** An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard. 
@@ -128,7 +128,7 @@ SyncML xmlns="SYNCML:SYNCML1.2"> ``` -You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting. +You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. The data is base-64 encoded representation of the configuration file that you're setting. Get PIN data diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 648d9c245f..d18a0ebd70 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md 
@@ -13,10 +13,10 @@ ms.date: 09/10/2020 # ApplicationControl CSP -Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and hence doesn't schedule a reboot. Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. 
-The following shows the ApplicationControl CSP in tree format. +The following example shows the ApplicationControl CSP in tree format. ``` ./Vendor/MSFT @@ -80,14 +80,14 @@ Scope is dynamic. Supported operation is Get. Value type is char. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** -This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system. +This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system. -- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default. +- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system. +- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** This node specifies whether a policy is deployed on the system and is present on the physical machine. 
@@ -96,18 +96,18 @@ Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is deployed on the system and is present on the physical machine. -- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default. +- True—Indicates that the policy is deployed on the system and is present on the physical machine. +- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** -This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system. +This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. -- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. +- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system. +- False—Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value. The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: 
@@ -144,7 +144,7 @@ For customers using Intune standalone or hybrid management with Configuration Ma ## Generic MDM Server Usage Guidance -In order to leverage the ApplicationControl CSP without using Intune, you must: +In order to use the ApplicationControl CSP without using Intune, you must: 1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. 2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -171,7 +171,7 @@ To deploy base policy and supplemental policies: 1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. 2. Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and doesn't need that reflected in the ADD). #### Example 1: Add first base policy @@ -240,7 +240,7 @@ The following table displays the result of Get operation on different nodes: |./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful| |./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy| -The following is an example of Get command: +An example of Get command is: ```xml 
@@ -257,7 +257,7 @@ The following is an example of Get command: #### Rebootless Deletion -Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. +Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This sequence will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. #### Unsigned Policies @@ -266,7 +266,7 @@ To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationCon #### Signed Policies > [!NOTE] -> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy. +> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** isn't sufficient to delete a signed policy. To delete a signed policy: @@ -274,7 +274,7 @@ To delete a signed policy: 2. Deploy another update with unsigned Allow All policy. 3. Perform delete. -The following is an example of Delete command: +An example of Delete command is: ```xml 
@@ -289,7 +289,7 @@ The following is an example of Delete command: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). +The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). ### Setup for using the WMI Bridge @@ -305,7 +305,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi ### Deploying a policy via WMI Bridge -Run the following command. PolicyID is a GUID which can be found in the policy xml, and should be used here without braces. +Run the following command. PolicyID is a GUID that can be found in the policy xml, and should be used here without braces. ```powershell New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="";Policy=$policyBase64} diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 61070859fe..4d6a2a787f 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -15,9 +15,9 @@ ms.date: 11/19/2019 # AppLocker CSP -The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. +The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked. -The following shows the AppLocker configuration service provider in tree format. +The following example shows the AppLocker configuration service provider in tree format. ```console ./Vendor/MSFT 
@@ -75,7 +75,7 @@ Defines restrictions for applications. > [!NOTE] > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. -> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. +> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node. > [!NOTE] > The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. 
@@ -83,7 +83,7 @@ Defines restrictions for applications. Additional information: **AppLocker/ApplicationLaunchRestrictions/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. Supported operations are Get, Add, Delete, and Replace. @@ -101,7 +101,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. 
@@ -125,7 +125,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -144,7 +144,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. 
@@ -163,7 +163,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -182,7 +182,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. 
@@ -211,7 +211,7 @@ Supported operations are Get, Add, Delete, and Replace. **AppLocker/EnterpriseDataProtection** Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). -In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. +In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy 
@@ -227,10 +227,10 @@ Exempt examples: Additional information: -- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. +- [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. **AppLocker/EnterpriseDataProtection/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. Supported operations are Get, Add, Delete, and Replace. 
@@ -259,7 +259,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. -1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). +1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive). 2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. The **Device Portal** page opens on your browser. @@ -267,11 +267,11 @@ Supported operations are Get, Add, Delete, and Replace. ![device portal screenshot.](images/applocker-screenshot1.png) 3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. +4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps. ![device portal app manager.](images/applocker-screenshot3.png) -5. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. +5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. ![app manager.](images/applocker-screenshot2.png) @@ -281,9 +281,9 @@ The following table shows the mapping of information to the AppLocker publisher |--- |--- | |PackageFullName|ProductName

              The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.| |Publisher|Publisher| -|Version|Version

              This can be used either in the HighSection or LowSection of the BinaryVersionRange.

              HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| +|Version|Version

              The version can be used either in the HighSection or LowSection of the BinaryVersionRange.

              HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| -Here is an example AppLocker publisher rule: +Here's an example AppLocker publisher rule: ```xml @@ -307,7 +307,7 @@ Request URI: https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata ``` -Here is the example for Microsoft OneNote: +Here's the example for Microsoft OneNote: Request @@ -330,13 +330,13 @@ Result |--- |--- | |packageIdentityName|ProductName| |publisherCertificateName|Publisher| -|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

              This value will only be present if there is a XAP package associated with the app in the Store.

              If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| +|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

              This value will only be present if there's a XAP package associated with the app in the Store.

              If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| ## Settings apps that rely on splash apps -These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. +These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. @@ -526,7 +526,7 @@ The following example blocks the usage of the map application. ``` -The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. +The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. ```xml 
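Review bot: Step 5 in hunk @@ -267 keeps the typo "drop- down menu" on both sides of the change; fix it to "drop-down menu" while the line is being touched.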
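Review bot: The Version row rewritten in hunk @@ -281 keeps "version- independent rule" (stray space) and the hard-to-parse sentence "Using a wildcard for one of the values will provide higher than or lower than a specific version semantics"; suggest "Using a wildcard for only one of the two values gives 'higher than a specific version' or 'lower than a specific version' semantics." Since this row explains how a publisher rule's trust range is bounded, the wording should be unambiguous.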
@@ -1022,7 +1022,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business -The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings. +The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, and Settings. ```xml @@ -1276,8 +1276,8 @@ The following example for Windows 10 Holographic for Business denies all apps an ``` -## Recommended deny list for Windows Information Protection -The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. +## Recommended blocklist for Windows Information Protection +The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. In this example, Contoso is the node name. We recommend using a GUID for this node. diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index ac7cb56c39..79bb949ff1 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md 
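Review bot: Renaming the heading in hunk @@ -1276 changes its URL anchor from #recommended-deny-list-for-windows-information-protection to #recommended-blocklist-for-windows-information-protection; the in-page link in hunk @@ -227 was updated to match, but any other page that links to the old anchor will break, so please search the repo for the old anchor (or keep it as a redirect). The rewritten paragraph also needs "avoids" in "and avoid known compatibility issues" to agree with "This prevention ensures".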
@@ -23,7 +23,7 @@ manager: dansimp [EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md) -The following shows the EnterpriseAppVManagement configuration service provider in tree format. +The following example shows the EnterpriseAppVManagement configuration service provider in tree format. ```console ./Vendor/MSFT @@ -54,7 +54,7 @@ EnterpriseAppVManagement ------------Policy ``` -

              (./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.

              +

              (./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.

              AppVPublishing - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

              @@ -144,7 +144,7 @@ EnterpriseAppVManagement #### Configure App-V client -

              This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts assists in package deployments (add and publish of App-V apps).

              +

              This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).

              ```xml diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index fd89c3803d..0b28cf30d1 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -1,7 +1,6 @@ --- title: AssignedAccess CSP description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. -ms.assetid: 421CC07D-6000-48D9-B6A3-C638AAF83984 ms.reviewer: manager: dansimp ms.author: dansimp @@ -9,12 +8,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 09/18/2018 +ms.date: 05/03/2022 --- # AssignedAccess CSP -The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. +The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user sign in that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) 
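Review bot: The rewritten opening sentence of assignedaccess-csp.md in hunk @@ -9,12 reads "Once the CSP has been executed, then the next user sign in that is associated with the kiosk mode puts the device into the kiosk mode"; "Once ..., then" is redundant and "sign in" used as a noun should be hyphenated. Suggest: "Once the CSP has been executed, the next user sign-in that is associated with the kiosk mode puts the device into kiosk mode, running the application specified in the CSP configuration."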
@@ -29,7 +28,7 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider ( > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. -The following shows the AssignedAccess configuration service provider in tree format +The following example shows the AssignedAccess configuration service provider in tree format ``` ./Vendor/MSFT @@ -55,7 +54,7 @@ For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Educ > Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. > [!Note] -> You cannot set both KioskModeApp and ShellLauncher at the same time on the device. +> You can't set both KioskModeApp and ShellLauncher at the same time on the device. Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md). 
@@ -70,7 +69,7 @@ Here's an example: > > This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string. -When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. +When the kiosk mode app is being configured, the account name will be used to find the target user. The account name includes domain name and user name. > [!Note] > The domain name can be optional, if the user name is unique across the system. 
@@ -80,13 +79,20 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. **./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For more information about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). For more information on the schema, see [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). + +Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. 
An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key. + +> [!Note] +> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. +> +> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. Enterprises can use this to easily configure and manage the curated lockdown experience. Supported operations are Add, Get, Delete, and Replace. -Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (for example, Start Layout). +Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it can't revert all the enforced policies back (for example, Start Layout). **./Device/Vendor/MSFT/AssignedAccess/Status** Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload. 
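Review bot: The `> [!Note]` block added in hunk @@ -80,13 repeats, word for word, the KioskModeApp note that already exists in this file (visible in the context of hunk @@ -55,7: "Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device ..."); keeping two copies means they will drift, so either link to the existing note from the Configuration section or move it rather than duplicate it. Also in the new 1909 paragraph, "This allows Microsoft Edge to be the specified kiosk application" should name its subject ("This support allows ..."), and the breakout-sequence sentence could point readers to the "Ctrl+A" BreakoutSequence example added later in this change so the format "modifiers + keys" is shown in context.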
@@ -95,9 +101,9 @@ In Windows 10, version 1803, Assigned Access runtime status only supports monito |Status |Description | |---------|---------|---------| -| KioskModeAppRunning | This means the kiosk app is running normally. | -| KioskModeAppNotFound | This occurs when the kiosk app isn't deployed to the machine. | -| KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. | +| KioskModeAppRunning | This status means the kiosk app is running normally. | +| KioskModeAppNotFound | This state occurs when the kiosk app isn't deployed to the machine. | +| KioskModeAppActivationFailure | This state occurs when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. | > [!NOTE] > Status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus. @@ -140,7 +146,7 @@ Supported operation is Get. Added in Windows 10, version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). > [!Note] -> You cannot set both ShellLauncher and KioskModeApp at the same time on the device. +> You can't set both ShellLauncher and KioskModeApp at the same time on the device. > > Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature, if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. 
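Review bot: The status table edited in hunk @@ -95,9 has a three-cell separator row (`|---------|---------|---------|`) under a two-column header (`|Status |Description |`); since all three data rows are being rewritten, fix the separator to two cells so the table renders predictably.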
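Review bot: The ShellLauncher note in hunk @@ -140,7 keeps the stray "I." in "if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function."; remove the "I." while the note is being edited.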
> @@ -149,9 +155,9 @@ Added in Windows 10, version 1803. This node accepts a ShellLauncherConfiguratio **./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration** Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema. -By default the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. +By default, the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. -Optionally, the MDM server can opt in to the MDM alert, so that MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. +Optionally, the MDM server can opt in to the MDM alert so that an MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. This MDM alert header is defined as follows: @@ -249,7 +255,7 @@ KioskModeApp Replace ## AssignedAccessConfiguration XSD -Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. +The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release. ```xml 
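Review bot: The sentence changed in hunk @@ -249,7 now says the schema is "for AssignedAccess Configuration up to Windows 10 20H2 release", yet the namespace added to that schema in the next hunk is `http://schemas.microsoft.com/AssignedAccess/2021/config` (v4), and the DDF change in this same PR labels its XML "Windows 10, version 1909" with `com.microsoft/4.0/MDM/AssignedAccess`; please verify which release the v4 namespace corresponds to and make the three statements agree.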
@@ -260,11 +266,13 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" + xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config" > + @@ -274,8 +282,14 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. + + + + + + @@ -284,7 +298,19 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. - + + + + + + + + + + + + + @@ -385,6 +411,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. + @@ -423,7 +450,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. - +); ``` Here's the schema for new features introduced in Windows 10 1809 release 
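Review bot: The replacement line in hunk @@ -423,7 +450,7 ends with `);` immediately before the closing ```` ``` ```` fence (`+);`); that is not valid inside an XML schema and looks like a paste artifact, so check the line against the source XSD and remove the stray characters, otherwise anyone copying this schema for validation gets a parse error.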
@@ -502,7 +529,32 @@ Schema for Windows 10 prerelease ``` -To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure auto-launch feature, which is added in 1809 release, the below can be used to notice that an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization. +```xml + + + + + + + + + + + + + +``` + +To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that's added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml 
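Review bot: The paragraph that follows the new 1909 schema in hunk @@ -502,7 still says "To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas"; now that a 1909 schema is documented above it, the guidance should cover 1909 elements (the Edge kiosk and BreakoutSequence elements) too, otherwise readers won't know they need the extra namespace alias for those. Minor: "version 1909 which has added support" reads better as "version 1909, which adds support".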
@@ -569,6 +622,53 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele ``` +Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. +```xml + + + + + + + + + + EdgeKioskUser + + + + +``` + +Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. +> [!NOTE] +> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. +```xml + + + + + + + + + + + EdgeKioskUser + + + + +``` + ## Configuration examples XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle. @@ -1235,6 +1335,11 @@ ShellLauncherConfiguration Add ShellLauncherConfiguration Add AutoLogon +This function creates an autologon account on your behalf. It's a standard user with no password. The autologon account is managed by AssignedAccessCSP, so the account name isn't exposed. + +> [!Note] +> The autologon function is designed to be used after OOBE with provisioning packages. + ```xml @@ -1480,4 +1585,4 @@ This example configures the following apps: Skype, Learning, Feedback Hub, and C ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index c6d84bf203..6a73458cf7 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md 
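Review bot: The AutoLogon paragraph added in hunk @@ -1235,6 states that "a standard user with no password" is created on the administrator's behalf and that "the account name isn't exposed"; it should also say what happens to that account when the ShellLauncher configuration is deleted, because the Configuration node text earlier in this file warns that deletion "can't revert all the enforced policies back". Readers hardening a kiosk need to know whether a password-less local account persists after the kiosk configuration is removed and whether it can be used for anything other than the kiosk autologon.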
@@ -22,8 +22,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is for Windows 10, version 1803. - +The XML below is for Windows 10, version 1909. ```xml - com.microsoft/2.0/MDM/AssignedAccess + com.microsoft/4.0/MDM/AssignedAccess @@ -208,4 +207,3 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu - diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 96dd333a39..a0a4883d44 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md 
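Review bot: Hunk @@ -22,8 drops the blank line between "The XML below is for Windows 10, version 1909." and the ```` ```xml ```` fence; keep the blank line for consistency with the rest of the file. Separately, the version label "1909" together with `com.microsoft/4.0/MDM/AssignedAccess` should be checked against the CSP page in this same PR, which describes its schema as "up to Windows 10 20H2 release" while adding a 2021 namespace.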
@@ -114,11 +114,14 @@ The MDM vendor must first register the application in their home tenant and mark > [!NOTE] > For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. -The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenent the managed device belongs. +The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenant the managed device belongs. + +> [!NOTE] +> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats-and-ownership). Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery. -1. Log in to the Azure Management Portal using an admin account in your home tenant. +1. Log on to the Azure Management Portal using an admin account in your home tenant. 2. In the left navigation, select **Active Directory**. 
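Review bot: Step 1 in hunk @@ -114,11 changes "Log in to the Azure Management Portal" to "Log on to", while the @@ -410 hunk of this same file switches to "sign-in" / "Signed-in user"; pick one term and use "Sign in to the Azure Management Portal" here (and "sign-in URL" in step 8) so the page is consistent. The added note requiring Azure AD V2 tokens is a useful requirement to state; consider also referencing it from the "Evaluating Azure AD user tokens" section so MDM implementers see it where they validate tokens.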
@@ -134,7 +137,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD. 7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**. -8. Enter the login URL for your MDM service. +8. Enter the logon URL for your MDM service. 9. For the App ID, enter `https:///ContosoMDM`, then select OK. @@ -166,9 +169,9 @@ For more information about registering applications with Azure AD, see [Basics o The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Microsoft Graph API are bearer tokens and should be protected to avoid unauthorized disclosure. -For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715). +For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). -You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. +You can roll over the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys. 
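Review bot: The link retargeted in hunk @@ -166,9 is wrong: the text still reads "Windows Azure Security Essentials" but the new target `/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler` is the JwtSecurityTokenHandler class reference (the same target used for the JWT bullet in hunk @@ -378 of this file), not a security best-practices page. Either point it at an actual key-protection / best-practices page or change the link text to match the class reference; as committed, the sentence about protecting and rolling over application keys sends readers to an unrelated API page.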
@@ -325,7 +328,7 @@ The following table shows the error codes. |Cause|HTTP status|Error|Description| |--- |--- |--- |--- | |api-version|302|invalid_request|unsupported version| -|Tenant or user data are missing or other required prerequisites for device enrollment are not met|302|unauthorized_client|unauthorized user or tenant| +|Tenant or user data are missing or other required prerequisites for device enrollment aren't met|302|unauthorized_client|unauthorized user or tenant| |Azure AD token validation failed|302|unauthorized_client|unauthorized_client| |internal service error|302|server_error|internal service error| 
@@ -357,7 +360,7 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. **Multiple user management for Azure AD joined devices** -In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically MDM enrollment completes before Azure AD user sign in to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. +In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. 
The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. **Adding a work account and MDM enrollment to a device** In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device. @@ -369,7 +372,7 @@ The Azure AD token is in the HTTP Authorization header in the following format: Authorization:Bearer ``` -Additional claims may be present in the Azure AD token, such as: +More claims may be present in the Azure AD token, such as: - User - user currently logged in - Device compliance - value set the MDM service into Azure 
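Review bot: Splitting the long paragraph in hunk @@ -357,7 helps, but the second part still has missing articles and mixed terminology: "To allow management server to identify current user that is logged on to the device" and "before Azure AD user sign in to machine" should read "To allow the management server to identify the current user who is signed in to the device" and "before the Azure AD user signs in to the machine", using "signed in" consistently with the rest of this change. The guidance that the server "should check if the token is missing and only send device policies in such case" is the security-relevant point of the paragraph; keep it as its own sentence at the end so it isn't buried.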
@@ -378,9 +381,10 @@ Additional claims may be present in the Azure AD token, such as: Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens: -- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](/previous-versions/dotnet/framework/security/json-web-token-handler). +- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). + ## Device Alert 1224 for Azure AD user token An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example: @@ -410,9 +414,9 @@ An alert is sent to the MDM server in DM package\#1. - Alert type - com.microsoft/MDM/LoginStatus - Alert format - chr -- Alert data - provide login status information for the current active logged in user. - - Logged in user who has an Azure AD account - predefined text: user. - - Logged in user without an Azure AD account- predefined text: others. +- Alert data - provide sign-in status information for the current active logged in user. + - Signed-in user who has an Azure AD account - predefined text: user. + - Signed-in user without an Azure AD account- predefined text: others. - No active user - predefined text:none Here's an example. 
@@ -476,7 +480,7 @@ Response: ## Data loss during unenrollment from Azure Active Directory Join -When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. +When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. ![aadj unenrollment.](images/azure-ad-unenrollment.png) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 6c1b9368e4..b4564bd96c 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -14,18 +14,18 @@ ms.collection: highpri --- # BitLocker CSP -The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting from Windows 10, version 1809, it's supported in Windows 10 Pro. +The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. > [!NOTE] -> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. -> +> Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes. +> > You must send all the settings together in a single SyncML to be effective. A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin. -For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, whether Trusted Platform Module (TPM) protection and encryption is required. And, if the device has BitLocker enabled but with password protector, the status reported will be 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). +For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). 
-The following shows the BitLocker configuration service provider in tree format. +The following example shows the BitLocker configuration service provider in tree format. ```console ./Device/Vendor/MSFT @@ -86,7 +86,7 @@ Supported operations are Add, Get, Replace, and Delete. The status of OS volumes and encryptable fixed data volumes is checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives. -Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet more criteria to be considered encryptable: +Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet other criteria to be considered encryptable: - It must not be a dynamic volume. - It must not be a recovery partition. 
@@ -97,8 +97,8 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix The following list shows the supported values: -- 0 (default) — Disable. If the policy setting isn't set or is set to 0, the device's enforcement status is not checked. The policy doesn't enforce encryption and it does not decrypt encrypted volumes. -- 1 – Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy). +- 0 (default): Disable. If the policy setting isn't set or is set to 0, the device's enforcement status isn't checked. The policy doesn't enforce encryption and it doesn't decrypt encrypted volumes. +- 1: Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy). If you want to disable this policy, use the following SyncML: @@ -122,7 +122,7 @@ If you want to disable this policy, use the following SyncML: ``` > [!NOTE] -> Currently full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device. +> Currently only full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device. 
@@ -177,7 +177,7 @@ If you disable or don't configure this policy setting, BitLocker will use the de > [!NOTE] > When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. - If you want to disable this policy use the following SyncML: + If you want to disable this policy, use the following SyncML: ```xml 
@@ -226,7 +226,7 @@ ADMX Info: This setting is used to establish an identifier that is applied to all encrypted drives in your organization. -Identifiers are usually stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde): +Identifiers are stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde): - **BitLocker identification field**: It allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the Manage-bde command-line tool. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. @@ -243,7 +243,7 @@ Sample value for this node to enable this policy is: ``` -Data Id: +Data ID: - IdentificationField: This is a BitLocker identification field. - SecIdentificationField: This is an allowed BitLocker identification field. 
@@ -281,7 +281,7 @@ ADMX Info: -This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware. +This setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This setting overrides the "Require startup PIN with TPM" option of the "Require additional authentication at startup" policy on compliant hardware. If you enable this policy setting, users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without pre-boot authentication. @@ -323,7 +323,7 @@ ADMX Info: This setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. Enhanced startup PINs permit the usage of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. >[!Note] ->Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. +>Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. If you enable this policy setting, all new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected. 
@@ -415,10 +415,11 @@ Sample value for this node to enable this policy is: ``` If this policy is disabled, the Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. -When the Windows Recovery Environment is not enabled and this policy is not enabled, you can’t turn on BitLocker on a device that uses the Windows touch keyboard. + +When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard. >[!Note] ->If you do not enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available: +>If you don't enable this policy setting, the following options in the **Require additional authentication at startup policy** might not be available: > >- Configure TPM startup PIN: Required and Allowed >- Configure TPM startup key and PIN: Required and Allowed @@ -456,7 +457,7 @@ This policy setting is applied when you turn on BitLocker. Changing the encrypti Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. +If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. Sample value for this node to enable this policy is: 
@@ -468,7 +469,7 @@ If this policy is disabled, the BitLocker Setup Wizard asks the user to select t >[!Note] >This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. ->For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +>For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). 
@@ -499,12 +500,12 @@ ADMX Info: -This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. +This setting allows you to configure whether BitLocker requires more authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. > [!NOTE] > Only one of the additional authentication options is required at startup, otherwise an error occurs. -If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive. +If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. 
When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. @@ -518,8 +519,8 @@ If you disable or don't configure this setting, users can configure only basic o > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. -> [!NOTE] -> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. +> [!NOTE] +> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. Sample value for this node to enable this policy is: @@ -527,7 +528,7 @@ Sample value for this node to enable this policy is: ``` -Data id: +Data ID: - ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). - ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key. 
@@ -596,12 +597,12 @@ ADMX Info: -This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits. +This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of six digits and can have a maximum length of 20 digits. > [!NOTE] > In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. > ->In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2. +>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This doesn't apply to TPM 1.2. If you enable this setting, you will require a minimum number of digits to set the startup PIN. @@ -613,7 +614,7 @@ Sample value for this node to enable this policy is: ``` -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml 
@@ -688,7 +689,7 @@ The possible values for 'xx' are: > [!NOTE] > When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml @@ -706,7 +707,7 @@ Disabling the policy will let the system choose the default behaviors. If you w ``` > [!NOTE] -> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test the characters you use for the custom message or URL to appear correctly on the pre-boot recovery screen. +> Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. Data type is string. 
@@ -740,18 +741,18 @@ ADMX Info: This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker. -The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. +The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs. In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. 
+Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. -Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker, unless the computer is connected to domain and the backup of BitLocker recovery information to AD DS succeeds. +Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. > [!NOTE] -> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. 
+> If the "OSRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. @@ -779,7 +780,7 @@ The possible values for 'zz' are: - 2 = Store recovery passwords only. - 1 = Store recovery passwords and key packages. -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml 
@@ -828,20 +829,20 @@ ADMX Info: This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. -The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. +The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs. In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. +Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. 
This setting means that you won't be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. -Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Set the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. > [!NOTE] -> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. +> If the "FDVRequireActiveDirectoryBackup_Name" (Don't enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. 
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. @@ -927,7 +928,7 @@ Sample value for this node to enable this policy is: ``` -If you disable or don't configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML: +If you disable or don't configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy, use the following SyncML: ```xml @@ -978,7 +979,7 @@ This policy setting is applied when you turn on BitLocker and controls whether f Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only a portion of the drive that is used to store data is encrypted when BitLocker is turned on. -If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard. +If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard. Sample value for this node to enable this policy is: 
@@ -989,8 +990,8 @@ Sample value for this node to enable this policy is: If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. >[!Note] ->This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. ->For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. +>This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method. +>For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). 
@@ -1023,11 +1024,11 @@ ADMX Info: This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. -If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. +If you enable this setting, all removable data drives that aren't BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. -If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. +If you disable or don't configure this policy setting, all removable data drives on the computer will be mounted with read and write access. > [!NOTE] > This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. 
@@ -1143,13 +1144,12 @@ Sample value for this node to enable this policy is: ```xml ``` +Data ID: -Data id: +- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives +- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives -- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives. -- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives. - -If this policy is disabled, users can’t use BitLocker on removable disk drives. +If this policy is disabled, users can't use BitLocker on removable disk drives. If you don't configure this policy setting, users can use BitLocker on removable disk drives. @@ -1217,7 +1217,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. -If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged on user in the system. +If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDeviceEncryption" policy won't try to encrypt drive(s) if a standard user is the current logged on user in the system. |Edition|Windows 10|Windows 11| 
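Review bot: The changed line in the @@ -1217 hunk still says "the current logged on user", while this same PR replaces "log in" with "sign in" in bulk-enrollment-using-windows-provisioning-tool.md; use "the currently signed-in user" here for consistency. The context line "i.e, silent encryption is enforced" is also missing its second period; "that is, silent encryption is enforced" fixes it and avoids the Latin abbreviation.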
@@ -1233,7 +1233,7 @@ If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDe The expected values for this policy are: - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. -- 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive. +- 0 = This value is the default value, when the policy isn't set. If the current logged on user is a standard user, "RequireDeviceEncryption" policy won't try to enable encryption on any drive. If you want to disable this policy, use the following SyncML: @@ -1295,7 +1295,7 @@ Supported values are: -This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate. +This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. If errors occur, an error code will be returned so that server can take appropriate action to remediate. The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. 
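Review bot: "This value is the default value, when the policy isn't set" in the @@ -1233 hunk repeats "value" and has a stray comma; suggest "This value is the default when the policy isn't set." In the @@ -1295 hunk, "so that server can take appropriate action" is missing an article: "so that the server can take appropriate action to remediate".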
@@ -1304,7 +1304,7 @@ Policy type is Execute. When “Execute Policy” is pushed, the client sets the Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh. -Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can’t refresh recovery passwords if they are only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. +Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can't refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request. - RotateRecoveryPasswordsRequestID: Returns request ID of last request processed. 
@@ -1374,11 +1374,11 @@ Supported values: | 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume, but the user didn't consent.| | 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| | 2 |The OS volume is unprotected.| -| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| -| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| -| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| -| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| -| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection is not used.| +| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector is not used.| +| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector is not used.| +| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector is not used.| +| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM is not used.| | 8 |Recovery key backup failed.| | 9 |A fixed drive is unprotected.| | 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| @@ -1401,7 +1401,7 @@ Supported values: This node reports the status of RotateRecoveryPasswords request. -Status code can be one of the following: +Status code can be one of the following values: - 2 – Not started - 1 - Pending 
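Review bot: The @@ -1374 hunk runs against the rest of this PR: it expands "isn't used" to "is not used" in rows 3 through 7 of the status table, while every other hunk contracts "is not" and "cannot" to "isn't" and "can't". Either drop this hunk or reverse its direction so the table follows the same style as the surrounding text. In the @@ -1401 hunk, the list below the changed line mixes "2 – Not started" (en dash) with "1 - Pending" (hyphen); pick one separator.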
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index d1db6d514e..0309b24aad 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -1,6 +1,6 @@ --- title: Bulk enrollment -description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11. +description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11. MS-HAID: - 'p\_phdevicemgmt.bulk\_enrollment' - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' @@ -18,7 +18,7 @@ ms.date: 06/26/2017 # Bulk enrollment -Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. +Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. ## Typical use cases 
@@ -28,7 +28,7 @@ Bulk enrollment is an efficient way to set up a large number of devices to be ma - Set up industrial machinery. - Set handheld POS devices. -On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can log in to use it. This is especially useful in getting a large number of desktop ready to use within a domain. +On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain. On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. 
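Review bot: In the changed paragraph, "Once the desktop is joined with that admin account" contradicts the preceding sentence, which gives the account "only the ability to join the domain"; "with that account" keeps the least-privilege point intact instead of implying an administrator account. Also "a large number of desktop ready to use" should be "desktops".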
@@ -63,21 +63,21 @@ Using the WCD, create a provisioning package using the enrollment information re 5. Skip **Import a provisioning package (optional)** and click **Finish**. 6. Expand **Runtime settings** > **Workplace**. 7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". + The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". 8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here is the list of available settings: + Here's the list of available settings: - **AuthPolicy** - Select **OnPremise**. - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - **Secret** - Password For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). - Here is the screenshot of the WCD at this point. + Here's the screenshot of the WCD at this point. ![bulk enrollment screenshot.](images/bulk-enrollment.png) -9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -10. When you are done adding all the settings, on the **File** menu, click **Save**. -11. On the main menu click **Export** > **Provisioning package**. +9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 
+10. When you're done adding all the settings, on the **File** menu, click **Save**. +11. On the main menu, click **Export** > **Provisioning package**. ![icd menu for export.](images/bulk-enrollment2.png) 12. Enter the values for your package and specify the package output location. 
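Review bot: "**Secret** - Password" in the OnPremise settings list of the @@ -63 hunk is the only item without a description, and the matching item in the Certificate procedure later in this file spells its value out ("the certificate thumbprint"); say what the value is, for example "the password for the enrollment account", and state that it is carried in the exported provisioning package, since the earlier paragraph says these credentials are used in the package that is applied to multiple devices.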
@@ -112,17 +112,17 @@ Using the WCD, create a provisioning package using the enrollment information re 7. Specify the workplace settings. 1. Got to **Workplace** > **Enrollments**. 2. Enter the **UPN** for the enrollment and then click **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". + The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here is the list of available settings: + Here's the list of available settings: - **AuthPolicy** - Select **Certificate**. - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - **Secret** - the certificate thumbprint. For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). -8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -9. When you are done adding all the settings, on the **File** menu, click **Save**. +8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +9. When you're done adding all the settings, on the **File** menu, click **Save**. 10. Export and build the package (steps 10-13 in the procedure above). 11. Apply the package to some test devices and verify that they work. 
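Review bot: The unchanged context line "1. Got to **Workplace** > **Enrollments**." has a typo ("Got to" for "Go to"); since this hunk is being edited anyway, fix it here. Also "**Secret** - the certificate thumbprint" is lowercase while the equivalent item in the previous procedure ("**Secret** - Password") is capitalized; align the two lists.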
For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 12. Apply the package to your devices. @@ -145,17 +145,17 @@ Here's the list of topics about applying a provisioning package: 1. Go to **Settings** > **Accounts** > **Access work or school**. 2. Click **Add or remove a provisioning package**. - You should see the your package listed. + You should see your package listed. ## Retry logic in case of a failure -If the provisioning engine receives a failure from a CSP it will retry to provision 3 times in a row. +If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. -If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry 4 times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context. +If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context. -It will also retry to apply the provisioning each time it is launched, if started from somewhere else as well. +It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well. -In addition, provisioning will be restarted in a SYSTEM context after a login and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)). +In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)). ## Other provisioning topics diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 1f27f60756..5605ebe1f4 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md 
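Review bot: "it will retry to provision three times in a row" in the retry-logic hunk reads awkwardly; "it will retry provisioning three times in a row" is the idiomatic form. In the last changed line of that hunk, "after a sign in" uses the verb form where a noun is needed: "after a sign-in" (or "after a user signs in").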
+++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -19,7 +19,7 @@ The CellularSettings configuration service provider is used to configure cellula > [!Note] > Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. -The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider. +The following example shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider. ```console ./Vendor/MSFT diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 11079b3ac6..0ef7d8606c 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -20,9 +20,9 @@ The CertificateStore configuration service provider is used to add secure socket > The CertificateStore configuration service provider does not support installing client certificates. > The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. -For the CertificateStore CSP, you cannot use the Replace command unless the node already exists. +For the CertificateStore CSP, you can't use the Replace command unless the node already exists. -The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. +The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. ``` ./Vendor/MSFT 
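Review bot: In the certificatestore-csp.md @@ -20 hunk, the note two lines above the change still reads "does not support installing client certificates" while the changed line contracts "cannot" to "can't"; apply the same contraction to the context line for consistency. The tree listing that follows opens with a bare ``` fence, whereas the equivalent listing in cellularsettings-csp.md just above uses ```console; tag this one the same way.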
@@ -121,7 +121,7 @@ Supported operation is Get. > CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates. **My/User** -Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. +Defines the certificate store that contains public keys for client certificates. This certificate store is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. Supported operation is Get. @@ -129,7 +129,7 @@ Supported operation is Get. > My/User is case sensitive. **My/System** -Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. +Defines the certificate store that contains public key for client certificate. This certificate store is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. Supported operation is Get. 
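Review bot: The My/System description in the @@ -129 hunk still lacks articles ("contains public key for client certificate", "used by enterprise server", "the client cert") while the My/User text directly above it is fully written out; since the line is being changed, align it: "Defines the certificate store that contains the public key for the client certificate. This certificate store is only used by the enterprise server to push down the public key of the client certificate."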
@@ -142,27 +142,27 @@ Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certifi Supported operations are Get, Delete, and Replace. ***CertHash*/EncodedCertificate** -Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can’t include extra formatting characters such as embedded linefeeds, etc. +Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc. Supported operations are Get, Add, Delete, and Replace. ***CertHash*/IssuedBy** -Required. Returns the name of the certificate issuer. This is equivalent to the *Issuer* member in the CERT\_INFO data structure. +Required. Returns the name of the certificate issuer. This name is equivalent to the *Issuer* member in the CERT\_INFO data structure. Supported operation is Get. ***CertHash*/IssuedTo** -Required. Returns the name of the certificate subject. This is equivalent to the *Subject* member in the CERT\_INFO data structure. +Required. Returns the name of the certificate subject. This name is equivalent to the *Subject* member in the CERT\_INFO data structure. Supported operation is Get. ***CertHash*/ValidFrom** -Required. Returns the starting date of the certificate's validity. This is equivalent to the *NotBefore* member in the CERT\_INFO structure. +Required. Returns the starting date of the certificate's validity. This date is equivalent to the *NotBefore* member in the CERT\_INFO structure. Supported operation is Get. ***CertHash*/ValidTo** -Required. Returns the expiration date of the certificate. This is equivalent to the *NotAfter* member in the CERT\_INFO structure. +Required. Returns the expiration date of the certificate. This expiration date is equivalent to the *NotAfter* member in the CERT\_INFO structure. Supported operation is Get. 
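Review bot: The EncodedCertificate line spells the term two ways in one sentence ("Base64-encoded" and "Base-64 string value") and "such as embedded linefeeds, etc." doubles up the example marker; suggest "The Base64 string can't include extra formatting characters such as embedded line feeds."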
@@ -217,7 +217,7 @@ Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/SubjectName** Required. Specifies the subject name. -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). @@ -228,7 +228,7 @@ Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/KeyProtection** Optional. Specifies the location of the private key. Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection. -Supported values are one of the following: +Supported values are one of the following values: - 1 – Private key is protected by device TPM. 
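Review bot: "Supported values are one of the following values:" in the @@ -228 hunk says "values" twice; "The value is one of the following:" (or simply "Supported values:") avoids the repetition, and the same pattern is introduced in the @@ -285, @@ -317 and @@ -401 hunks of this file and in the bitlocker-csp.md @@ -1401 hunk. In the SubjectName change, the character list keeps curly quotes (“,” “=” “+” “;”) while this PR straightens apostrophes everywhere else; code-formatting the characters as `,` `=` `+` `;` makes them unambiguous.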
@@ -246,15 +246,15 @@ Optional. Specifies the device retry waiting time in minutes when the SCEP serve Supported operations are Get, Add, and Delete. **My/SCEP/*UniqueID*/Install/RetryCount** -Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value can’t be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry. +Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry. Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/TemplateName** Optional. OID of certificate template name. ->[!Note] -> Template name is typically ignored by the SCEP server; therefore, the MDM server typically doesn't need to provide it. Value type is chr. +> [!Note] +> Template name is typically ignored by the SCEP server, so the MDM server typically doesn't need to provide it. Value type is `chr`. Supported operations are Get, Add, and Delete. @@ -285,7 +285,7 @@ Optional. Specifies the units for the valid period. Value type is chr. Supported operations are Get, Add, Delete, and Replace. -Valid values are one of the following: +Valid values are one of the following values: - Days (default) - Months @@ -317,7 +317,7 @@ Required. Specifies the latest status for the certificate due to enrollment requ Supported operation is Get. -Valid values are one of the following: +Valid values are one of the following values: - 1 – Finished successfully. 
@@ -363,7 +363,7 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't Supported operations are Add, Get, Delete, and Replace. **My/WSTEP/Renew/RenewalPeriod** -Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. The default value is 42 and the valid values are 1 – 1000. Value type is an integer. @@ -401,7 +401,7 @@ Required. Shows the latest action status for this certificate. Value type is an Supported operation is Get. -Supported values are one of the following: +Supported values are one of the following values: - 0 – Not started. - 1 – Renewal in progress. diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 089b3868fd..ef943cbe35 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md 
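Review bot: The RenewalPeriod change keeps "certificate renew process" and "the renew period is set"; "renewal" is the noun used in the node name and in the same paragraph ("manual certificate renewal"), so use "renewal process" and "renewal period".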
@@ -14,7 +14,7 @@ ms.date: 10/19/2020 # Change history for Mobile Device Management documentation -This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues are not listed. +This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those articles that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues aren't listed. ## November 2020 @@ -60,7 +60,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| |[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| -|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table. +|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table. ## February 2020 @@ -101,7 +101,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| |[DiagnosticLog CSP](diagnosticlog-csp.md)
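Review bot: "Updated articles are those articles that had content addition, removal, or corrections" in the @@ -14 hunk repeats "articles" and mixes singular and plural; "Updated articles are those with content additions, removals, or corrections" reads better.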
              [DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
              Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.| -|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
              Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| +|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include more reference links and the following two topics:
              Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| ## July 2019 @@ -111,7 +111,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.| |[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:
              SecurityKey, SecurityKey/UseSecurityKeyForSignin| |[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:
              LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock| -|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
              Create a custom configuration service provider
              Design a custom configuration service provider
              IConfigServiceProvider2
              IConfigServiceProvider2::ConfigManagerNotification
              IConfigServiceProvider2::GetNode
              ICSPNode
              ICSPNode::Add
              ICSPNode::Clear
              ICSPNode::Copy
              ICSPNode::DeleteChild
              ICSPNode::DeleteProperty
              ICSPNode::Execute
              ICSPNode::GetChildNodeNames
              ICSPNode::GetProperty
              ICSPNode::GetPropertyIdentifiers
              ICSPNode::GetValue
              ICSPNode::Move
              ICSPNode::SetProperty
              ICSPNode::SetValue
              ICSPNodeTransactioning
              ICSPValidate
              Samples for writing a custom configuration service provider.| +|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs isn't currently supported:
              Create a custom configuration service provider
              Design a custom configuration service provider
              IConfigServiceProvider2
              IConfigServiceProvider2::ConfigManagerNotification
              IConfigServiceProvider2::GetNode
              ICSPNode
              ICSPNode::Add
              ICSPNode::Clear
              ICSPNode::Copy
              ICSPNode::DeleteChild
              ICSPNode::DeleteProperty
              ICSPNode::Execute
              ICSPNode::GetChildNodeNames
              ICSPNode::GetProperty
              ICSPNode::GetPropertyIdentifiers
              ICSPNode::GetValue
              ICSPNode::Move
              ICSPNode::SetProperty
              ICSPNode::SetValue
              ICSPNodeTransactioning
              ICSPValidate
              Samples for writing a custom configuration service provider.| ## June 2019 @@ -141,7 +141,7 @@ This article lists new and updated articles for the Mobile Device Management (MD | New or updated article | Description | |-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
              Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. | +| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
              Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it doesn't. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. | | [Policy CSP - UserRights](policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields. | ## March 2019 @@ -193,12 +193,12 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article|Description| |--- |--- | -|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following note:

              You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.| +|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following note:

              You can only assign one single app kiosk profile to an individual user account on a device. The single app profile doesn't support domain groups.| |[PassportForWork CSP](passportforwork-csp.md)|Added new settings in Windows 10, version 1809.| |[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added NonRemovable setting under AppManagement node in Windows 10, version 1809.| |[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)|Added new configuration service provider in Windows 10, version 1809.| |[WindowsLicensing CSP](windowslicensing-csp.md)|Added S mode settings and SyncML examples in Windows 10, version 1809.| -|[SUPL CSP](supl-csp.md)|Added 3 new certificate nodes in Windows 10, version 1809.| +|[SUPL CSP](supl-csp.md)|Added three new certificate nodes in Windows 10, version 1809.| |[Defender CSP](defender-csp.md)|Added a new node Health/ProductStatus in Windows 10, version 1809.| |[BitLocker CSP](bitlocker-csp.md)|Added a new node AllowStandardUserEncryption in Windows 10, version 1809.| |[DevDetail CSP](devdetail-csp.md)|Added a new node SMBIOSSerialNumber in Windows 10, version 1809.| @@ -211,7 +211,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |[Wifi CSP](wifi-csp.md)|Added a new node WifiCost in Windows 10, version 1809.| |[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)|Recent changes:
            • Added procedure for collecting logs remotely from Windows 10 Holographic.
            • Added procedure for downloading the MDM Diagnostic Information log.| |[BitLocker CSP](bitlocker-csp.md)|Added new node AllowStandardUserEncryption in Windows 10, version 1809.| -|[Policy CSP](policy-configuration-service-provider.md)|Recent changes:
            • AccountPoliciesAccountLockoutPolicy
            • AccountLockoutDuration - removed from docs. Not supported.
            • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
            • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
            • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
            • System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.
            • Security/RequireDeviceEncryption is supported in the Home SKU.
            • Start/StartLayout - added a table of SKU support information.
            • Start/ImportEdgeAssets - added a table of SKU support information.

              Added the following new policies in Windows 10, version 1809:
            • Update/EngagedRestartDeadlineForFeatureUpdates
            • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
            • Update/EngagedRestartTransitionScheduleForFeatureUpdates
            • Update/SetDisablePauseUXAccess
            • Update/SetDisableUXWUAccess| +|[Policy CSP](policy-configuration-service-provider.md)|Recent changes:
            • AccountPoliciesAccountLockoutPolicy
            • AccountLockoutDuration - removed from docs. Not supported.
            • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
            • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
            • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
            • System/AllowFontProviders isn't supported in HoloLens (first gen) Commercial Suite.
            • Security/RequireDeviceEncryption is supported in the Home SKU.
            • Start/StartLayout - added a table of SKU support information.
            • Start/ImportEdgeAssets - added a table of SKU support information.

              Added the following new policies in Windows 10, version 1809:
            • Update/EngagedRestartDeadlineForFeatureUpdates
            • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
            • Update/EngagedRestartTransitionScheduleForFeatureUpdates
            • Update/SetDisablePauseUXAccess
            • Update/SetDisableUXWUAccess| |[WiredNetwork CSP](wirednetwork-csp.md)|New CSP added in Windows 10, version 1809.| ## May 2018 @@ -225,7 +225,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article|Description| |--- |--- | |[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:
            • Settings/AllowVirtualGPU
            • Settings/SaveFilesToHost| -|[NetworkProxy CSP](\networkproxy--csp.md)|Added the following node in Windows 10, version 1803:
            • ProxySettingsPerUser| +|[NetworkProxy CSP](networkproxy-csp.md)|Added the following node in Windows 10, version 1803:
            • ProxySettingsPerUser| |[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.| |[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.| |[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.| @@ -240,7 +240,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)|Added the following videos:
            • [How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)
            • [How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)| |[AccountManagement CSP](accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.| |[RootCATrustedCertificates CSP](rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:
            • UntrustedCertificates| -|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
            • ApplicationDefaults/EnableAppUriHandlers
            • ApplicationManagement/MSIAllowUserControlOverInstall
            • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
            • Connectivity/AllowPhonePCLinking
            • Notifications/DisallowCloudNotification
            • Notifications/DisallowTileNotification
            • RestrictedGroups/ConfigureGroupMembership

              The following existing policies were updated:
            • Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.
            • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
            • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.

              Added a new section:
            • [[Policies in Policy CSP supported by Group Policy](/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
            • ApplicationDefaults/EnableAppUriHandlers
            • ApplicationManagement/MSIAllowUserControlOverInstall
            • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
            • Connectivity/AllowPhonePCLinking
            • Notifications/DisallowCloudNotification
            • Notifications/DisallowTileNotification
            • RestrictedGroups/ConfigureGroupMembership

              The following existing policies were updated:
            • Browser/AllowCookies - updated the supported values. There are three values - 0, 1, 2.
            • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
            • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.

              Added a new section:
            • [[Policies in Policy CSP supported by Group Policy](/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.| |[Policy CSP - Bluetooth](policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).| |[MultiSIM CSP](multisim-csp.md)|Added SyncML examples and updated the settings descriptions.| |[RemoteWipe CSP](remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.| @@ -251,7 +251,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |--- |--- | |[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
            • Display/DisablePerProcessDpiForApps
            • Display/EnablePerProcessDpi
            • Display/EnablePerProcessDpiForApps
            • Experience/AllowWindowsSpotlightOnSettings
            • TextInput/ForceTouchKeyboardDockedState
            • TextInput/TouchKeyboardDictationButtonAvailability
            • TextInput/TouchKeyboardEmojiButtonAvailability
            • TextInput/TouchKeyboardFullModeAvailability
            • TextInput/TouchKeyboardHandwritingModeAvailability
            • TextInput/TouchKeyboardNarrowModeAvailability
            • TextInput/TouchKeyboardSplitModeAvailability
            • TextInput/TouchKeyboardWideModeAvailability| |[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)|Updated the XSD and Plug-in profile example for VPNv2 CSP.| -|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:
            • Status
            • ShellLauncher
            • StatusConfiguration

              Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.| +|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:
            • Status
            • ShellLauncher
            • StatusConfiguration

              Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (first gen) Commercial Suite. Added example for HoloLens (first gen) Commercial Suite.| |[MultiSIM CSP](multisim-csp.md)|Added a new CSP in Windows 10, version 1803.| |[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following node in Windows 10, version 1803:
            • MaintainProcessorArchitectureOnUpdate| @@ -259,7 +259,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article|Description| |--- |--- | -|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
            • Browser/AllowConfigurationUpdateForBooksLibrary
            • Browser/AlwaysEnableBooksLibrary
            • Browser/EnableExtendedBooksTelemetry
            • Browser/UseSharedFolderForBooks
            • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
            • DeliveryOptimization/DODelayForegroundDownloadFromHttp
            • DeliveryOptimization/DOGroupIdSource
            • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
            • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
            • DeliveryOptimization/DORestrictPeerSelectionBy
            • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
            • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
            • KioskBrowser/BlockedUrlExceptions
            • KioskBrowser/BlockedUrls
            • KioskBrowser/DefaultURL
            • KioskBrowser/EnableHomeButton
            • KioskBrowser/EnableNavigationButtons
            • KioskBrowser/RestartOnIdleTime
            • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
            • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
            • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
            • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
            • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
            • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
            • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
            • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
            • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
            • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
            • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
            • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
            • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
            • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
            • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
            • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
            • RestrictedGroups/ConfigureGroupMembership
            • Search/AllowCortanaInAAD
            • Search/DoNotUseWebResults
            • Security/ConfigureWindowsPasswords
            • System/FeedbackHubAlwaysSaveDiagnosticsLocally
            • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
            • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
            • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
            • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
            • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
            • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
            • TaskScheduler/EnableXboxGameSaveTask
            • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
            • Update/ConfigureFeatureUpdateUninstallPeriod
            • UserRights/AccessCredentialManagerAsTrustedCaller
            • UserRights/AccessFromNetwork
            • UserRights/ActAsPartOfTheOperatingSystem
            • UserRights/AllowLocalLogOn
            • UserRights/BackupFilesAndDirectories
            • UserRights/ChangeSystemTime
            • UserRights/CreateGlobalObjects
            • UserRights/CreatePageFile
            • UserRights/CreatePermanentSharedObjects
            • UserRights/CreateSymbolicLinks
            • UserRights/CreateToken
            • UserRights/DebugPrograms
            • UserRights/DenyAccessFromNetwork
            • UserRights/DenyLocalLogOn
            • UserRights/DenyRemoteDesktopServicesLogOn
            • UserRights/EnableDelegation
            • UserRights/GenerateSecurityAudits
            • UserRights/ImpersonateClient
            • UserRights/IncreaseSchedulingPriority
            • UserRights/LoadUnloadDeviceDrivers
            • UserRights/LockMemory
            • UserRights/ManageAuditingAndSecurityLog
            • UserRights/ManageVolume
            • UserRights/ModifyFirmwareEnvironment
            • UserRights/ModifyObjectLabel
            • UserRights/ProfileSingleProcess
            • UserRights/RemoteShutdown
            • UserRights/RestoreFilesAndDirectories
            • UserRights/TakeOwnership
            • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
            • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
            • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
            • WindowsDefenderSecurityCenter/HideSecureBoot
            • WindowsDefenderSecurityCenter/HideTPMTroubleshooting

              Added the following policies the were added in Windows 10, version 1709
            • DeviceLock/MinimumPasswordAge
            • Settings/AllowOnlineTips
            • System/DisableEnterpriseAuthProxy

              Security/RequireDeviceEncryption - updated to show it is supported in desktop.| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
            • Browser/AllowConfigurationUpdateForBooksLibrary
            • Browser/AlwaysEnableBooksLibrary
            • Browser/EnableExtendedBooksTelemetry
            • Browser/UseSharedFolderForBooks
            • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
            • DeliveryOptimization/DODelayForegroundDownloadFromHttp
            • DeliveryOptimization/DOGroupIdSource
            • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
            • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
            • DeliveryOptimization/DORestrictPeerSelectionBy
            • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
            • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
            • KioskBrowser/BlockedUrlExceptions
            • KioskBrowser/BlockedUrls
            • KioskBrowser/DefaultURL
            • KioskBrowser/EnableHomeButton
            • KioskBrowser/EnableNavigationButtons
            • KioskBrowser/RestartOnIdleTime
            • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
            • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
            • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
            • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
            • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
            • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
            • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
            • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
            • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
            • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
            • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
            • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
            • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
            • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
            • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
            • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
            • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
            • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
            • RestrictedGroups/ConfigureGroupMembership
            • Search/AllowCortanaInAAD
            • Search/DoNotUseWebResults
            • Security/ConfigureWindowsPasswords
            • System/FeedbackHubAlwaysSaveDiagnosticsLocally
            • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
            • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
            • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
            • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
            • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
            • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
            • TaskScheduler/EnableXboxGameSaveTask
            • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
            • Update/ConfigureFeatureUpdateUninstallPeriod
            • UserRights/AccessCredentialManagerAsTrustedCaller
            • UserRights/AccessFromNetwork
            • UserRights/ActAsPartOfTheOperatingSystem
            • UserRights/AllowLocalLogOn
            • UserRights/BackupFilesAndDirectories
            • UserRights/ChangeSystemTime
            • UserRights/CreateGlobalObjects
            • UserRights/CreatePageFile
            • UserRights/CreatePermanentSharedObjects
            • UserRights/CreateSymbolicLinks
            • UserRights/CreateToken
            • UserRights/DebugPrograms
            • UserRights/DenyAccessFromNetwork
            • UserRights/DenyLocalLogOn
            • UserRights/DenyRemoteDesktopServicesLogOn
            • UserRights/EnableDelegation
            • UserRights/GenerateSecurityAudits
            • UserRights/ImpersonateClient
            • UserRights/IncreaseSchedulingPriority
            • UserRights/LoadUnloadDeviceDrivers
            • UserRights/LockMemory
            • UserRights/ManageAuditingAndSecurityLog
            • UserRights/ManageVolume
            • UserRights/ModifyFirmwareEnvironment
            • UserRights/ModifyObjectLabel
            • UserRights/ProfileSingleProcess
            • UserRights/RemoteShutdown
            • UserRights/RestoreFilesAndDirectories
            • UserRights/TakeOwnership
            • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
            • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
            • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
            • WindowsDefenderSecurityCenter/HideSecureBoot
            • WindowsDefenderSecurityCenter/HideTPMTroubleshooting

              Added the following policies in Windows 10, version 1709
            • DeviceLock/MinimumPasswordAge
            • Settings/AllowOnlineTips
            • System/DisableEnterpriseAuthProxy

              Security/RequireDeviceEncryption - updated to show it's supported in desktop.| |[BitLocker CSP](bitlocker-csp.md)|Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.| |[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.| |[DMClient CSP](dmclient-csp.md)|Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
            • AADSendDeviceToken
            • BlockInStatusPage
            • AllowCollectLogsButton
            • CustomErrorText
            • SkipDeviceStatusPage
            • SkipUserStatusPage| @@ -309,11 +309,11 @@ This article lists new and updated articles for the Mobile Device Management (MD |[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)|Added new step-by-step guide to enable ADMX-backed policies.| |[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:

              Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.| |[CM_CellularEntries CSP](cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.| -|[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following:
            • 0 (default) – Off / No protection (decrypts previously protected data).
            • 1 – Silent mode (encrypt and audit only).
            • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
            • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).| -|[AppLocker CSP](applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allow list examples](applocker-csp.md#allow-list-examples).| +|[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following values:
            • 0 (default) – Off / No protection (decrypts previously protected data).
            • 1 – Silent mode (encrypt and audit only).
            • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
            • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).| +|[AppLocker CSP](applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allowlist examples](applocker-csp.md#allow-list-examples).| |[DeviceManageability CSP](devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:
            • Provider/ProviderID/ConfigInfo
            • Provider/ProviderID/EnrollmentInfo| |[Office CSP](office-csp.md)|Added the following setting in Windows 10, version 1709:
            • Installation/CurrentStatus| -|[BitLocker CSP](bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| +|[BitLocker CSP](bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| |[Firewall CSP](firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:
            • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
            • Changed some data types from integer to bool.
            • Updated the list of supported operations for some settings.
            • Added default values.| |[Policy DDF file](policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
            • Browser/AllowMicrosoftCompatibilityList
            • Update/DisableDualScan
            • Update/FillEmptyContentUrls| -|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
            • Browser/ProvisionFavorites
            • Browser/LockdownFavorites
            • ExploitGuard/ExploitProtectionSettings
            • Games/AllowAdvancedGamingServices
            • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
            • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
            • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
            • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
            • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
            • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
            • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
            • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
            • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
            • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
            • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
            • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
            • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
            • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
            • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
            • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
            • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
            • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
            • Privacy/EnableActivityFeed
            • Privacy/PublishUserActivities
            • Update/DisableDualScan
            • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

              Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

              Changed the names of the following policies:
            • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
            • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
            • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

              Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

              There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:
            • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
            • Start/HideAppList| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
            • Browser/ProvisionFavorites
            • Browser/LockdownFavorites
            • ExploitGuard/ExploitProtectionSettings
            • Games/AllowAdvancedGamingServices
            • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
            • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
            • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
            • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
            • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
            • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
            • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
            • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
            • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
            • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
            • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
            • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
            • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
            • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
            • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
            • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
            • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
            • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
            • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
            • Privacy/EnableActivityFeed
            • Privacy/PublishUserActivities
            • Update/DisableDualScan
            • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

              Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

              Changed the names of the following policies:
            • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
            • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
            • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

              Added links to the extra [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

              There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:
            • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
            • Start/HideAppList| diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 2eb4d0d758..de295098f3 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -23,7 +23,7 @@ For PFX certificate installation and SCEP installation, the SyncML commands must You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. -The following shows the ClientCertificateInstall configuration service provider in tree format. +The following example shows the ClientCertificateInstall configuration service provider in tree format. ``` ./Vendor/MSFT @@ -109,7 +109,7 @@ Date type is string. Supported operations are Get, Add, Delete, and Replace. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** -CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation. +CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This Add operation requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before the Add operation is called. This trigger for addition also sets the Status node to the current Status of the operation. The data type format is binary. 
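Review bot: "extra" is a poor substitute for "additional" in the added changelog row, `Added links to the extra [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).`; in this position "extra" reads as "superfluous". Keep "additional" or write "the other ADMX-backed BitLocker policies". Since this Windows 10, version 1709 row is being touched anyway, the sentence `Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.` is awkward in both the removed and the added copy and would read better as "Renamed the new policy CredentialProviders/EnableWindowsAutopilotResetCredentials to CredentialProviders/DisableAutomaticReDeploymentCredentials."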
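Review bot: "This trigger for addition also sets the Status node to the current Status of the operation." in the added PFXCertBlob line (hunk @@ -109,7 of clientcertificateinstall-csp.md) is harder to read than the sentence it replaces; the subject is still the Add operation, so "The Add operation also sets the Status node to the current status of the operation." says it directly. The same added line now repeats "the Add operation" three times; "Add requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before it is called." keeps the meaning without the repetition.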
@@ -187,7 +187,7 @@ A node required for SCEP certificate enrollment. Parent node to group SCEP cert Supported operations are Get, Add, Replace, and Delete. > [!Note] -> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. +> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and ensure the device isn't at an unknown state before changing child node values. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. @@ -213,7 +213,7 @@ Supported operations are Get, Add, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** Required. Specifies the subject name. -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). 
@@ -225,7 +225,7 @@ Supported operations are Add, Get, and Replace. Optional. Specifies where to keep the private key. > [!Note] -> Even if the private key is protected by TPM, it is not protected with a TPM PIN. +> Even if the private key is protected by TPM, it isn't protected with a TPM PIN. The data type is an integer corresponding to one of the following values: @@ -300,14 +300,14 @@ Data type is string. Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** -Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail. +Required. Specifies Root CA thumbprint. This thumbprint is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it isn't a match, the authentication will fail. Data type is string. Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information. +Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. For more information, see the name type definitions in MSDN. Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2]. 
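Review bot: The added CAThumbprint line (hunk @@ -300,14) still carries the missing article in "When client authenticates the SCEP server"; since the sentence is being reworded, write "When the client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate." This is the check that pins the enrollment server's CA, so the sentence is worth getting right.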
@@ -332,9 +332,9 @@ Valid values are: Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** -Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node. +Optional. Specifies the desired number of units used in the validity period. This number is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node. ->[!Note] +> [!Note] > The valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Data type is string. @@ -375,7 +375,7 @@ Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. -If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string. +If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted) then it will return an empty string. Data type is string. diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index c333660f0f..06562d8462 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md 
@@ -18,7 +18,7 @@ The CM\_CellularEntries configuration service provider is used to configure the This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. -The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. +The following example shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider. ```console CM_CellularEntries 
@@ -56,9 +56,9 @@ The [CMPolicy configuration service provider](cmpolicy-csp.md) uses the value of **AlwaysOn** Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. -A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. +A value of "0" specifies that AlwaysOn isn't supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally. For example, an APN that only controls MMS. -A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. +A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it's available. This setting is recommended for general purpose internet APNs. There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. 
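Review bot: Splitting "...that use a connection occasionally, for example, an APN that only controls MMS." into two sentences leaves "For example, an APN that only controls MMS." as a sentence fragment in the added AlwaysOn line for value "0". Either keep the original comma form or make it a complete sentence: "An APN that only controls MMS is an example."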
@@ -110,7 +110,7 @@ Optional. Specifies if the connection requires a corresponding mappings policy. A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. -For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. +For example, if the multimedia messaging service (MMS) APN shouldn't have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose internet traffic. **Version** Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. 
@@ -143,11 +143,11 @@ Optional. Type: String. Specifies the network protocol of the connection. Availa > Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6. **ExemptFromDisablePolicy** -Added back in Windows 10, version 1511.Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value isn't specified, the default value is "0" (not exempt). +Added back in Windows 10, version 1511. Optional. Type: Int. This value should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value isn't specified, the default value is "0" (not exempt). -To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. +To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". These settings indicate that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. 
->[!Note] +> [!Note] > Sending MMS while roaming is still not allowed. > [!IMPORTANT] 
@@ -159,16 +159,16 @@ To avoid UX inconsistency with certain value combinations of ExemptFromDisablePo - Set AllowMMSIfDataIsOff to 1 (default is 0) **ExemptFromRoaming** -Added back in Windows 10, version 1511.Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt). +Added back in Windows 10, version 1511. Optional. Type: Int. This value should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value isn't specified, the default value is "0" (not exempt). **TetheringNAI** -Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0". +Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value isn't specified, the default value is "0". **IdleDisconnectTimeout** Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. 
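Review bot: The TetheringNAI line is contracted inconsistently: "If a value is not specified" becomes "isn't", but "the connection is not a tethering connection" in the same added line keeps "is not". Apply the contraction to both or to neither; the ExemptFromRoaming line immediately above shows the intended style.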
If not specified, the default is 30 seconds. > [!IMPORTANT] -> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used. +> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it isn't specified, the default value of 30 seconds may be used. > [!NOTE] > If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds. diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index d37ac364ec..333377d822 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -67,7 +67,7 @@ The following list describes the available mapping policy types: **Host** Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use. -The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com". +The host pattern can have two wild cards, `*` and `+`. The host pattern isn't a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be `*.host_name.com` to match any prefix to the `host_name.com` domains. The host pattern will match `www.host_name.com` and `mail.host_name.com`, but it won't match `host_name.com`. **OrderedConnections** Specifies whether the list of connections is in preference order. 
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index cca467417c..e8f9de1f33 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -64,7 +64,7 @@ The following list describes the available mapping policy types: **Host** Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use. -The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com". +The host pattern can have two wild cards, "\*" and "+". The host pattern isn't a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com". **OrderedConnections** Specifies whether the list of connections is in preference order. 
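Review bot: This Host-pattern paragraph in cmpolicyenterprise-csp.md is the same text as the one in cmpolicy-csp.md, but only the cmpolicy-csp.md hunk converts the escaped `"\*"`, `"\*.host\_name.com"` and `"www.host\_name.com"` to backtick-formatted `*`, `*.host_name.com` and `www.host_name.com`, and only it changes "it will not match" to "it won't match". Apply the same formatting and wording here so the two topics stay identical.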
@@ -72,7 +72,7 @@ Specifies whether the list of connections is in preference order. A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. **Conn***XXX* -Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy which is applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". +Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". **ConnectionID** Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. @@ -107,8 +107,8 @@ For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network typ |HSPA HSUPA|{1536A1C6-A4AF-423C-8884-6BDDA3656F84}| |LTE|{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}| |EHRPD|{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}| -|Ethernet 10Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}| -|Ethernet 100Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}| +|Ethernet 10 Mbps|{97D3D1B3-854A-4C32-BD1C-C13069078370}| +|Ethernet 100 Mbps|{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}| |Ethernet Gbps|{556C1E6B-B8D4-448E-836D-9451BA4CCE75}| For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available: diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 7a4eb3b5e1..1a0f77c9ed 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md 
@@ -14,8 +14,8 @@ ms.date: 06/26/2017 # CustomDeviceUI CSP -The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported. -The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. +The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, and the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported. +The following example shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. > [!NOTE] > This configuration service provider only applies to Windows 10 IoT Core (IoT Core). @@ -38,7 +38,7 @@ AppID string value is the default appid/AUMID to launch during startup. The supp List of package names of background tasks that need to be launched on device startup. The supported operation is Get. **BackgroundTasksToLaunch/***BackgroundTaskPackageName* -Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace. +Package Full Name of the application that needs to be launched in the background. This application can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace. ## SyncML examples diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index f514676cbe..22ee682cf2 100644 
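Review bot: Replacing "as well as" with ", and" in the added CustomDeviceUI intro leaves a stray comma in "their custom foreground application, and the background tasks to run on an IoT device running IoT Core". Write "their custom foreground application and the background tasks that run on an IoT device running IoT Core."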
--- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -20,7 +20,7 @@ ms.date: 02/22/2022 The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. -The following shows the Windows Defender configuration service provider in tree format. +The following example shows the Windows Defender configuration service provider in tree format. ``` ./Vendor/MSFT Defender @@ -98,7 +98,7 @@ The data type is a string. Supported operation is Get. **Detections/*ThreatId*/URL** -URL link for additional threat information. +URL link for more threat information. The data type is a string. 
@@ -264,9 +264,9 @@ Supported operation is Get. The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources. The acceptable values for this parameter are: -- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. +- 0: Disabled. The Network Protection service won't block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. - 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service. -- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log. +- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log. Accepted values: Disabled, Enabled, and AuditMode Position: Named 
@@ -276,7 +276,7 @@ Accept wildcard characters: False **EnableNetworkProtection/AllowNetworkProtectionDownLevel** -By default, network protection is not allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. +By default, network protection isn't allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. - Type: Boolean - Position: Named - Default value: False @@ -285,7 +285,7 @@ By default, network protection is not allowed to be enabled on Windows versions **EnableNetworkProtection/AllowNetworkProtectionOnWinServer** -By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. +By default, network protection isn't allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. - Type: Boolean - Position: Named 
@@ -315,7 +315,7 @@ Network Protection inspects UDP connections allowing us to find malicious DNS or **EnableNetworkProtection/DisableInboundConnectionFiltering** -Network Protection inspects and can block both connections that originate from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true". +Network Protection inspects and can block both connections that originate from the host machine, and those connections that originate from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true". - Type: Boolean - Position: Named @@ -325,7 +325,7 @@ Network Protection inspects and can block both connections that originate from t **EnableNetworkProtection/EnableDnsSinkhole** -Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature. +Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS-based malicious attacks. Set this configuration to "$true" to enable this feature. - Type: Boolean - Position: Named 
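Review bot: The added DisableInboundConnectionFiltering line (hunk @@ -315,7) still contains the pre-existing error "To have network connection to inspect only outbound connections"; since the sentence is being rewritten, fix it to "To have Network Protection inspect only outbound connections, set this configuration to "$true"." The first sentence can also be simplified to "Network Protection inspects and can block both connections that originate from the host machine and connections that originate from outside it."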
@@ -335,7 +335,7 @@ Network Protection can inspect the DNS traffic of a machine and, in conjunction **EnableNetworkProtection/DisableDnsOverTcpParsing** -Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true". +Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". - Type: Boolean - Position: Named @@ -345,7 +345,7 @@ Network Protection inspects DNS traffic that occurs over a TCP channel, to provi **EnableNetworkProtection/DisableDnsParsing** -Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true". +Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true". - Type: Boolean - Position: Named 
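Review bot: "This attribute can be disabled by setting this value to "$true"" in the added DisableDnsOverTcpParsing line (hunk @@ -335,7), and the identical wording added for DisableDnsParsing (hunk @@ -345,7), misname what is being disabled: these are configuration settings, not attributes, and what "$true" disables is the DNS parsing, not the setting. Suggest "Set this value to "$true" to disable parsing of DNS traffic over TCP." and "Set this value to "$true" to disable parsing of DNS traffic over UDP." respectively.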
@@ -399,7 +399,7 @@ An interior node to group information about Windows Defender health status. Supported operation is Get. **Health/ProductStatus** -Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. +Added in Windows 10, version 1809. Provide the current state of the product. This value is a bitmask flag value that can represent one or multiple product states from below list. The data type is integer. Supported operation is Get. @@ -489,7 +489,7 @@ Supported operation is Get. **Health/QuickScanOverdue** Indicates whether a Windows Defender quick scan is overdue for the device. -A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default). +A Quick scan is overdue when a scheduled Quick scan didn't complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default). The data type is a Boolean. @@ -498,7 +498,7 @@ Supported operation is Get. **Health/FullScanOverdue** Indicates whether a Windows Defender full scan is overdue for the device. -A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default). +A Full scan is overdue when a scheduled Full scan didn't complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default). The data type is a Boolean. 
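Review bot: "This value is a bitmask flag value" in the added Health/ProductStatus line doubles "value", and "from below list" is left unfixed. Write "The value is a bitmask in which each set bit represents one of the product states in the following list."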
@@ -594,30 +594,30 @@ An interior node to group Windows Defender configuration information. Supported operation is Get. **Configuration/TamperProtection** -Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. +Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. -Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. +Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob. Supported operations are Add, Delete, Get, Replace. Intune tamper protection setting UX supports three states: -- Not configured (default): Does not have any impact on the default state of the device. +- Not configured (default): Doesn't have any impact on the default state of the device. - Enabled: Enables the tamper protection feature. - Disabled: Turns off the tamper protection feature. -When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. 
To change the state to either enabled or disabled would require to be set explicitly. **Configuration/DisableLocalAdminMerge**
              This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. -If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings. +If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings. If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. > [!NOTE] -> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. +> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. Supported OS versions: Windows 10 @@ -630,14 +630,14 @@ Valid values are: - 0 (default) – Disable. **Configuration/HideExclusionsFromLocalAdmins**
              -This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled. +This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. -If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. +If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell. > [!NOTE] -> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. +> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. Supported OS versions: Windows 10 @@ -650,7 +650,7 @@ Valid values are: - 0 (default) – Disable. **Configuration/DisableCpuThrottleOnIdleScans**
              -Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. +Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur. The data type is integer. @@ -691,7 +691,7 @@ Supported operations are Add, Delete, Get, Replace. **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. -When this feature is enabled Windows Defender will compute hashes for files it scans. +When this feature is enabled, Windows Defender will compute hashes for files it scans. The data type is integer. 
@@ -710,11 +710,11 @@ Supported operations are Add, Delete, Get, Replace. Intune Support log location setting UX supports three states: -- Not configured (default) - Does not have any impact on the default state of the device. +- Not configured (default) - Doesn't have any impact on the default state of the device. - 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. - 0 - Disabled. Turns off the Support log location feature. -When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. More details: @@ -734,7 +734,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. 
@@ -767,7 +767,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. @@ -793,7 +793,7 @@ Current Channel (Staged): Devices will be offered updates after the release cycl Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). -If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. The data type is integer. Supported operations are Add, Delete, Get, Replace. 
@@ -810,12 +810,12 @@ More details: **Configuration/DisableGradualRelease** Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates. -Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This is best for datacenters that only receive limited updates. +Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This facility for devices is best for datacenters that only receive limited updates. > [!NOTE] > This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates. -If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index c964ed065c..9768af70a3 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md 
@@ -17,9 +17,9 @@ ms.date: 11/01/2017 The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. -For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information. +For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that both the paths return the same information. -The following shows the DeviceManageability configuration service provider in a tree format. +The following example shows the DeviceManageability configuration service provider in a tree format. ``` ./Device/Vendor/MSFT DeviceManageability 
@@ -46,14 +46,14 @@ Added in Windows 10, version 1709. Interior node. Added in Windows 10, version 1709. Provider ID of the configuration source. ProviderID should be unique among the different config sources. **Provider/_ProviderID_/ConfigInfo** -Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session. +Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to use during sync session. ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources. Data type is string. Supported operations are Add, Get, Delete, and Replace. **Provider/_ProviderID_/EnrollmentInfo** -Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It is readable by MDM server during sync session. +Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session. Data type is string. Supported operations are Add, Get, Delete, and Replace.  diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index f87acbed2e..17cb3d7424 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -17,7 +17,7 @@ ms.date: 06/25/2021 The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. -The following shows the DeviceStatus configuration service provider in tree format. +The following example shows the DeviceStatus configuration service provider in tree format. ``` ./Vendor/MSFT DeviceStatus 
@@ -67,7 +67,7 @@ DeviceStatus The root node for the DeviceStatus configuration service provider. **DeviceStatus/SecureBootState** -Indicates whether secure boot is enabled. The value is one of the following: +Indicates whether secure boot is enabled. The value is one of the following values: - 0 - Not supported - 1 - Enabled @@ -136,7 +136,7 @@ Boolean value that indicates whether the network card associated with the MAC ad Supported operation is Get. **DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** -Type of network connection. The value is one of the following: +Type of network connection. The value is one of the following values: - 2 - WLAN (or other Wireless interface) - 1 - LAN (or other Wired interface) @@ -148,7 +148,7 @@ Supported operation is Get. Node for the compliance query. **DeviceStatus/Compliance/EncryptionCompliance** -Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: +Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values: - 0 - Not encrypted - 1 - Encrypted @@ -194,9 +194,9 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi Valid values: -- 0 - The security software reports that it is not the most recent version. -- 1 (default) - The security software reports that it is the most recent version. -- 2 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) +- 0 - The security software reports that it isn't the most recent version. +- 1 (default) - The security software reports that it's the most recent version. +- 2 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) Supported operation is Get. 
@@ -213,9 +213,9 @@ Valid values: - 0 – Antivirus is on and monitoring. - 1 – Antivirus is disabled. -- 2 – Antivirus is not monitoring the device/PC or some options have been turned off. +- 2 – Antivirus isn't monitoring the device/PC or some options have been turned off. - 3 (default) – Antivirus is temporarily not completely monitoring the device/PC. -- 4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) +- 4 – Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) Supported operation is Get. @@ -229,9 +229,9 @@ Added in Windows, version 1607. Integer that specifies the status of the antisp Valid values: -- 0 - The security software reports that it is not the most recent version. -- 1 - The security software reports that it is the most recent version. -- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) +- 0 - The security software reports that it isn't the most recent version. +- 1 - The security software reports that it's the most recent version. +- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) Supported operation is Get. 
@@ -246,10 +246,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antisp Valid values: -- 0 - The status of the security provider category is good and does not need user attention. -- 1 - The status of the security provider category is not monitored by Windows Security. +- 0 - The status of the security provider category is good and doesn't need user attention. +- 1 - The status of the security provider category isn't monitored by Windows Security. - 2 - The status of the security provider category is poor and the computer may be at risk. -- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service is not actively protecting the computer. +- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service isn't actively protecting the computer. Supported operation is Get. @@ -265,9 +265,9 @@ Valid values: - 0 – Firewall is on and monitoring. - 1 – Firewall has been disabled. -- 2 – Firewall is not monitoring all networks or some rules have been turned off. +- 2 – Firewall isn't monitoring all networks or some rules have been turned off. - 3 (default) – Firewall is temporarily not monitoring all networks. -- 4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) +- 4 – Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn’t exist.) Supported operation is Get. 
@@ -292,21 +292,21 @@ Added in Windows, version 1607. Integer that specifies the status of the batter Supported operation is Get. **DeviceStatus/Battery/EstimatedChargeRemaining** -Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). +Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). -The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. +The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. **DeviceStatus/Battery/EstimatedRuntime** -Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). +Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). -The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. 
+The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. **DeviceStatus/DomainName** -Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device is not domain-joined, it returns an empty string. +Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string. Supported operation is Get. @@ -322,15 +322,15 @@ Added in Windows, version 1709. Virtualization-based security hardware requirem - 0x1: SecureBoot required - 0x2: DMA Protection required - 0x4: HyperV not supported for Guest VM -- 0x8: HyperV feature is not available +- 0x8: HyperV feature isn't available Supported operation is Get. **DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** -Added in Windows, version 1709. Virtualization-based security status. Value is one of the following: +Added in Windows, version 1709. Virtualization-based security status. Value is one of the following values: - 0 - Running - 1 - Reboot required -- 2 - 64 bit architecture required +- 2 - 64-bit architecture required - 3 - Not licensed - 4 - Not configured - 5 - System doesn't meet hardware requirements diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index 670c0d736e..ef7c93a036 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md 
@@ -1,6 +1,6 @@ --- title: DevInfo CSP -description: Learn now the DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. +description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. ms.assetid: d3eb70db-1ce9-4c72-a13d-651137c1713c ms.reviewer: manager: dansimp @@ -15,16 +15,16 @@ ms.date: 06/26/2017 # DevInfo CSP -The DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session. +The DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.   -For the DevInfo CSP, you cannot use the Replace command unless the node already exists. +For the DevInfo CSP, you can't use the Replace command unless the node already exists. -The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider. +The following example shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider. ``` . DevInfo 
@@ -52,14 +52,14 @@ The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp. **Man** Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer. -If no name is found, this returns "Unknown". +If no name is found, the value returned is "Unknown". Supported operation is Get. **Mod** Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName. -If no name is found, this returns "Unknown". +If no name is found, the value returned is "Unknown". Supported operation is Get. diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 5dc126771b..057030f5f3 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -19,7 +19,7 @@ To help diagnose enrollment or device management issues in Windows 10 devices m ## Download the MDM Diagnostic Information log from Windows 10 PCs -1. On your managed device go to **Settings** > **Accounts** > **Access work or school**. +1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**. 1. Click your work or school account, then click **Info.** ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png) 
@@ -88,7 +88,7 @@ You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC ## Collect logs remotely from Windows 10 PCs -When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels: +When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels: - Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin - Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug @@ -234,7 +234,7 @@ After the logs are collected on the device, you can retrieve the files through t ## View logs -For best results, ensure that the PC or VM on which you are viewing logs matches the build of the OS from which the logs were collected. +For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected. 1. Open eventvwr.msc. 2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. @@ -256,7 +256,7 @@ For best results, ensure that the PC or VM on which you are viewing logs matches ![event filter for Device Management.](images/diagnose-mdm-failures13.png) -7. Now you are ready to start reviewing the logs. +7. Now you're ready to start reviewing the logs. ![event viewer review logs.](images/diagnose-mdm-failures14.png) diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index cef5ea62ca..ded51dd0fa 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md 
+++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -18,16 +18,16 @@ The DiagnosticLog configuration service provider (CSP) provides the following fe - [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting. - [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size. - [EtwLog area](#etwlog-area). Control ETW trace sessions. -- [DeviceStateData area](#devicestatedata-area). Provide additional device information. +- [DeviceStateData area](#devicestatedata-area). Provide more device information. - [FileDownload area](#filedownload-area). Pull trace and state data directly from the device. -The following are the links to different versions of the DiagnosticLog CSP DDF files: +The links to different versions of the DiagnosticLog CSP DDF files are: - [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4) - [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3) - [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) -The following shows the DiagnosticLog CSP in tree format. +The following example shows the DiagnosticLog CSP in tree format. ``` ./Vendor/MSFT/DiagnosticLog @@ -92,7 +92,7 @@ Set and Execute are functionality equivalent, and each accepts a `Collection` XM With Windows 10 KB5011543, Windows 11 KB5011563 we have added support for an additional element which will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML. -The following is an example of a `Collection` XML. +The following example shows a `Collection` XML: ``` xml 
@@ -116,7 +116,7 @@ The XML should include the following elements within the `Collection` element: The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server. **SasUrl** -The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It is the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could: +The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could: - Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container - Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container - Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value. 
@@ -127,7 +127,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - Exports all of the key names and values under a given path (recursive). - Expected input value: Registry path such as "HKLM\Software\Policies". - Output format: Creates a .reg file, similar to the output of reg.exe EXPORT command. - - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those under HKLM and HKCR. + - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those paths that're under HKLM and HKCR. - **Events** - Exports all events from the named Windows event log. 
@@ -135,9 +135,9 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain - Output format: Creates a .evtx file. - **Commands** - - This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives are not a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files. + - This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files. - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`. - - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter. + - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands that may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter. - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed: - %windir%\\system32\\certutil.exe - %windir%\\system32\\dxdiag.exe 
@@ -237,11 +237,11 @@ A Get to the above URI will return the results of the data gathering for the las ``` -Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. +Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, the mdmdiagnosticstool.exe command failed. ### Making use of the uploaded data -The zip archive which is created and uploaded by the CSP contains a folder structure like the following: +The zip archive that is created and uploaded by the CSP contains a folder structure like the following example: ```powershell PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z @@ -278,7 +278,7 @@ Administrators can apply automation to 'results.xml' to create their own preferr ```powershell Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++} ``` -This example produces output similar to the following: +This example produces output similar to the following output: ``` DirectiveNumber DirectiveHRESULT DirectiveInput --------------- ---------------- -------------- 
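Review bot: "This example produces output similar to the following output:" repeats "output" within one short sentence; in the second hunk keep the original "similar to the following:" or use "similar to this:". The same pattern appears in the folder-structure sentence of the first hunk, where "like the following example:" should simply be "like the following:" since what follows is a directory listing, not an example to copy.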
@@ -335,7 +335,7 @@ foreach( $element in $resultElements ) #endregion Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse ``` -That example script produces a set of files similar to the following, which can be a useful view for an administrator interactively browsing the results without needing to navigate any sub-folders or refer to `results.xml` repeatedly: +That example script produces a set of files similar to the following set of files, which can be a useful view for an administrator interactively browsing the results without needing to navigate any subfolders or refer to `results.xml` repeatedly: ```powershell PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name @@ -371,7 +371,7 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains The supported operation is Get. **Policy/Channels/_ChannelName_** -Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. +Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When the name is being specified in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. Supported operations are Add, Delete, and Get. 
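Review bot: "When the name is being specified in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI." swaps a plain active sentence for an awkward progressive passive and keeps the comma splice before "otherwise". Suggest "When you specify the name in the LocURI, URL encode it; otherwise it may translate into a different URI." In the first hunk, "similar to the following set of files, which" repeats "set of files" needlessly; "similar to the following, which" was already clear.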
@@ -439,7 +439,7 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments. -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. +If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. Supported operations are Add, Delete, Get, and Replace. 
@@ -636,11 +636,11 @@ Supported operations are Add, Delete, Get, and Replace. The data type is string. The following are the possible values: -- Truncate — When the log file reaches its maximum file size, new events are not written to the log and are lost. -- Overwrite — When the log file reaches its maximum file size, new events overwrite old events. -- Archive — When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file. +- Truncate—When the log file reaches its maximum file size, new events aren't written to the log and are lost. +- Overwrite—When the log file reaches its maximum file size, new events overwrite old events. +- Archive—When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value isn't set, the new file is saved in the same directory as current log file. -If you disable or do not configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but do not replace local configuration. +If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration. Add **ActionWhenFull** 
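Review bot: The Archive bullet still reads "If archive location value isn't set, the new file is saved in the same directory as current log file." and is missing its articles in both versions; since the line is being touched anyway, change it to "If the archive location value isn't set, the new file is saved in the same directory as the current log file."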
@@ -737,10 +737,10 @@ Supported operations are Add, Delete, Get, and Replace. The data type is boolean. The following are the possible values: -- TRUE — Enables the channel. -- FALSE — Disables the channel. +- TRUE—Enables the channel. +- FALSE—Disables the channel. -If you disable or do not configure this policy setting, the locally configured value is used as default. +If you disable or don't configure this policy setting, the locally configured value is used as default. Get **Enabled** ``` xml @@ -853,7 +853,7 @@ For each collector node, the user can: - Change trace log file mode - Change trace log file size limit -The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector. +The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector. For each registered provider in this collector, the user can: @@ -868,7 +868,7 @@ The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediat ### Channel-based tracing -The type of event tracing exports event data from a specific channel. This is only supported on the desktop. +The type of event tracing exports event data from a specific channel. This method is only supported on the desktop. Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin. 
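Review bot: In the @@ -853 hunk, "These attributes are applied when user stops the current session" calls the two settings "attributes" while the preceding sentence calls them "configurations", and both sentences are missing articles. Suggest "The log file mode and log file size limit settings don't take effect while a trace session is in progress; they're applied when the user stops the current session and then starts it again for this collector."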
@@ -999,7 +999,7 @@ The following table lists the possible values: The supported operation is Execute. -After you have added a logging task, you can start a trace by running an Execute command on this node with the value START. +After you've added a logging task, you can start a trace by running an Execute command on this node with the value START. To stop the trace, running an execute command on this node with the value STOP. @@ -1217,7 +1217,7 @@ The following table lists the possible values: | Value | Description | | ----- | ------------------ | -| TRUE | Provider is enabled in the trace session. This is the default. | +| TRUE | Provider is enabled in the trace session. This value is the default value. | | FALSE | Provider is disabled in the trace session. | Set provider **State** @@ -1404,7 +1404,7 @@ Set channel **State** ## DeviceStateData area -The DeviceStateData functionality within the DiagnosticLog CSP provides additional device information. +The DeviceStateData functionality within the DiagnosticLog CSP provides extra device information. The following section describes the nodes for the DeviceStateData functionality. 
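Review bot: In the @@ -1217 table row, "Provider is enabled in the trace session. This value is the default value." says "value" twice in four words; "This is the default." or "(default)" is the usual table-cell form. The replacement was presumably made to avoid a bare "This", but "This is the default." is unambiguous in a table row that describes one value.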
@@ -1443,10 +1443,10 @@ The FileDownload feature of the DiagnosticLog CSP enables a management server to ### Comparing FileDownload and DiagnosticArchive -Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they are optimized for different workflows. +Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they're optimized for different workflows. -- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It is typically used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage. -- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT. +- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It's used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage. +- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions, the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. 
The data transfer happens outside of the OMA-DM session, via an HTTP PUT. The following section describes the nodes for the FileDownload functionality. diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index a9e4996ee9..f3e3c24cf9 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -1,6 +1,6 @@ --- title: Disconnecting from the management infrastructure (unenrollment) -description: Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server. +description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. MS-HAID: - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' 
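Review bot: In the FileDownload bullet, changing "It is typically used together with the EtwLogs feature" to "It's used together with the EtwLogs feature" drops "typically" and turns a description of common usage into an unconditional statement; restore "It's typically used together with the EtwLogs feature". The typo "FileDownlod requires granular orchestration" sits on the same line in both the old and new versions and should be fixed to "FileDownload" while this line is being edited.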
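Review bot: The new description line, "Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.", changes the meaning of the original in two ways: "may be initiated" described two possible paths and "from the phone" meant the user acts on the device itself, whereas "using a phone" reads as if a phone is a tool used to unenroll. Suggest "Disconnecting can be initiated either locally by the user from the phone or remotely by the IT admin using the management server."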
@@ -18,15 +18,16 @@ ms.date: 06/26/2017 # Disconnecting from the management infrastructure (unenrollment) -Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server. User-initiated disconnection is performed much like the initial connection, and it is initiated from the same location in the Setting Control Panel as creating the workplace account. Users may choose to disconnect for any number of reasons, including leaving the company or getting a new device and no longer needing access to their LOB apps on the old device. When an administrator initiates a disconnection, the enrollment client performs the disconnection during its next regular maintenance session. Administrators may choose to disconnect a user’s device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy. +The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account. +The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy. 
-During disconnection, the client does the following: +During disconnection, the client executes the following tasks: - Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well. - Removes certificates that are configured by MDM server. -- Ceases enforcement of the settings policies that the management infrastructure has applied. +- Ceases enforcement of the settings policies applied by the management infrastructure. - Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure. -- Reports successful initiated disassociation to the management infrastructure if the admin initiated the process. Note that in Windows, user-initiated disassociation is reported to the server as a best effort. +- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort. ## In this topic 
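Review bot: The rewritten opening paragraph is harder to read than the one it replaces: "The Disconnecting process is done either locally by the user who uses a phone" has the same "uses a phone" problem as the description, and "such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore." promises a list that never appears and ends on a stray ", anymore". Suggest keeping the original second sentence, "Users may choose to disconnect for any number of reasons, including leaving the company or getting a new device and no longer needing access to their LOB apps on the old device." In the bullet list, "Reports successfully initiated disassociation" is still ungrammatical; "Reports the successful disassociation to the management infrastructure if the admin initiated the process." says what was meant.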
@@ -40,12 +41,12 @@ During disconnection, the client does the following: ## User-initiated disconnection -In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will send a notification to the MDM server notifying that the server the account will be removed. This is a best effort action as no retry is built-in to ensure the notification is successfully sent to the device. +In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device. This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. > [!NOTE] -> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).   
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. @@ -135,11 +136,11 @@ You can only use the Work Access page to unenroll under the following conditions ## Unenrollment from Azure Active Directory Join -When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. +When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. ![aadj unenerollment.](images/azure-ad-unenrollment.png) -When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. +During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. 
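Review bot: In the @@ -40 hunk, "the MDM client will notify to the MDM server that the account will be removed" is ungrammatical; "notify" takes a direct object, so "will notify the MDM server that the account will be removed". The same paragraph, in both old and new versions, says no retry ensures "the notification is successfully sent to the device", but the following paragraph describes this alert as sent from the device to the MDM server (generic alert 1226 "to the MDM server"); the direction should be "sent to the server", and it matters because a server that relies on this alert to know a device dropped out of management must treat it as best effort, exactly as the text says.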
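Review bot: In the @@ -135 hunk, "When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects" removes the actor (the user disconnects) and places the comma so that "later" attaches to the wrong clause; the original "and then disconnects the enrollment" was correct. Likewise "During the process in which a device is enrolled into MDM ... and then remotely unenrolled" is wordier than "When a device is enrolled ... and then remotely unenrolled" with no gain. The typo "corporated devices" is on the edited line in both versions and should become "corporate devices".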
@@ -148,7 +149,7 @@ In mobile devices, remote unenrollment for Azure Active Directory Joined devices ## IT admin–requested disconnection -The server requests an enterprise management disconnection request by issuing an Exec OMA DM SyncML XML command to the device using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DM client configuration topic. +The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic. When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management. diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 9b4f0785ff..4e55cd3c89 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md 
@@ -21,9 +21,9 @@ The DMAcc configuration service provider allows an OMA Device Management (DM) ve -For the DMAcc CSP, you cannot use the Replace command unless the node already exists. +For the DMAcc CSP, you can't use the Replace command unless the node already exists. -The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider. +The following example shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider. ``` ./SyncML @@ -103,7 +103,7 @@ Required. **AppAddr/***ObjectName* Required. Defines the OMA DM server address. Only one server address can be configured. -When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored. +When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". This DM address is the first one encountered in the w7 APPLICATION configuration service provider; other DM accounts are ignored. ***ObjectName*/Addr** Required. Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element. 
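Review bot: "The following example shows the DMAcc configuration service provider management object in tree format" labels the CSP's actual node tree as an example, which it isn't; keep "The following shows" or use "The following tree shows". In the @@ -103 hunk, "When the w7 APPLICATION configuration service provider is being mapped to the DMAcc Configuration Service Provider" replaces a clear gerund with a progressive passive; "When you map the w7 APPLICATION configuration service provider to the DMAcc configuration service provider" is shorter and keeps the reader as the actor. The same construction is introduced in the Port and AppAuth hunks below and deserves the same fix.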
@@ -125,10 +125,10 @@ Optional. **Port/***ObjectName* Required. Only one port number can be configured. -When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". +When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". ***ObjectName*/PortNbr** -Required. Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer. +Required. Specifies the port number of the OMA MD account address. This number must be a decimal number that fits within the range of a 16-bit unsigned integer. Value type is string. Supported operations are Add, Get, and Replace. @@ -137,7 +137,7 @@ Optional. Specifies the application authentication preference. A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST' specifies that the client attempts MD5 authentication. -If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first. +If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria aren't met, then the client tries BASIC authorization first. Value type is string. Supported operations are Add, Get, and Replace. 
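Review bot: The PortNbr line being edited still reads "Specifies the port number of the OMA MD account address" in both versions; "OMA MD" should be "OMA DM". In the @@ -137 hunk, the mismatched quotes in "A value of "DIGEST' specifies" are on the context line immediately above the edited line and are worth fixing in the same change, since "BASIC" and "DIGEST" are the two literal values an administrator copies into the AuthPref node.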
@@ -147,7 +147,7 @@ Optional. Defines authentication settings. **AppAuth/***ObjectName* Required. Defines one set of authentication settings. -When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). +When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). ***ObjectName*/AAuthlevel** Required. Specifies the application authentication level. @@ -176,7 +176,7 @@ Value type is string. Supported operations are Add and Replace. ***ObjectName*/AAuthData** Optional. Specifies the next nonce used for authentication. -"Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks. +"Nonce" refers to a number used once. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in repeat attacks. Value type is binary. Supported operations are Add and Replace. 
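Review bot: In the @@ -176 hunk, "to ensure that old communications can't be reused in repeat attacks" keeps the nonstandard term from the original; the accepted term for reusing captured protocol messages is "replay attacks", and using it makes the purpose of the AAuthData nonce immediately recognisable. In the @@ -147 hunk, "the name of this element is same name as the AAuthLevel value" is missing "the" and repeats "name"; "the name of this element is the same as the AAuthLevel value" is enough.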
@@ -226,16 +226,16 @@ The default value is 86400000. Value type is integer. Supported operations are Add, Get, and Replace. **Microsoft/ProtoVer** -Optional. Specifies the OMA DM Protocol version that the server supports. There is no default value. +Optional. Specifies the OMA DM Protocol version that the server supports. There's no default value. -Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2. +Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2. Value type is string. Supported operations are Add, Get, and Replace. **Microsoft/Role** Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server. -If this parameter is not present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values. +If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values. - 4 = SECROLE\_OPERATOR 
@@ -245,7 +245,7 @@ If this parameter is not present, the DM session is given the role mask of the O - 128 = SECROLE\_OPERATOR\_TPS -The acceptable access roles for this node cannot be more than the roles assigned to the DMAcc object. +The acceptable access roles for this node can't be more than the roles assigned to the DMAcc object. Value type is integer. Supported operations are Get and Replace. 
@@ -267,9 +267,9 @@ Value type is bool. Supported operations are Add, Get, and Replace. **Microsoft/UseNonceResync** Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is "FALSE". -If the authentication fails because the server nonce does not match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device did not authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message. +If the authentication fails because the server nonce doesn't match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device didn't authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message. -The default value of "FALSE" specifies that the client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed. +The default value of "FALSE" specifies that the client doesn't try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed. Value type is bool. Supported operations are Add, Get, and Replace. 
@@ -284,19 +284,19 @@ Optional. Determines whether the OMA DM client should be launched when roaming. Value type is bool. Supported operations are Add, Get, and Replace. **SSLCLIENTCERTSEARCHCRITERIA** -Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored. +Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it's ignored. The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC. -The supported names are Subject and Stores; wildcard certificate search is not supported. +The supported names are Subject and Stores; wildcard certificate search isn't supported. -Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive. +Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive. > **Note**   %EF%80%80 is the UTF8-encoded character U+F000. -Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following: +Subject specifies the certificate to search for. 
For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following schema: ```xml Value type is string. Supported operation is Get.

              **PowerSettings** -

              Node for power-related configrations

              +

              Node for power-related configurations

              **PowerSettings/MaxSkippedSessionsInLowPowerState**

              Maximum number of continuous skipped sync sessions when the device is in low-power state.

              diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 37a56ed643..355e5d1e79 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md 
@@ -14,11 +14,11 @@ ms.collection: highpri # DynamicManagement CSP -Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. +Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. This CSP was added in Windows 10, version 1703. -The following shows the DynamicManagement configuration service provider in tree format. +The following example shows the DynamicManagement configuration service provider in tree format. ``` ./Device/Vendor/MSFT DynamicManagement @@ -85,7 +85,7 @@ DynamicManagement

              Value type is integer. Supported operation is Get.

              **Altitude** -

              A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.

              +

              A value that determines how to handle conflict resolution of applying multiple contexts on the device. This value is required and must be distinct of other priorities.

              Value type is integer. Supported operations are Add, Get, Delete, and Replace.
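Review bot: "The following example shows the DynamicManagement configuration service provider in tree format" in the intro hunk mislabels the node tree as an example; the block that follows is the CSP's actual node layout, not an illustration, so keep "The following shows" or use "The following tree shows". While here, the first sentence still needs a comma after the version: "In Windows 10, version 1703, the focus is on the most common areas of concern".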
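Review bot: "must be distinct of other priorities" in the Altitude hunk keeps the wrong preposition and an unclear referent ("priorities" is not a term used elsewhere for this node). Suggest: "This value is required and must be distinct from the Altitude of every other context on the device." Since Altitude is what resolves conflicts between contexts, the node description would also benefit from one sentence saying which direction wins (higher or lower value), which the hunk does not state.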

              **AlertsEnabled** diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 37f0269edb..9f9d1ab88c 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -34,7 +34,7 @@ To get the EAP configuration from your desktop using the rasphone tool that is s ![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png) -1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters. +1. Enter an Internet address and connection name. These details can be fake since it doesn't impact the authentication parameters. ![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png) @@ -60,7 +60,7 @@ To get the EAP configuration from your desktop using the rasphone tool that is s Get-VpnConnection -Name Test ``` - Here is an example output. + Here's an example output. ``` syntax Name : Test @@ -88,7 +88,7 @@ To get the EAP configuration from your desktop using the rasphone tool that is s $a.EapConfigXmlStream.InnerXml ``` - Here is an example output. + Here's an example output. ```xml listed. The *text id* and *enum id* represents the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. + 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. - Here is the snippet from appv.admx: + Here's the snippet from appv.admx: ```xml 
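Review bot: "These details can be fake since it doesn't impact the authentication parameters" in the rasphone hunk has a number mismatch ("These details ... it doesn't"). Suggest "You can enter placeholder values here, because they don't affect the EAP configuration that this procedure exports." That also makes the reason explicit: the connection is created only so that Get-VpnConnection and EapConfigXmlStream.InnerXml, shown later in the same hunk, have something to read; it is never dialed.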
@@ -208,7 +208,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 6. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. - Here is the example XML for Publishing_Server2_Policy: + Here's the example XML for Publishing_Server2_Policy: ```xml @@ -225,7 +225,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 7. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. - Here is the example for **AppVirtualization/PublishingAllowServer2**: + Here's the example for **AppVirtualization/PublishingAllowServer2**: > [!NOTE] > The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 6e4cf78685..767c141d9a 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 03/02/2022 +ms.date: 04/30/2022 ms.reviewer: manager: dansimp ms.collection: highpri 
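Review bot: the CDATA note in the @@ -225 hunk should carry the caveat that a CDATA section cannot contain the sequence "]]>", so a policy value that includes it still has to be XML-encoded; as written, "To avoid encoding, you can use CData" reads as if CDATA removes the encoding requirement entirely. In the same hunk, "Payload contains \ and name/value pairs" shows a stray backslash where an element name should appear (the same artifact is in step 5, "you can see the \ listed", and step 6, "From the **\** tag"), so check that the escaped tag names survive in the source and render on the published page.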
@@ -18,19 +18,19 @@ ms.collection: highpri - Windows 10 -Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. +Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. -The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. +The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. Requirements: - Active Directory-joined PC running Windows 10, version 1709 or later - The enterprise has configured a mobile device management (MDM) service - The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad) -- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) -- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. 
+- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) +- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan). > [!TIP] -> For additional information, see the following topics: +> For more information, see the following topics: > - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) > - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) 
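Review bot: "This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices" in the intro hunk is filler introduced by the edit; "This means" was clearer, or "As a result, you can mass-enroll domain-joined corporate devices without user interaction." In the requirements list, "(devices managed using agents will fail enrollment with `error 0x80180026`)" would read better as "(enrollment fails with error 0x80180026 on devices still managed by the classic agents)", with the code outside the code span since "error" is not part of it.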
@@ -42,9 +42,9 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins) +In Windows 10, version 1709 or later, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. Since Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). -For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. +For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices. ## Verify auto-enrollment requirements and settings 
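Review bot: "Group Policy policy takes precedence over MDM" in the precedence hunk doubles the word "policy"; suggest "the Group Policy setting takes precedence over the MDM setting". Because this paragraph is the only place the page tells an admin which configuration source wins, it should also name the Windows 10, version 1803 setting that flips precedence to MDM rather than pointing only at an archived blog post; an admin who relies on MDM to enforce a security baseline needs to know that a conflicting GPO silently wins by default.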
@@ -55,17 +55,18 @@ The following steps demonstrate required settings using the Intune service: :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) > [!IMPORTANT] - > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. + > For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. > - > For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. + > For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. 3. 
Verify that the device OS version is Windows 10, version 1709 or later. -4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. + +4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. 
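Review bot: "For bring-your-own devices (BYOD devices)" in the IMPORTANT box expands the acronym redundantly; use "For bring-your-own-device (BYOD) scenarios" or "For personal devices". The substance of that box is security-relevant and worth keeping prominent: with both the MAM and MDM user scopes enabled for the same users, personal devices end up under WIP/MAM rather than MDM-enrolled, so a tenant that expects every Windows device to be MDM-managed should scope MAM and MDM to different groups. Also, the hunk adds a blank line before step 4 but not before step 3, so the list spacing is now inconsistent.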
@@ -87,10 +88,11 @@ The following steps demonstrate required settings using the Intune service: :::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. +7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. + You may contact your domain administrators to verify if the group policy has been deployed successfully. -8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal). +8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal). 9. Verify that Microsoft Intune should allow enrollment of Windows devices. 
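Review bot: step 9, "Verify that Microsoft Intune should allow enrollment of Windows devices", is untouched in the hunk but reads as a wish rather than a check; suggest "Verify that Microsoft Intune allows enrollment of Windows devices" (that is, that Windows enrollment is not blocked for the tenant). Step 7's "You may contact your domain administrators" should be "You can contact", consistent with the may/might cleanup elsewhere in this change.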
@@ -98,42 +100,38 @@ You may contact your domain administrators to verify if the group policy has bee ## Configure the auto-enrollment Group Policy for a single PC -This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). +This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). Requirements: - AD-joined PC running Windows 10, version 1709 or later - Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD -1. Run GPEdit.msc - - Click Start, then in the text box type gpedit. +1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`. ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png) -2. Under **Best match**, click **Edit group policy** to launch it. +2. Under **Best match**, select **Edit group policy** to launch it. -3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. +3. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**. :::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png"::: -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. +4. 
Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**. :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: -5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. +5. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. > [!NOTE] - > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. - > - > The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop. + > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**. + > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop because the Intune subscription is user centric. - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." 
+ When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from AAD." To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). - If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. + If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) 
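Review bot: "because the Intune subscription is user centric" in the NOTE adds a new causal claim during what is otherwise a wording pass; it is not sourced here and does not explain why user-centric licensing permits **Device Credential** for Co-management and Azure Virtual Desktop but nowhere else, so either drop the clause or cite the Intune page that states the restriction. Two smaller things in the same hunk: step 1 uses "Choose **Start**" while every other step was changed to "Select", and step 4's "**Selected Credential Type to use**" and step 5's "**Select Credential Type to Use**" name the same dropdown differently; use the label exactly as MDM.admx presents it in both places.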
@@ -141,33 +139,33 @@ Requirements: > You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). -6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account. +6. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account. -7. Click **Info** to see the MDM enrollment information. +7. Select **Info** to see the MDM enrollment information. ![Work School Settings.](images/autoenrollment-settings-work-school.png) - If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app). + If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app). ### Task Scheduler app -1. Click **Start**, then in the text box type **task scheduler**. +1. Select **Start**, then in the text box type `task scheduler`. ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png) -2. Under **Best match**, click **Task Scheduler** to launch it. +2. Under **Best match**, select **Task Scheduler** to launch it. -3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. +3. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**. :::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). 
You can see the logs in the **History** tab. + To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). You can see the logs in the **History** tab. - If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. + If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy. > [!NOTE] - > The GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies. + > The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies. ## Configure the auto-enrollment for a group of devices @@ -178,7 +176,7 @@ Requirements: - Ensure that PCs belong to same computer group. > [!IMPORTANT] -> If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. +> If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. 1. Download: 
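Review bot: "The message **0x80180026** is a failure message" in the Task Scheduler hunk is circular; suggest "A **Last Run Result** of **0x80180026** (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`) means enrollment was blocked." The same code is cited in the requirements list above as the failure for devices still managed by the classic Intune agents, so this paragraph should list both causes (the **Disable MDM Enrollment** policy and a leftover classic-agent enrollment) rather than only the policy, so the reader does not stop at the first one. Also, "open **Microsoft > Windows** , then select" keeps a stray space before the comma.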
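Review bot: the IMPORTANT box in the @@ -178 hunk still says "it may be because" and "Note that the latest MDM.admx is backwards compatible" while the rest of this change replaces "may" with "might" and drops "Note that" (as in the Task Scheduler troubleshooting paragraph later in the file); apply the same treatment here: "it might be because you don't have the ADMX ... installed. ... The latest MDM.admx is backwards compatible."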
@@ -219,11 +217,11 @@ Requirements: - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update (21H2)** -4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. +4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. -5. Copy PolicyDefinitions folder to **\\SYSVOL\contoso.com\policies\PolicyDefinitions**. +5. Copy the PolicyDefinitions folder to `\\SYSVOL\contoso.com\policies\PolicyDefinitions`. - If this folder does not exist, then be aware that you will be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. + If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. 6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. 
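Review bot: the central-store path in step 5, `\\SYSVOL\contoso.com\policies\PolicyDefinitions`, puts SYSVOL in the server position, which is not how the SYSVOL share is addressed; the documented central store location is `\\<domain FQDN>\SYSVOL\<domain FQDN>\Policies\PolicyDefinitions`, so check the path against the linked central policy store article and fix it rather than just wrapping it in a code span. Also, the edit dropped "be aware that" from the line that follows; creating PolicyDefinitions under SYSVOL switches ADMX resolution for every GPO editor in the domain, so keep a caution word there ("Be aware that if this folder doesn't exist, creating it switches your entire domain to a central policy store") rather than a bare statement.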
@@ -238,40 +236,41 @@ This procedure will work for any future version as well. 4. Filter using Security Groups. ## Troubleshoot auto-enrollment of devices + Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. To collect Event Viewer logs: 1. Open Event Viewer. -2. Navigate to **Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin**. + +2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**. > [!Tip] > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). -3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully: +3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: :::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: - If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons: + If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons: - - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed: + - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. 
Here's an example screenshot that shows that the auto-enrollment failed: :::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png"::: - To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors) for more information. + To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors). - - The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section. + - The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section. - The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot: + The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. 
This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: :::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png"::: > [!Note] - > This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task. + > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task. - This task runs every 5 minutes for the duration of 1 day. To confirm if the task succeeded, check the task scheduler event logs: - **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. - Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107. + This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: + **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107. :::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png"::: 
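Review bot: "This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task" in the troubleshooting hunk turns the original dash into a comma splice; use "so run Scheduled Tasks with administrative credentials" or a semicolon. Two lines later, "Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107" reads as if "task scheduler" were the subject; quote the task name as the page does elsewhere: 'Look for an entry where the task "Schedule created by enrollment client for automatically enrolling in MDM from AAD" is triggered (event ID 107).'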
@@ -279,16 +278,16 @@ To collect Event Viewer logs: :::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png"::: - Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. + The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment. - If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. + If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: :::image type="content" alt-text="Outdated enrollment entries." 
source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png"::: - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. + By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016. - A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: + A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: :::image type="content" alt-text="Manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png"::: diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index 3b4e865ccb..6cf9e1ad93 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md 
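Review bot: the hunk renames the task in the search instruction to "... automatically enrolling in MDM from Azure AD", but the scheduled task is literally named "Schedule created by enrollment client for automatically enrolling in MDM from AAD" (this page quotes it that way twice above), so a reader searching the Task Scheduler log for the new string will not find it; keep the literal name and quote it. "This status-display means" is awkward; "This means" is enough. For the registry fix, deleting a key under **HKLM\Software\Microsoft\Enrollments** by choosing "the key that displays most entries" is a risky heuristic; suggest telling the reader to export the key with `reg export` before deleting anything and to confirm the device is not currently enrolled with any MDM, since removing a live enrollment key breaks management of the device. Finally, the error code 2149056522 is decimal while the rest of the page gives codes in hex (0x80180026); show it as 0x8018000A as well so readers can match it against the event.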
@@ -1,6 +1,6 @@ --- title: EnrollmentStatusTracking CSP -description: Learn how to perform a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. +description: Learn how to execute a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations. ms.author: dansimp ms.topic: article ms.prod: w10 
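Review bot: the `description` in this front-matter hunk still describes a Windows Hello for Business hybrid certificate trust deployment, which has nothing to do with the EnrollmentStatusTracking CSP documented on the page (see the H1 and intro in the next hunk); the edit swapped "perform" for "execute" but kept the wrong summary, and this field is what the docs index and search engines surface. Replace it with a one-line summary of the CSP, for example "Learn how the EnrollmentStatusTracking CSP reports Win32 app installation status to the Enrollment Status Page during Autopilot deployment."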
@@ -11,14 +11,14 @@ ms.date: 05/21/2019 # EnrollmentStatusTracking CSP -During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device use until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar to configure ESP for blocking the device use until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status). +During Autopilot deployment, you can configure the Enrollment Status Page (ESP) to block the device usage until the required apps are installed. You can select the apps that must be installed before using the device. The EnrollmentStatusTracking configuration service provider (CSP) is used by Intune's agents, such as SideCar, to configure ESP for blocking the device usage until the required Win32 apps are installed. It tracks the installation status of the required policy providers and the apps they install and sends it to ESP, which displays the installation progress message to the user. For more information on ESP, see [Windows Autopilot Enrollment Status page](/windows/deployment/windows-autopilot/enrollment-status). -ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. 
See [DMClient CSP](dmclient-csp.md) for more information. +ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track the installation of different apps. The EnrollmentStatusTracking CSP tracks Win32 apps installations and DMClient CSP tracks MSI and Universal Windows Platform apps installations. In DMClient CSP, the **FirstSyncStatus/ExpectedMSIAppPackages** and **FirstSyncStatus/ExpectedModernAppPackages** nodes list the apps to track their installation. For more information, see [DMClient CSP](dmclient-csp.md). The EnrollmentStatusTracking CSP was added in Windows 10, version 1903. -The following shows the EnrollmentStatusTracking CSP in tree format. +The following example shows the EnrollmentStatusTracking CSP in tree format. ``` ./User/Vendor/MSFT EnrollmentStatusTracking diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index 9397684167..d5a45549a2 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md 
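Review bot: "The following example shows the EnrollmentStatusTracking CSP in tree format" mislabels the node tree as an example; the fenced block is the CSP's actual node layout, so "The following tree shows" (or the original "The following shows") is more accurate. The same "example shows ... in tree format" substitution is repeated in the EnterpriseAPN, EnterpriseAppManagement, EnterpriseDataProtection, EnterpriseDesktopAppManagement and EnterpriseModernAppManagement hunks below and should be reverted consistently. Separately, "block the device usage" reads awkwardly in both places it is introduced; "block use of the device until the required apps are installed" is cleaner.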
@@ -400,7 +400,7 @@ If you purchased an app from the Store for Business and the app is specified for Here are the requirements for this scenario: -- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ +- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx`). - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. - The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled. - The user must be logged in, but association with Azure AD identity isn't required. @@ -517,7 +517,7 @@ Provisioning allows you to stage the app to the device and all users of the devi Here are the requirements for this scenario: -- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ +- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx\`) - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. - The device doesn't need to have connectivity to the Microsoft Store, or store services enabled. - The device doesn't need any Azure AD identity or domain membership. 
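Review bot: the second hunk (around line 517) leaves a stray backslash inside the code span and drops the closing period, "`https://contoso.com/app1.appx\`)", while the first hunk (around line 400) correctly produces "`https://contoso.com/app1.appx`)." Make the two lines identical. Both changed lines also keep the "app1.apx" typo in the UNC path example, and the unchanged context line below each has "HTTPs" where "HTTPS" is meant; since these lines are being touched anyway, fix them in the same pass.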
diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 2b50af966e..8893e068c9 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -19,7 +19,7 @@ The EnterpriseAPN configuration service provider (CSP) is used by the enterprise > [!Note] > Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. -The following shows the EnterpriseAPN configuration service provider in tree format. +The following example shows the EnterpriseAPN configuration service provider in tree format. ``` ./Vendor/MSFT EnterpriseAPN @@ -52,7 +52,7 @@ EnterpriseAPN

              Supported operations are Add, Get, Delete, and Replace.

              **EnterpriseAPN/*ConnectionName*/IPType** -

              This value can be one of the following:

              +

              This value can be one of the following values:

              - IPv4 - only IPV4 connection type - IPv6 - only IPv6 connection type @@ -67,12 +67,12 @@ EnterpriseAPN

              Supported operations are Add, Get, Delete, and Replace.

              **EnterpriseAPN/*ConnectionName*/ClassId** -

              GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

              +

              GUID that defines the APN class to the modem. This GUID is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.

              Supported operations are Add, Get, Delete, and Replace.

              **EnterpriseAPN/*ConnectionName*/AuthType** -

              Authentication type. This value can be one of the following:

              +

              Authentication type. This value can be one of the following values:

              - None (default) - Auto @@ -93,7 +93,7 @@ EnterpriseAPN

              Supported operations are Add, Get, Delete, and Replace.

              **EnterpriseAPN/*ConnectionName*/IccId** -

              Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

              +

              Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

              Supported operations are Add, Get, Delete, and Replace.
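Review bot: the IPType hunk (around line 52) rewords only the lead sentence and leaves the unchanged value list with inconsistent casing, "IPv4 - only IPV4 connection type"; since the block is already being edited, normalize to "IPv4". The new wording "This value can be one of the following values:" also repeats "value" within one sentence, here and in the AuthType hunk; "Allowed values:" or the original "This value can be one of the following:" avoids that.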

              diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 4192b8bdcc..b59fc137e1 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -21,7 +21,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to > The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core. -The following shows the EnterpriseAppManagement configuration service provider in tree format. +The following example shows the EnterpriseAppManagement configuration service provider in tree format. ```console ./Vendor/MSFT @@ -52,7 +52,7 @@ EnterpriseAppManagement ``` ***EnterpriseID*** -Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. +Optional. A dynamic node that represents the EnterpriseID as a GUID. It's used to enroll or unenroll enterprise applications. Supported operations are Add, Delete, and Get. 
@@ -190,11 +190,11 @@ Supported operation is Exec. ### Install and Update Line of Business (LOB) applications -A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support a variety of file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. +A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support various file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. ### Uninstall Line of Business (LOB) applications -A workplace can also remotely uninstall Line of Business applications on the device. It is not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that are not installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section +A workplace can also remotely uninstall Line of Business applications on the device. It's not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that aren't installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section. ### Query installed Store application 
@@ -242,7 +242,7 @@ All node values under the ProviderID interior node represent the policy values t - An Add or Replace command on those nodes returns success in both of the following cases: - - The value is actually applied to the device. + - The value is applied to the device. - The value isn’t applied to the device because the device has a more secure value set already. @@ -252,9 +252,9 @@ From a security perspective, the device complies with the policy request that is - If a Replace command fails, the node value is set to be the previous value before Replace command was applied. -- If an Add command fails, the node is not created. +- If an Add command fails, the node isn't created. -The value actually applied to the device can be queried via the nodes under the DeviceValue interior node. +The value applied to the device can be queried via the nodes under the DeviceValue interior node. ## OMA DM examples @@ -303,7 +303,7 @@ Update the enrollment token (for example, to update an expired application enrol ``` -Query all installed applications that belong to enterprise id “4000000001”: +Query all installed applications that belong to enterprise ID “4000000001”: ```xml 
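Review bot: dropping "actually" from "The value is actually applied to the device" and from "The value actually applied to the device can be queried via the nodes under the DeviceValue interior node" loses the distinction this section exists to make: an Add or Replace returns success both when the requested value takes effect and when the device keeps a more secure value it already had, so DeviceValue reports the effective value, not the requested one. Keep the contrast explicit, for example "The requested value is applied to the device." and "The value in effect on the device can be queried via the nodes under the DeviceValue interior node."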
@@ -430,7 +430,7 @@ Response from the device (that contains two installed applications): Install or update the installed app with the product ID “{B316008A-141D-4A79-810F-8B764C4CFDFB}”. -To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application does not exist, the application will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog. +To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application doesn't exist, the application will be silently installed without any user interaction. If the application can't be installed, the user will be notified with an Alert dialog. > [!NOTE] > - If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation). diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index e406d98d74..d8ec6f71d5 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md 
@@ -29,7 +29,7 @@ To learn more about WIP, see the following articles: - [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) - [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) -The following shows the EnterpriseDataProtection CSP in tree format. +The following example shows the EnterpriseDataProtection CSP in tree format. ```console ./Device/Vendor/MSFT @@ -53,7 +53,7 @@ The root node for the CSP. The root node for the Windows Information Protection (WIP) configuration settings. **Settings/EDPEnforcementLevel** -Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. +Set the WIP enforcement level. Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. The following list shows the supported values: 
@@ -67,7 +67,7 @@ Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. -Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. +Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client. > [!Note] > The client requires domain name to be canonical, otherwise the setting will be rejected by the client. @@ -82,7 +82,7 @@ Here are the steps to create canonical domain names: Supported operations are Add, Get, Replace, and Delete. Value type is string. **Settings/AllowUserDecryption** -Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. +Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user won't be able to remove protection from enterprise content through the operating system or the application user experiences. > [!IMPORTANT] > Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. 
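Review bot: the EnterpriseProtectedDomainNames hunk leaves two defects in the unchanged context line directly above the changed one: 'separated by pipes ("|").The first domain' is missing a space after the period, and "User identities from one of these domains is considered an enterprise managed account" should read "are considered enterprise managed accounts". In the AllowUserDecryption hunk, "If this is set to 0 (Not Allowed)" uses the bare "this" that the rest of the patch replaces elsewhere; "If this value is set to 0" would be consistent.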
@@ -97,7 +97,7 @@ Most restricted value is 0. Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/DataRecoveryCertificate** -Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. +Specifies a recovery certificate that can be used for data recovery of encrypted files. This certificate is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. > [!Note] > If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced. 
@@ -226,12 +226,12 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { } PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG; ``` -For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. +For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate. Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll** -This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. +This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1. The following list shows the supported values: 
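Review bot: in the RevokeOnUnenroll hunk, "there will be no revoked file cleanup, later." misplaces the comma and says less than the original "subsequently"; use "there will be no subsequent revoked-file cleanup." The next sentence, carried over unchanged, is also tangled: "Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1" reads better as "If you want the device to perform a selective wipe on unenrollment, explicitly set this policy to 1 before sending the unenroll command." In the EFSCertificate hunk, "DER ENCODED" should be "DER-encoded".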
@@ -241,7 +241,7 @@ The following list shows the supported values: Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys - 1 (default) - Revoke keys 
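Review bot: "This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service" is ambiguous, because "this setting" can be read as the RevokeOnMDMHandoff policy itself rather than the value 0 that the previous sentence describes; write "Setting this value to 0 is recommended if ..." so the recommendation points at the non-revoking value.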
@@ -262,8 +262,8 @@ Specifies whether to allow Azure RMS encryption for WIP. Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. -When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. +Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. +When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. Supported operations are Add, Get, Replace and Delete. Value type is string. **Settings/EDPShowIcons** @@ -290,7 +290,7 @@ Bit 0 indicates whether WIP is on or off. Bit 1 indicates whether AppLocker WIP policies are set. -Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero). +Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero). Here's the list of mandatory WIP policies: 
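Review bot: the status-bits hunk (around line 290) keeps "the bit 3 is set to 0 (zero)"; drop the article to match "Bit 0" and "Bit 1" in the surrounding lines: "bit 3 is set to 0 (zero)".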
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 5df6a8b40b..13aead751f 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -17,9 +17,9 @@ ms.date: 07/11/2017 The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. -Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). +Application installations can take some time to complete, hence they're done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). -The following shows the EnterpriseDesktopAppManagement CSP in tree format. +The following example shows the EnterpriseDesktopAppManagement CSP in tree format. ``` ./Device/Vendor/MSFT 
@@ -66,9 +66,9 @@ Installation date of the application. Value type is string. Supported operation **MSI/*ProductID*/DownloadInstall** Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get. -In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.\ 0 will set the timeout to infinite. +In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (don't send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. `` 0 will set the timeout to infinite. -Here is an example: +Here's an example: ```xml 
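Review bot: the DownloadInstall hunk (around line 66) replaces a backslash with an empty code span, "`` 0 will set the timeout to infinite", but the element names are missing from both the old and the new line ("a new tag \ was added to the \ section of the XML"), so the reader still cannot tell which XML elements are meant. The fix should restore the element names inside the code spans rather than only swap the delimiters; as written, the empty backticks render as nothing.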
@@ -99,12 +99,12 @@ Status of the application. Value type is string. Supported operation is Get. **MSI/*ProductID*/LastError** -The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. +The last error code during the application installation process. This error code is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this error could be the result of executing MSIExec.exe or the error result from an API that failed. Value type is string. Supported operation is Get. **MSI/*ProductID*/LastErrorDesc** -Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. +Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there's no LastErrorDesc returned. Value type is string. Supported operation is Get. @@ -112,7 +112,7 @@ Value type is string. Supported operation is Get. Added in the March service release of Windows 10, version 1607. **MSI/UpgradeCode/_Guid_** -Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when an Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. +Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when an administrator wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. Value type is string. Supported operation is Get. 
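Review bot: in the LastError hunk, "This error code is typically stored as an HRESULT format" is not idiomatic; "is typically an HRESULT" or "is stored in HRESULT format" reads correctly. The rewritten second sentence, "this error could be the result of executing MSIExec.exe or the error result from an API that failed", repeats "error" three times; "it may come from running MSIExec.exe or from an API call that failed" says the same thing.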
@@ -143,7 +143,7 @@ The following table describes the fields in the previous sample: | Name | Description | |--------|-------------------------------------------------------------------------------------------------------------------------------| | Get | Operation being performed. The Get operation is a request to return information. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor. | @@ -171,7 +171,7 @@ The following table describes the fields in the previous sample: | Name | Description | |--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Delete | Operation being performed. The Delete operation is a request to delete the CSP node that represents the specified MSI installed application and to perform and uninstall of the application as part of the process. | -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | 
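Review bot: changing "Responses will include this value which can be used to match request and response" to "this value that can be used" in the CmdID rows turns a non-restrictive clause into a restrictive one; the fix the sentence needs is a comma, not "that": "Responses will include this value, which can be used to match request and response." The Add row later in the same file already uses that form ("Responses include this value, which can be used"), so the table rows should match it. The unchanged Delete row's "to perform and uninstall of the application" should be "to perform an uninstall of the application".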
@@ -199,7 +199,7 @@ The following table describes the fields in the previous sample: | Name | Description | |--------|-----------------------| | Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application.| -| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | @@ -261,8 +261,8 @@ The following table describes the fields in the previous sample: |Name|Description| |--- |--- | -|Add|This is required to precede the Exec command.
            • CmdID - Input value used to reference the request. Responses include this value, which can be used to match the request and response.
            • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| -|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
            • CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.
            • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
            • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
            • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| +|Add|This field is required to precede the Exec command.
            • CmdID - Input value used to reference the request. Responses include this value, which can be used to match the request and response.
            • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.| +|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.
            • CmdID - Input value used to reference the request. Responses will include this value that can be used to match request and response.
            • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
            • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
            • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).| > [!Note] @@ -326,10 +326,10 @@ The following table MsiInstallJob describes the schema elements. |Element|Description| |--- |--- | -|MsiInstallJob|root element
              "Attribute: "id - the application identifier of the application being installed| +|MsiInstallJob|root element
              Attribute: "id" - the application identifier of the application being installed| |Product|child element of MsiInstallJob
              Attribute: “Version” – string representation of application version| |Download|child element of Product. Container for download configuration information.| -|ContentURLList|child element of Download. Contains list of 1 or more content download URL locators in the form of ContentURL elements.| +|ContentURLList|child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements.| |ContentURL|Location content should be downloaded from. Must be a property formatted URL that points to the .MSI file.| |Validation|Contains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content| |FileHash|SHA256 hash value of file content| @@ -341,7 +341,7 @@ The following table MsiInstallJob describes the schema elements. -Here is an example of a common response to a request +Here's an example of a common response to a request ```xml diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 38daca74a6..709013b0bd 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -19,7 +19,7 @@ The EnterpriseModernAppManagement configuration service provider (CSP) is used f > [!Note] > Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. -The following shows the EnterpriseModernAppManagement configuration service provider in tree format. +The following example shows the EnterpriseModernAppManagement configuration service provider in tree format. ```console ./Vendor/MSFT 
@@ -109,18 +109,18 @@ Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. - - PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but does not validate RequiresReinstall. + - PackageDetails - returns all inventory attributes of the package. This information includes all information from PackageNames parameter, but doesn't validate RequiresReinstall. - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. - Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business. - - nonStore - This classification is for apps that were not acquired from the Microsoft Store. - - System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried. + - nonStore - This classification is for apps that weren't acquired from the Microsoft Store. + - System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. 
- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: - Main - returns the main installed package. - Bundle - returns installed bundle packages. - Framework - returns installed framework packages. - - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle. + - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They're parts of a bundle. - XAP - returns XAP package types. This filter is only supported on Windows Mobile. - All - returns all package types. @@ -128,11 +128,11 @@ Query parameters: - PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. - If you do not specify this value, then all packages are returned. + If you don't specify this value, then all packages are returned. - Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. - If you do not specify this value, then all publishers are returned. + If you don't specify this value, then all publishers are returned. Supported operation is Get and Replace. @@ -161,8 +161,8 @@ Parameters:
            • Name: Specifies the PackageFullName of the particular package to remove.
            • RemoveForAllUsers:
                -
              • 0 (default) – Package will be un-provisioned so that new users do not receive the package. The package will remain installed for current users. This is not currently supported.
              • -
              • 1 – Package will be removed for all users only if it is a provisioned package.
              • +
              • 0 (default) – Package will be unprovisioned so that new users don't receive the package. The package will remain installed for current users. This option isn't currently supported.
              • +
              • 1 – Package will be removed for all users only if it's a provisioned package.
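Review bot: the RemoveForAllUsers hunk documents 0 as the default and, in the same line, says that option "isn't currently supported"; say what the node does when 0 is sent (request rejected, or package left provisioned for new users?) rather than leaving the default undefined. The query-parameter hunks earlier in this file also leave "Multiple value must be separate by |" (should be "Multiple values must be separated by |") and name the same Output option both "PackagesName" and "PackageNames"; pick one spelling.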
            @@ -189,7 +189,7 @@ The following example removes a package for all users: ```` **AppManagement/nonStore** -Used to manage enterprise apps or developer apps that were not acquired from the Microsoft Store. +Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. Supported operation is Get. @@ -210,7 +210,7 @@ Added in Windows 10, version 1809. Interior node for the managing updates throug > ReleaseManagement settings only apply to updates through the Microsoft Store. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_** -Added in Windows 10, version 1809. Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. +Added in Windows 10, version 1809. Identifier for the app or set of apps. If there's only one app, it's the PackageFamilyName. If it's for a set of apps, it's the PackageFamilyName of the main app. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId** @@ -237,7 +237,7 @@ Added in Windows 10, version 1809. Returns the last user release ID on the devic Value type is string. Supported operation is Get. **.../***PackageFamilyName* -Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. Supported operations are Get and Delete. 
@@ -323,7 +323,7 @@ Required. Date the app was installed. Value type is string. Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/ResourceID** -Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. +Required. Resource ID of the app. This value is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. > [!Note] > Not applicable to XAP files. @@ -334,10 +334,10 @@ Supported operation is Get. Required. Provides information about the status of the package. Value type is int. Valid values are: - OK (0) - The package is usable. -- LicenseIssue (1) - The license of the package is not valid. +- LicenseIssue (1) - The license of the package isn't valid. - Modified (2) - The package payload was modified by an unknown source. - Tampered (4) - The package payload was tampered intentionally. -- Disabled (8) - The package is not available for use. It can still be serviced. +- Disabled (8) - The package isn't available for use. It can still be serviced. > [!Note] > Not applicable to XAP files. 
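Review bot: the Status values in this hunk are 0, 1, 2, 4, 8, which reads as a bit mask, but the text only lists single values; state whether Status can be a combination (for example LicenseIssue and Modified together) or is always exactly one of the listed values, because an inventory consumer that compares for equality will miss combined states if it is a mask.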
@@ -345,7 +345,7 @@ Required. Provides information about the status of the package. Value type is in Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall** -Required. Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. +Required. Specifies whether the package state has changed and requires a reinstallation of the app. This change of status can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. > [!Note] > Not applicable to XAP files. @@ -386,7 +386,7 @@ Added in Windows 10, version 1511. Interior node for all managed app setting val **.../*PackageFamilyName*/AppSettingPolicy/***SettingValue* (only for ./User/Vendor/MSFT) Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. -This setting only works for apps that support the feature and it is only supported in the user context. +This setting only works for apps that support the feature and it's only supported in the user context. Value type is string. Supported operations are Add, Get, Replace, and Delete. 
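Review bot: the RequiresReinstall rewrite changes "This can occur" to "This change of status can occur" but leaves "It can also occur of the package was corrupted" two sentences later; that should be "if the package was corrupted". "This change of status" is also heavier than needed; "This can happen when new app resources are required" keeps the meaning.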
@@ -423,7 +423,7 @@ The following example gets all managed app settings for a specific app. ``` **.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate** -Added in Windows 10, version 1803. Specify whether on a AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. +Added in Windows 10, version 1803. Specify whether on an AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available. Supported operations are Add, Get, Delete, and Replace. Value type is integer. 
@@ -439,14 +439,14 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M **.../_PackageFamilyName_/NonRemovable** Added in Windows 10, version 1809. Specifies if an app is nonremovable by the user. -This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. +This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This setting is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This setting is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. -NonRemovable requires admin permission. This can only be set per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. +NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. Value type is integer. Supported operations are Add, Get, and Replace. Valid values: -- 0 – app is not in the nonremovable app policy list +- 0 – app isn't in the nonremovable app policy list - 1 – app is included in the nonremovable app policy list **Examples:** @@ -492,7 +492,7 @@ Get the status for a particular app ``` Replace an app in the nonremovable app policy list -Data 0 = app is not in the app policy list +Data 0 = app isn't in the app policy list Data 1 = app is in the app policy list ```xml 
@@ -519,7 +519,7 @@ Data 1 = app is in the app policy list Required node. Used to perform app installation. **AppInstallation/***PackageFamilyName* -Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. +Optional node. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. Supported operations are Get and Add. @@ -533,7 +533,7 @@ Required. Command to perform an install of an app and a license from the Microso Supported operation is Execute, Add, Delete, and Get. **AppInstallation/*PackageFamilyName*/HostedInstall** -Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). +Required. Command to perform an install of an app package from a hosted location (this location can be a local drive, a UNC, or https data source). The following list shows the supported deployment options: - ForceApplicationShutdown 
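Review bot: in the HostedInstall hunk, "(this location can be a local drive, a UNC, or https data source)" is still awkward after the edit; suggest "(the location can be a local drive, a UNC path, or an https data source)". The unchanged "Supported operation is Execute, Add, Delete, and Get" on the same node should be "Supported operations are".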
@@ -541,10 +541,10 @@ The following list shows the supported deployment options: - InstallAllResources - ForceTargetApplicationShutdown  - ForceUpdateToAnyVersion -- DeferRegistration="1". If the app is in use at the time of installation. This stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. +- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1. - StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803. - LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607. -- ValidateDependencies="1". This is used at provisioning/staging time. If it is set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies are not present. Available in the latest insider flight of 20H1. +- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1. - ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809. Supported operation is Execute, Add, Delete, and Get. 
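Review bot: the ValidateDependencies and DeferRegistration lines still say "Available in the latest insider flight of 20H1", which is stale now that 20H1 has shipped as Windows 10, version 2004; replace with the released version name like the neighbouring options (1607, 1803, 1809). The same line keeps the first-person "that we would normally do at registration time" in reference material; "that is normally performed at registration time" fits the rest of the page. Separately, `LicenseUri="\\server\license.lic"` is not in code font, so the doubled backslash renders as a single one in markdown; put it in backticks so the UNC path shows as written.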
@@ -555,7 +555,7 @@ Required. Last error relating to the app installation. Supported operation is Get. > [!Note] -> This element is not present after the app is installed. +> This element isn't present after the app is installed. 
@@ -565,30 +565,30 @@ Required. Description of last error relating to the app installation. Supported operation is Get. > [!Note] -> This element is not present after the app is installed. +> This element isn't present after the app is installed. **AppInstallation/*PackageFamilyName*/Status** Required. Status of app installation. The following values are returned: -- NOT\_INSTALLED (0) - The node was added, but the execution has not completed. -- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. +- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed. +- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, this value is updated. - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. -- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. +- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean-up action hasn't completed, this state may briefly appear. Supported operation is Get. > [!Note] -> This element is not present after the app is installed. +> This element isn't present after the app is installed. **AppInstallation/*PackageFamilyName*/ProgessStatus** -Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). +Required. An integer that indicates the progress of the app installation. For https locations, this integer indicates the download progress. ProgressStatus isn't available for provisioning and it's only for user-based installations. 
ProgressStatus value is always 0 (zero) in provisioning. Supported operation is Get. > [!Note] -> This element is not present after the app is installed. +> This element isn't present after the app is installed. **AppLicenses** @@ -617,7 +617,7 @@ Supported operation is Get. Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: - Unknown - usage is unknown -- Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. +- Online - the license is only valid for online usage. This license is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. - Offline - license is valid for use offline. You don't need a connection to the internet to use this license. - Enterprise Root - diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index f1dd261229..f3e01980bb 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md 
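Review bot: the hunk fixes the body text to "ProgressStatus" but the node heading above it still reads "AppInstallation/PackageFamilyName/ProgessStatus"; if the real node name is the misspelled one, say so, otherwise the heading needs the same fix or an MDM author will target the wrong URI. In the AppLicenses hunk, "applications with concurrence requirements" should be "concurrency requirements".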
@@ -12,12 +12,12 @@ ms.topic: conceptual --- # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. +The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. 
However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: - - [HPE’s Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - - [IDEMIA’s The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. 
As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: + - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 3ac910ac33..aea59b7da0 100644 --- a/windows/client-management/mdm/euiccs-csp.md 
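Review bot: the rewritten bullet still contains the same two sentences twice ("Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers ..." appears at the start and again in the middle); collapse to a single copy. The edit also turns "act as proxy handling MDM onboarding as well as mobile operator onboarding" into "act as proxy handling MDM onboarding and as a mobile operator onboarding", which no longer parses; suggest "act as a proxy, handling both MDM onboarding and mobile operator onboarding".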
+++ b/windows/client-management/mdm/euiccs-csp.md @@ -1,6 +1,6 @@ --- title: eUICCs CSP -description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. +description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,9 +14,9 @@ manager: dansimp # eUICCs CSP -The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. +The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. -The following shows the eUICCs configuration service provider in tree format. +The following example shows the eUICCs configuration service provider in tree format. ``` ./Device/Vendor/MSFT eUICCs 
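Review bot: the eUICCs intro hunk leaves "This CSP was added in windows 10, version 1709" with a lowercase product name; it should be "Windows 10" as elsewhere on the page. Also, "The following example shows the eUICCs configuration service provider in tree format" describes a node listing, not an example; the original "The following shows" was accurate.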
@@ -48,12 +48,12 @@ eUICCs Root node. **_eUICC_** -Interior node. Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. +Interior node. Represents information associated with an eUICC. There's one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, for example, this association could be an SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. Supported operation is Get. **_eUICC_/Identifier** -Required. Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. +Required. Identifies an eUICC in an implementation-specific manner, for example, this identification could be an SHA-256 hash of the EID. Supported operation is Get. Value type is string. 
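Review bot: both edited lines change "a SHA-256 hash" to "an SHA-256 hash"; SHA is read as a word, so "a SHA-256 hash" is the usual form and matches other Microsoft docs. "This association could be an SHA-256 hash" and "this identification could be" also shift the subject: it is the node name or identifier value that may be a hash, so "for example, a SHA-256 hash of the EID" is clearer in both places.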
@@ -63,7 +63,7 @@ Required. Indicates whether this eUICC is physically present and active. Updated Supported operation is Get. Value type is boolean. **_eUICC_/PPR1Allowed** -Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. +Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 isn't allowed. Supported operation is Get. Value type is boolean. @@ -88,7 +88,7 @@ Required. Current state of the discovery operation for the parent ServerName (Re Supported operation is Get. Value type is integer. Default value is 1. **_eUICC_/DownloadServers/_ServerName_/AutoEnable** -Required. Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. +Required. Indicates whether the discovered profile must be enabled automatically after install. This setting must be defined by the MDM when the ServerName subtree is created. Supported operations are Add, Get, and Replace. Value type is bool. @@ -133,7 +133,7 @@ Required. Determines whether the local user interface of the LUI is available (t Supported operations are Get and Replace. Value type is boolean. Default value is true. **_eUICC_/Actions** -Interior node. Required. Actions that can be performed on the eUICC as a whole (when it is active). +Interior node. Required. Actions that can be performed on the eUICC as a whole (when it's active). Supported operation is Get. 
diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 254ba46424..6dc5301d1b 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -14,7 +14,7 @@ ms.date: 07/28/2017 # Federated authentication device enrollment -This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call. +This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is used by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call. The `` element the discovery response message specifies web authentication broker page start URL. 
@@ -75,9 +75,9 @@ After the device gets a response from the server, the device sends a POST reques The following logic is applied: -1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. -2. If that fails, the device tries HTTP to see whether it is redirected: - - If the device is not redirected, it prompts the user for the server address. +1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. +2. If that fails, the device tries HTTP to see whether it's redirected: + - If the device isn't redirected, it prompts the user for the server address. - If the device is redirected, it prompts the user to allow the redirect. The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address 
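Review bot: "If the server cert isn't trusted by the device, the HTTPS fails" still reads oddly after the contraction change; "the HTTPS request fails" is what is meant. Since this list describes a downgrade to plain HTTP, keep the structure that makes the safeguard explicit: the HTTP step is only used to detect a redirect, and the user must approve that redirect before the device follows it.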
@@ -126,12 +126,12 @@ The discovery response is in the XML format and includes the following fields: - Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. - Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. -- In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. +- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. > [!Note] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. -When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. +When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. 
The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. > [!Note] > Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: 
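Review bot: the WAB hunk fixes "leveraged" but leaves "returned from WAB as an endpage" (should be "end page", matching "as an end page" earlier on the page), "server hosted web pages" (should be "server-hosted"), and "term of usage acceptance" in the preceding bullet (should be "terms of use acceptance"). The + line also breaks the paragraph after "get a security token." onto a new line, which is harmless in markdown but worth keeping as one paragraph for consistency with the original.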
@@ -157,12 +157,12 @@ AuthenticationServiceUrl?appru=&login_hint= ``` - `` is of the form ms-app://string -- `` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication. +- `` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign-in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication. After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter. > [!NOTE] -> To make an application compatible with strict Content Security Policy, it is usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed. +> To make an application compatible with strict Content Security Policy, it's usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed. ```html HTTP/1.1 200 OK 
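Review bot: the login_hint example reads "user@constoso.com" on both the - and + lines; the fictitious domain used everywhere else on the page is contoso.com, so fix the typo while this line is being touched.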
@@ -191,9 +191,9 @@ Content-Length: 556 ``` -The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string. +The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string. -The following example shows a response received from the discovery web service which requires authentication via WAB. +The following example shows a response received from the discovery web service that requires authentication via WAB. ```xml ` element defined in \[WSS\] section 5. The `` element must be a child of the `` element. - wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header. -As was described in the discovery response section, the inclusion of the `` element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `` element of `` and the enterprise server. 
+As was described in the discovery response section, the inclusion of the `` element is opaque to the enrollment client, and the client doesn't interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `` element of `` and the enterprise server. The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element. @@ -248,7 +248,7 @@ The `` element contains a base64-encoded string. The e - wsse:BinarySecurityToken/attributes/EncodingType: The `` EncodingType attribute must be `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary`. -The following is an enrollment policy request example with a received security token as client credential. +The following example is an enrollment policy request with a received security token as client credential. ```xml [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. 
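Review bot: in the -191 hunk the EncodingType URI is written inside a code span as `...wssecurity-secext-1.0.xsd\#base64binary`; backslashes are not escapes inside backticks, so the rendered page shows a literal `\#`. Drop the backslash here and in the identical URI in the -248 hunk. The same sentence keeps "Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded", which is ungrammatical; something like "Windows applies the binary (base64) encoding when it sends the token back to the enrollment server; in the form, the token is only HTML-encoded" says the same thing clearly.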
@@ -381,11 +381,11 @@ The following snippet shows the policy web service response. This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client. -The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully. +The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on, match the certificate template), the client can enroll successfully. 
-Note that the RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. +The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more information, see the Response section. -The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. +The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. > [!Note] > The policy service and the enrollment service must be on the same server; that is, they must have the same host name. 
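Review bot: changing "a number of AdditionalContext items" to "many AdditionalContext items" changes the meaning: the RST carries a few optional items (the line itself names DeviceType and Version), not many. Use "several" or "a set of" instead. In the preceding paragraph, the inserted comma in "the key length, hashing algorithm, and so on, match the certificate template" separates the subject from its verb; drop the comma after "and so on".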
@@ -485,13 +485,13 @@ The provisioning XML contains: - The requested certificates (required) - The DM client configuration (required) -The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there is one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. +The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. -Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. Additional root and intermediate CA certificates could be provisioned during an OMA DM session. +Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. More root and intermediate CA certificates could be provisioned during an OMA DM session. -When provisioning root and intermediate CA certificates, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning. +When root and intermediate CA certificates are being provisioned, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning. -Here is a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section. 
+Here's a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section. The following example shows the enrollment web service response. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 65b65a3326..a9735120d7 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md 
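Review bot: in the -485 hunk of the enrollment protocol page, "When root and intermediate CA certificates are being provisioned, the supported CSP node path is" is wordier than the line it replaces ("When provisioning root and intermediate CA certificates"); the original active phrasing is clearer and does not need rewriting. Also "CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning" reads better as two sentences or a two-item list, since the colon introduces two different paths.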
@@ -14,13 +14,13 @@ manager: dansimp # Firewall configuration service provider (CSP) -The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. -For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac). +For detailed information on some of the fields below, see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac). -The following shows the Firewall configuration service provider in tree format. +The following example shows the Firewall configuration service provider in tree format. ``` ./Vendor/MSFT Firewall @@ -113,11 +113,11 @@ Firewall
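Review bot: "This CSP was added Windows 10, version 1709" is missing "in" in both the removed and the added line; fix it while this paragraph is being rewritten. "Using the Firewall CSP the IT admin can now manage non-domain devices" also needs a comma after "CSP".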

            Supported operations are Get.

            **MdmStore/Global/PolicyVersionSupported** -

            Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

            +

            Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.

            Value type in integer. Supported operation is Get.

            **MdmStore/Global/CurrentProfiles** -

            Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

            +

            Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it's not merged and has no merge law.

            Value type in integer. Supported operation is Get.
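Review bot: the unchanged context lines "Value type in integer. Supported operation is Get." under PolicyVersionSupported and CurrentProfiles should read "Value type is integer", matching every other node in this hunk; worth fixing in the same sweep.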

            **MdmStore/Global/DisableStatefulFtp** @@ -126,40 +126,40 @@ Firewall

            Data type is bool. Supported operations are Add, Get, Replace, and Delete.

            **MdmStore/Global/SaIdleTime** -

            This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

            +

            This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

            Default value is 300.

            Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            **MdmStore/Global/PresharedKeyEncoding** -

            Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

            +

            Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

            Default value is 1.

            Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            **MdmStore/Global/IPsecExempt** -

            This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

            +

            This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

            Default value is 0.

            Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            **MdmStore/Global/CRLcheck** -

            This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:

            +

            This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value. Valid valued:

            • 0 disables CRL checking
            • -
            • 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
            • +
            • 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail.
            • 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing

            Default value is 0.

            Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            **MdmStore/Global/PolicyVersion** -

            This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

            +

            This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.

            Value type is string. Supported operation is Get.

            **MdmStore/Global/BinaryVersionSupported** -

            This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

            +

            This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

            Value type is string. Supported operation is Get.

            **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -

            This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

            +

            This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

            Boolean value. Supported operations are Add, Get, Replace, and Delete.
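Review bot: the added CRLcheck line still ends with "Valid valued:"; it should be "Valid values:". In the OpportunisticallyMatchAuthSetPerKM line, the first "don't" was normalised but the second still uses a curly apostrophe ("don’t"), so the contraction sweep is inconsistent within one sentence.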

            **MdmStore/Global/EnablePacketQueue** @@ -184,12 +184,12 @@ Firewall

            Interior node. Supported operation is Get.

            **/EnableFirewall** -

            Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

            +

            Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

            Default value is true.

            Value type is bool. Supported operations are Add, Get and Replace.

            **/DisableStealthMode** -

            Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

            +

            Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

            Default value is false.

            Value type is bool. Supported operations are Add, Get and Replace.

            @@ -199,22 +199,22 @@ Firewall

            Value type is bool. Supported operations are Get and Replace.

            **/DisableUnicastResponsesToMulticastBroadcast** -

            Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

            +

            Boolean value. If it's true, unicast responses to multicast broadcast traffic are blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

            Default value is false.

            Value type is bool. Supported operations are Add, Get and Replace.

            **/DisableInboundNotifications** -

            Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

            +

            Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

            Default value is false.

            Value type is bool. Supported operations are Add, Get and Replace.

            **/AuthAppsAllowUserPrefMerge** -

            Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

            +

            Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

            Default value is true.

            Value type is bool. Supported operations are Add, Get and Replace.

            **/GlobalPortsAllowUserPrefMerge** -

            Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

            +

            Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

            Default value is true.

            Value type is bool. Supported operations are Add, Get and Replace.
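Review bot: the added DisableInboundNotifications line still says "If this value is false ... If this value is on"; for a boolean node "on" should be "true". The GlobalPortsAllowUserPrefMerge line also keeps "let the value GroupPolicyRSoPStore win", missing "of the" ("the value of the GroupPolicyRSoPStore"), unlike the sibling nodes in this hunk.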

            @@ -229,7 +229,7 @@ Firewall

            Value type is bool. Supported operations are Add, Get and Replace.

            **/DefaultOutboundAction** -

            This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.

            +

            This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block.

            • 0x00000000 - allow
            • 0x00000001 - block
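Review bot: "DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block" reads as though the node always blocks, but the value list directly below it shows 0x00000000 allow and 0x00000001 block. Tie the behaviour to the value, for example "When set to 0x00000001 (block), outbound traffic is blocked unless a rule explicitly allows it."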
            • @@ -262,7 +262,7 @@ Sample syncxml to provision the firewall settings to evaluate ``` **/DefaultInboundAction** -

              This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

              +

              This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.

              • 0x00000000 - allow
              • 0x00000001 - block
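Review bot: DefaultInboundAction keeps the stray period in "GroupPolicyRSoPStore.win" in both the removed and the added line; it should be "GroupPolicyRSoPStore win", as in every other merge-law sentence on this page.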
              • @@ -271,7 +271,7 @@ Sample syncxml to provision the firewall settings to evaluate

                Value type is integer. Supported operations are Add, Get and Replace.

                **/DisableStealthModeIpsecSecuredPacketExemption** -

                Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                +

                Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

                Default value is true.

                Value type is bool. Supported operations are Add, Get and Replace.

                @@ -306,7 +306,7 @@ Sample syncxml to provision the firewall settings to evaluate

                Value type is string. Supported operations are Add, Get, Replace, and Delete.

                **FirewallRules/_FirewallRuleName_/App/ServiceName** -

                This is a service name used in cases when a service, not an application, is sending or receiving traffic.

                +

                This parameter is a service name used in cases when a service, not an application, is sending or receiving traffic.

                Value type is string. Supported operations are Add, Get, Replace, and Delete.

                **FirewallRules/_FirewallRuleName_/Protocol** @@ -325,9 +325,9 @@ Sample syncxml to provision the firewall settings to evaluate

                Value type is string. Supported operations are Add, Get, Replace, and Delete.

                **FirewallRules/*FirewallRuleName*/LocalAddressRanges** -

                Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

                +

                Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

                  -
                • "*" indicates any local address. If present, this must be the only token included.
                • +
                • "*" indicates any local address. If present, the local address must be the only token included.
                • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
                • A valid IPv6 address.
                • An IPv4 address range in the format of "start address - end address" with no spaces included.
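Review bot: the rewrite of the "*" bullet changes its meaning: "If present, the local address must be the only token included" now says the local address is the only token, whereas the original "this" referred to the "*" wildcard. Suggest "If present, "*" must be the only token in the list."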
                • @@ -339,7 +339,7 @@ Sample syncxml to provision the firewall settings to evaluate **FirewallRules/*FirewallRuleName*/RemoteAddressRanges**

                  List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:

                    -
                  • "*" indicates any remote address. If present, this must be the only token included.
                  • +
                  • "*" indicates any remote address. If present, the address must be the only token included.
                  • "Defaultgateway"
                  • "DHCP"
                  • "DNS"
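Review bot: same problem as in LocalAddressRanges: "If present, the address must be the only token included" should say that the "*" token must be the only one in the list. The unchanged lead line "List of comma separated tokens" is also inconsistent with the "Comma-separated" hyphenation applied a few lines up.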
                  • @@ -348,7 +348,7 @@ Sample syncxml to provision the firewall settings to evaluate
                  • "RmtIntranet"
                  • "Internet"
                  • "Ply2Renders"
                  • -
                  • "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
                  • +
                  • "LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive.
                  • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
                  • A valid IPv6 address.
                  • An IPv4 address range in the format of "start address - end address" with no spaces included.
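Review bot: the context line "If neither a subnet mask not a network prefix is specified" should read "nor"; the LocalAddressRanges version of the same bullet already has it right, so fix this one too.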
                  • @@ -411,7 +411,7 @@ Sample syncxml to provision the firewall settings to evaluate

                    Value type is bool. Supported operations are Add, Get, Replace, and Delete.

                    **FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -

                    Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.

                    +

                    Specifies the list of authorized local users for this rule. This list is a string in Security Descriptor Definition Language (SDDL) format.

                    Value type is string. Supported operations are Add, Get, Replace, and Delete.

                    **FirewallRules/_FirewallRuleName_/Status** diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index d7167f4626..5f70d09f93 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -1,6 +1,6 @@ --- title: Get seats assigned to a user -description: The Get seats assigned to a user operation retrieves information about assigned seats in the Micosoft Store for Business. +description: The Get seats assigned to a user operation retrieves information about assigned seats in the Microsoft Store for Business. ms.assetid: CB963E44-8C7C-46F9-A979-89BBB376172B ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get seats assigned to a user -The **Get seats assigned to a user** operation retrieves information about assigned seats in the Micosoft Store for Business. +The **Get seats assigned to a user** operation retrieves information about assigned seats in the Microsoft Store for Business. ## Request @@ -39,7 +39,7 @@ The following parameters may be specified in the request URI. ### Response body -The response body contain [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). +The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). |Error code|Description|Retry|Data field| |--- |--- |--- |--- | diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 2513599a28..4933026bdc 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md 
@@ -16,7 +16,7 @@ ms.date: The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions. -The following is a list of functions performed by the Device HealthAttestation CSP: +The following list is a description of the functions performed by the Device HealthAttestation CSP: - Collects device boot logs, Trusted Platform Module (TPM) audit trails and the TPM certificate (DHA-BootData) from a managed device - Forwards DHA-BootData to a Device Health Attestation Service (DHA-Service) 
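Review bot: The replacement "The following list is a description of the functions performed by the Device HealthAttestation CSP:" is wordier than the original without being clearer. A plainer lead-in for the bulleted list that follows would be "The Device HealthAttestation CSP performs the following functions:".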
@@ -25,7 +25,7 @@ The following is a list of functions performed by the Device HealthAttestation C ## Windows 11 Device health attestation -Windows 11 introduces an update to the device health attestation feature. This helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces additional child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. +Windows 11 introduces an update to the device health attestation feature. This update helps add support for deeper insights to Windows boot security, supporting a zero trust approach to device security. Device health attestation on Windows can be accessed by using the HealthAttestation CSP. This CSP helps assess if a device is booted to a trusted and compliant state and then to take appropriate action. Windows 11 introduces more child nodes to the HealthAttestation node for the MDM providers to connect to the Microsoft Azure Attestation service, which provides a simplified approach to attestation. The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. 
@@ -48,7 +48,7 @@ The attestation report provides a health assessment of the boot-time properties - **MAA endpoint**: Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint. -- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair. +- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it's digitally signed. JWTs can be signed using a secret or a public/private key pair. ### Attestation Flow with Microsoft Azure Attestation Service 
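Review bot: The unchanged MAA endpoint bullet just above the JWT change still reads "every instance of the service gets administrator configured URL", which is missing an article and a hyphen; while in this hunk, change it to "gets an administrator-configured URL". The JWT line change ("because it's digitally signed") is fine.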
@@ -126,9 +126,9 @@ Data fields: - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. - serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. -- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. +- nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. - aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service. -- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes. +- cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes. Sample Data: @@ -182,7 +182,7 @@ Example: 0x80072efd, WININET_E_CANNOT_CONNECT Node type: GET -This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. +This node will retrieve the attestation report per the call made by the TriggerAttestation, if there's any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. Templated SyncML Call: 
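Review bot: The cv bullet is being rewritten but keeps the missing space in "identifier(Correlation Vector)"; make the whole line "- cv: This field contains an identifier (Correlation Vector) that will be passed in to the service call and that can be used for diagnostic purposes." Fixing the verb while leaving the adjacent typo in the same line means another pass later.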
@@ -217,7 +217,7 @@ OR Sync ML 404 error if not cached report available. Node type: GET -This node will retrieve the service-generated correlation IDs for the given MDM provider. If there is more than one correlation ID, they are separated by “;” in the string. +This node will retrieve the service-generated correlation IDs for the given MDM provider. If there's more than one correlation ID, they're separated by “;” in the string. Templated SyncML Call: @@ -249,7 +249,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo ``` > [!NOTE] -> > MAA CSP nodes are available on arm64 but is not currently supported. +> > MAA CSP nodes are available on arm64 but isn't currently supported. ### MAA CSP Integration Steps @@ -372,7 +372,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); - [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present + [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it's not present //Finding the Boot App SVN // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR 
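Review bot: The NOTE hunk fixes the contraction but keeps a subject-verb mismatch: "MAA CSP nodes are available on arm64 but isn't currently supported." The subject is plural, so it should be "aren't currently supported". The doubled blockquote marker "> >" on that line also renders as a nested quote inside the NOTE callout and should be a single ">".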
@@ -490,7 +490,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. - - DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. + - DHA-SignedBlob: it's a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts: - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service 
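Review bot: In the DHA-SignedBlob bullet, "it's a signed snapshot" breaks the parallelism of the neighbouring definitions ("DHA-BootData: the device boot data", "DHA-EncBlob: an encrypted summary report"); drop the pronoun so the line reads "- DHA-SignedBlob: a signed snapshot of the current state of a device's runtime that is captured by DHA-CSP at device health attestation time."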
@@ -510,7 +510,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes - Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification - Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action -- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed. +- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties can't be spoofed. The following list of operations is performed by DHA-CSP: @@ -535,8 +535,8 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes |DHA-Service type|Description|Operation cost| |--- |--- |--- | |Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
                  • Available in Windows for free
                  • Running on a high-availability and geo-balanced cloud infrastructure
                  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
                  • Accessible to all enterprise-managed devices via following:
                    • FQDN = has.spserv.microsoft.com port
                    • Port = 443
                    • Protocol = TCP|No cost
                  • | -|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
                  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
                  • Hosted on an enterprise owned and managed server device/hardware
                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                  • Accessible to all enterprise-managed devices via following:
                    • FQDN = (enterprise assigned)
                    • Port = (enterprise assigned)
                    • Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
                  • | -|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
                  • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                  • Accessible to all enterprise-managed devices via following:
                    • FQDN = (enterprise assigned)
                    • Port = (enterprise assigned)
                    • Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
                  • | +|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
                  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
                  • Hosted on an enterprise owned and managed server device/hardware
                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                  • Accessible to all enterprise-managed devices via following settings:
                    • FQDN = (enterprise assigned)
                    • Port = (enterprise assigned)
                    • Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
                  • | +|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
                  • Offered to Windows Server 2016 customers with no extra licensing cost (no added licensing cost for enabling/running DHA-Service)
                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                  • Accessible to all enterprise-managed devices via following settings:
                    • FQDN = (enterprise assigned)
                    • Port = (enterprise assigned)
                    • Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
                  • | ### CSP diagram and node descriptions @@ -578,7 +578,7 @@ The following list shows some examples of supported values. For the complete lis - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device -- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes +- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes - 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup **ForceRetrieve** (Optional) @@ -609,7 +609,7 @@ Value type is integer, the minimum value is - 2,147,483,648 and the maximum valu **HASEndpoint** (Optional) -Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. +Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN isn't assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com. 
@@ -638,7 +638,7 @@ Each step is described in detail in the following sections of this topic. Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). -You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service: +You can use OpenSSL to validate access to DHA-Service. Here's a sample OpenSSL command and the response that was generated by DHA-Service: ```console PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443 @@ -736,7 +736,7 @@ The following example shows a sample call that triggers collection and verificat ``` -### Step 4: Take action based on the clients response +### Step 4: Take action based on the client's response After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. @@ -744,7 +744,7 @@ After the client receives the health attestation request, it sends a response. T - If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section. - If the response is HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED (0) wait for an alert, then proceed to the next section. -Here is a sample alert that is issued by DHA_CSP: +Here's a sample alert that is issued by DHA_CSP: ```xml 
@@ -762,14 +762,14 @@ Here is a sample alert that is issued by DHA_CSP: ``` -- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). +- If the response to the status node isn't 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). ### Step 5: Instruct the client to forward health attestation data for verification Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. -Here is an example: +Here's an example: ```xml @@ -876,7 +876,7 @@ The following list of data points is verified by the DHA-Service in DHA-Report v \*\* Reports if BitLocker was enabled during initial boot. \*\*\* The "Hybrid Resume" must be disabled on the device. Reports first-party ELAM "Defender" was loaded during boot. -Each of these are described in further detail in the following sections, along with the recommended actions to take. +Each of these data points is described in further detail in the following sections, along with the recommended actions to take. **Issued** 
@@ -907,7 +907,7 @@ This attribute reports the number of times a PC device has rebooted. A device can be trusted more if the DEP Policy is enabled on the device. -Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. +Data Execution Prevention (DEP) Policy defines a set of hardware and software technologies that perform extra checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: 
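Review bot: The DEP rewrite fixes "defines is a set" but leaves the second sentence untouched: "Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on." That is the sentence a reader actually stumbles on, since it is unclear what "a limited list" refers to and what "locks it to on" means. Suggest rewording it to state the intended fact explicitly (for example, which DEP policy values are permitted on x86/amd64 and that the OS forces DEP on for ARM, if that is what was meant) rather than leaving it alongside the polished first sentence.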
@@ -927,9 +927,9 @@ If DEPPolicy = 0 (Off), then take one of the following actions that align with y When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. -Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. +Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer isn't tampered with, even if it's left unattended, lost, or stolen. -If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. +If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM has verified the state of the computer. If BitLockerStatus = 1 (On), then allow access. 
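Review bot: The BitLocker paragraph rewrite keeps the stray comma between subject and verb in "Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume."; delete the comma. The TPM sentence change ("the keys can't be accessed until the TPM has verified the state of the computer") is fine.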
@@ -955,7 +955,7 @@ If BootManagerRevListVersion != [CurrentVersion], then take one of the following **CodeIntegrityRevListVersion** -This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action. +This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it's exposed to security risks (revoked), and enforce an appropriate policy action. If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. @@ -968,7 +968,7 @@ If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the followi **SecureBootEnabled** -When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot. +When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this requirement before it lets the machine start. If any files have been tampered with, breaking their signature, the system won't boot. If SecureBootEnabled = 1 (True), then allow access. 
@@ -1014,7 +1014,7 @@ If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions t When code integrity is enabled, code execution is restricted to integrity verified code. -Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. +Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. @@ -1029,7 +1029,7 @@ If CodeIntegrityEnabled = 0 (False), then take one of the following actions that **TestSigningEnabled** -When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. +When test signing is enabled, the device doesn't enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: 
@@ -1116,7 +1116,7 @@ This attribute identifies the security version number of the Boot Application th If reported BootAppSVN equals an accepted value, then allow access. -If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +If reported BootAppSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -1127,7 +1127,7 @@ This attribute identifies the security version number of the Boot Manager that w If reported BootManagerSVN equals an accepted value, then allow access. -If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +If reported BootManagerSVN doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -1142,7 +1142,7 @@ This attribute identifies the version of the TPM that is running on the attested Based on the reply you receive from TPMVersion node: - If reported TPMVersion equals an accepted value, then allow access. -- If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +- If reported TPMVersion doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. 
@@ -1150,13 +1150,13 @@ Based on the reply you receive from TPMVersion node: The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer. -Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison. +Enterprise managers can create an allowlist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allowlist, and then make a trust decision based on the result of the comparison. -If your enterprise does not have a allow list of accepted PCR[0] values, then take no action. +If your enterprise doesn't have an allowlist of accepted PCR[0] values, then take no action. -If PCR[0] equals an accepted allow list value, then allow access. +If PCR[0] equals an accepted allowlist value, then allow access. -If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies: +If PCR[0] doesn't equal any accepted listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. 
@@ -1165,9 +1165,9 @@ If PCR[0] does not equal any accepted listed value, then take one of the followi SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs. -If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +If SBCPHash isn't present, or is an accepted allow-listed value, then allow access. -If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: +If SBCPHash is present in DHA-Report, and isn't an allowlisted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. @@ -1176,9 +1176,9 @@ If SBCPHash is present in DHA-Report, and is not an allow-listed value, then tak This attribute indicates the Code Integrity policy that is controlling the security of the boot environment. -If CIPolicy is not present, or is an accepted allow-listed value, then allow access. +If CIPolicy isn't present, or is an accepted allow-listed value, then allow access. -If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: +If CIPolicy is present and isn't an allow-listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. 
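Review bot: The SBCPHash and CIPolicy hunks leave the allowlist spelling inconsistent: the "+" lines keep "an accepted allow-listed value" in both allow cases, switch to "isn't an allowlisted value" in the SBCPHash deny case, and keep "isn't an allow-listed value" in the CIPolicy deny case. The PCR[0] hunk just above standardized on "allowlist", so use "allowlisted" (no hyphen) on all four lines.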
@@ -1189,7 +1189,7 @@ This attribute identifies the Boot Revision List that was loaded during initial If reported BootRevListInfo version equals an accepted value, then allow access. -If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +If reported BootRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -1200,7 +1200,7 @@ This attribute identifies the Operating System Revision List that was loaded dur If reported OSRevListInfo version equals an accepted value, then allow access. -If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: +If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. 
@@ -1209,12 +1209,12 @@ If reported OSRevListInfo version does not equal an accepted value, then take on HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation. -In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. +If an issue is detected, a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. ### Device HealthAttestation CSP status and error codes Error code: 0 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED -Error description: This is the initial state for devices that have never participated in a DHA-Session. +Error description: This state is the initial state for devices that have never participated in a DHA-Session. Error code: 1 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED Error description: This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. 
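Review bot: "Error description: This state is the initial state for devices that have never participated in a DHA-Session." is circular; a cleaner fix is "Error description: Initial state for devices that have never participated in a DHA-Session." The HealthStatusMismatchFlags rewrite reads well, but the unchanged context line above it is still missing its article and should start "The HealthStatusMismatchFlags attribute appears if...".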
@@ -1241,13 +1241,13 @@ Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL Error description: Deprecated in Windows 10, version 1607. Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION -Error description: Invalid TPM version (TPM version is not 1.2 or 2.0) +Error description: Invalid TPM version (TPM version isn't 1.2 or 2.0) Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL -Error description: Nonce was not found in the registry. +Error description: Nonce wasn't found in the registry. Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL -Error description: Correlation ID was not found in the registry. +Error description: Correlation ID wasn't found in the registry. Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL Error description: Deprecated in Windows 10, version 1607. @@ -1331,7 +1331,7 @@ Error code: 400 | Error name: Bad_Request_From_Client Error description: DHA-CSP has received a bad (malformed) attestation request. Error code: 404 | Error name: Endpoint_Not_Reachable -Error description: DHA-Service is not reachable by DHA-CSP +Error description: DHA-Service isn't reachable by DHA-CSP ### DHA-Report V3 schema @@ -1473,6 +1473,10 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio ``` +## Security Considerations +DHA anchors its trust in the TPM and its measurements. If TPM measurements can be spoofed or tampered, DHA can't provide any guarantee of device health for that device. +For more information, see [PC Client TPM Certification](https://trustedcomputinggroup.org/resource/pc-client-tpm-certification/). + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) 
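Review bot: The new Security Considerations section stops at TPM spoofing and should also point readers to the checks this page already documents on the DHA-Service side, because those are what a relying party actually acts on: the nonce (error 10, HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL, "Nonce wasn't found in the registry") ties a report to one VerifyHealth session so a previously valid report can't simply be resubmitted, and HealthStatusMismatchFlags lists the DHA-report elements whose integrity didn't match the DHA-Data submitted for validation. A sentence such as "Always validate the nonce and inspect HealthStatusMismatchFlags before granting access based on a report" would close that loop. Also, "spoofed or tampered" should read "spoofed or tampered with".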
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 396d3ea018..35bed03a19 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md 
@@ -20,7 +20,7 @@ The Windows version of mobile application management (MAM) is a lightweight solu MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  -MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. 
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. 
@@ -28,7 +28,7 @@ Regular non-admin users can enroll to MAM.  ## Integration with Windows Information Protection -MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.  +MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.  To make applications WIP-aware, app developers need to include the following data in the app resource file. 
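Review bot: The comma added after "therefore" in "and therefore, it's safe for Windows to protect data on their behalf" breaks the clause unnecessarily; keep the original punctuation ("and therefore it's safe for Windows ...").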
@@ -42,22 +42,25 @@ To make applications WIP-aware, app developers need to include the following dat ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: -MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. 
Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  +MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. + +> [!NOTE] +> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  ## MAM enrollment MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  Below are protocol changes for MAM enrollment:  -- MDM discovery is not supported. +- MDM discovery isn't supported. - APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional. -- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. +- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. 
Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. -Here is an example provisioning XML for MAM enrollment. +Here's an example provisioning XML for MAM enrollment. ```xml 
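Review bot: "With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support ..." is harder to parse than the original "Starting with"; suggest "In Windows 10, version 1703 and later, the same cloud-based Management MDM app supports both MDM and MAM enrollments." While the [MS-XCEP] bullet is being edited, "one-way SSL" should read "TLS", and since the bullet states that there is no client authentication certificate, the Azure AD token is the only proof of client identity on a policy sync; the text should say explicitly that the server must validate that token on every sync, not merely "use" it.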
@@ -97,10 +100,10 @@ MAM on Windows supports the following configuration service providers (CSPs). Al MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. -We do not recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: +We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: -- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS. -- If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights. +- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies, and reports compliance with EAS. +- If the device is found to be compliant, EAS will report compliance with the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance doesn't require device admin rights. - If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights. - If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM and EAS, and the resultant set of policies will be a superset of both. 
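Review bot: Replacing "reports compliance to EAS" with "reports compliance with EAS" (and "report compliance to the server" with "report compliance with the server") changes the meaning rather than the style: in the original, "to" names the recipient of the compliance report (Windows reports to EAS; EAS reports to the server), whereas "compliance with" says what the device complies with. Keep "to" in both bullets; the bullets already say what is being complied with ("compliant with the configured EAS policies").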
@@ -110,10 +113,10 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to ## Change MAM enrollment to MDM -Windows does not support applying both MAM and MDM policies to the same devices. If configured by the admin, a user can change his MAM enrollment to MDM. +Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM. > [!NOTE] -> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we do not recommend pushing MDM policies to enable users to upgrade. +> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade. To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment. 
@@ -123,11 +126,11 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f - EDP CSP Enterprise ID is the same for both MAM and MDM. - EDP CSP RevokeOnMDMHandoff is set to false. -If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected. +If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected. ## Skype for Business compliance with MAM -We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature. +We've updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature. |Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products| |--- |--- |--- |--- | diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index bf8ff417c4..7fe9cd95eb 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md 
@@ -22,7 +22,7 @@ There are two parts to the Windows management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). ## MDM security baseline 
@@ -52,7 +52,7 @@ For information about the MDM policies defined in the Intune security baseline, ## Learn about migrating to MDM -When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy settings in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf). +When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy setting in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf). ## Learn about device enrollment diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 408691f2ed..d210a1ee7e 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md 
@@ -46,13 +46,13 @@ The Store for Business provides services that enable a management tool to synchr ### Offline-licensed application distribution -The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. +The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. ![business store offline app distribution.](images/businessstoreportalservices2.png) ### Online-licensed application distribution -The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application. +The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application. ![business store online app distribution.](images/businessstoreportalservices3.png) 
@@ -85,7 +85,7 @@ Here are the details for requesting an authorization token: ## Using the management tool -After registering your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns: +After you register your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns: - First the ability to get new or updated applications. - Second the ability to assign or reclaim applications. diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index e475077509..632623eed5 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -24,7 +24,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l ## Connect corporate-owned Windows 10-based devices -You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. +You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. ![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) 
@@ -33,11 +33,11 @@ You can connect corporate-owned devices to work by either joining the device to Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app. > [!NOTE] -> Mobile devices cannot be connected to an Active Directory domain. +> Mobile devices can't be connected to an Active Directory domain. ### Out-of-box-experience -Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) is not supported. To join a domain: +Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: 1. On the **Who Owns this PC?** page, select **My work or school owns it**. 
@@ -81,14 +81,14 @@ To create a local account and connect the device: ### Help with connecting to an Active Directory domain -There are a few instances where your device cannot be connected to an Active Directory domain. +There are a few instances where your device can't be connected to an Active Directory domain. | Connection issue | Description | |-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. | -| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. | -| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. You’ll need to switch to an administrator account to continue. | -| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Active Directory domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | +| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | +| Your device is running Windows 10 Home. 
| This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | 
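Review bot: The "standard user" row of this table still says the device "can only be connected to an Azure AD domain if you're logged in as an administrative user", but this table is the "Help with connecting to an Active Directory domain" one (the Azure AD table later in the file has the same row); since the row is being rewritten in this hunk, change it to "an Active Directory domain".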
@@ -108,11 +108,11 @@ To join a domain: ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png) -3. Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services. +3. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. - If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly on this page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. + If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. 
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. ![azure ad signin.](images/unifiedenrollment-rs1-13.png) 
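Review bot: "This username is the email address you use to log into Microsoft Office 365" is an awkward expansion of "This is"; suggest "Enter the email address you use to sign in to Microsoft Office 365 and similar services." A later hunk in this file changes "log out" to "sign out", so "log into" here should become "sign in to" for consistency with that change.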
@@ -136,43 +136,43 @@ To create a local account and connect the device: ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) -5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**. +5. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) -6. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. +6. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) -7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. +7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). 
If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username. + After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) ### Help with connecting to an Azure AD domain -There are a few instances where your device cannot be connected to an Azure AD domain. +There are a few instances where your device can't be connected to an Azure AD domain. | Connection issue | Description | |-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | -| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. 
| -| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You cannot connect to both simultaneously. | -| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. You’ll need to switch to an administrator account to continue. | +| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | +| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | -| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Azure AD domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | +| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | ## Connect personally owned devices -Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. 
Windows 10 does not require a personal Microsoft account on devices to connect to work or school. +Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. ### Connect to a work or school account 
@@ -194,17 +194,17 @@ To create a local account and connect the device: ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) -4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. +4. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) -5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. +5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. 
For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up. + Starting in Windows 10, version 1709, you'll see the status page that shows the progress of your device being set up. ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) @@ -240,9 +240,9 @@ To create a local account and connect the device: ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) -6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. +6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen. ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) 
@@ -255,10 +255,10 @@ There are a few instances where your device may not be able to connect to work. | Error Message | Description | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | -| We could not find your identity in your organization’s cloud. | The username you entered was not found on your Azure AD tenant. | +| We couldn't find your identity in your organization’s cloud. | The username you entered wasn't found on your Azure AD tenant. | | Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Endpoint Configuration Manager. | -| You don’t have the right privileges to perform this operation. Please talk to your admin. | You cannot enroll your device into MDM as a standard user. You must be on an administrator account. | -| We couldn’t auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +| You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | +| We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. 
| ## Connect your Windows 10-based device to work using a deep link 
@@ -277,10 +277,10 @@ The deep link used for connecting your device to work will always use the follow | mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory Joined (AADJ). | |username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | | servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| -| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | -| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID | -| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | -| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | +| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | +| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. Added in Windows 10, version 1703. 
| GUID | +| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | +| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | > [!NOTE] > AWA and AADJ values for mode are only supported on Windows 10, version 1709 and later. @@ -291,13 +291,13 @@ The deep link used for connecting your device to work will always use the follow > [!NOTE] > Deep links only work with Internet Explorer or Microsoft Edge browsers. When connecting to MDM using a deep link, the URI you should use is: > **ms-device-enrollment:?mode=mdm** -> **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=** +> **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=<`https://example.server.com`>** To connect your devices to MDM using deep links: 1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**: - (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) + (This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) - IT admins can add this link to a welcome email that users can select to enroll into MDM. 
@@ -311,7 +311,7 @@ To connect your devices to MDM using deep links: ![set up a work or school account screen](images/deeplinkenrollment3.png) -3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. +3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. After you complete the flow, your device will be connected to your organization's MDM. 
@@ -326,15 +326,15 @@ To manage your work or school connections, select **Settings** > **Accounts** > ### Info -The **Info** button can be found on work or school connections involving MDM. This includes the following scenarios: +The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios: - Connecting your device to an Azure AD domain that has auto-enroll into MDM configured. - Connecting your device to a work or school account that has auto-enroll into MDM configured. - Connecting your device to MDM. -Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which forces your device to communicate to the MDM server and fetch any updates to policies if needed. +Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. -Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot. +Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. ![work or school info.](images/unifiedenrollment-rs1-35-b.png) 
@@ -343,10 +343,10 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a ### Disconnect -The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this: +The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this functionality: -- Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. -- On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device. +- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. +- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device. > [!WARNING] > Disconnecting might result in the loss of data on the device. 
@@ -356,7 +356,7 @@ The **Disconnect** button can be found on all work connections. Generally, selec You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files. -Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here. +Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report, as shown here. ![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 10c37d020b..7a55677360 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md 
@@ -33,7 +33,7 @@ The enrollment process includes the following steps: ## Enrollment protocol -There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +There are many changes made to the enrollment protocol to better support various scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). The enrollment process involves the following steps: @@ -56,7 +56,7 @@ The following topics describe the end-to-end enrollment process using various au - [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) > [!Note] -> As a best practice, do not use hardcoded server-side checks on values such as: +> As a best practice, don't use hardcoded server-side checks on values such as: > - User agent string > - Any fixed URIs that are passed during enrollment > - Specific formatting of any value unless otherwise noted, such as the format of the device ID. 
@@ -67,11 +67,11 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v ## Disable MDM enrollments -In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. +In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. With the GP editor being used, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. ![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) -Here is the corresponding registry key: +Here's the corresponding registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM @@ -79,10 +79,10 @@ Value: DisableRegistration ## Enrollment scenarios not supported -The following scenarios do not allow MDM enrollments: +The following scenarios don't allow MDM enrollments: -- Built-in administrator accounts on Windows desktop cannot enroll into MDM. -- Standard users cannot enroll in MDM. Only admin users can enroll. +- Built-in administrator accounts on Windows desktop can't enroll into MDM. +- Standard users can't enroll in MDM. Only admin users can enroll. ## Enrollment error messages @@ -128,7 +128,7 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma - **Namespace**: `s:` - **Subcode**: Authorization - **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR - - **Description**: The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. + - **Description**: The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. - **HRESULT**: 80180003 - **Namespace**: `s:` 
@@ -155,7 +155,7 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma - **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. - **HRESULT**: 80180007 -In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example: +In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here's an example: ```xml @@ -224,7 +224,7 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. - **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. - **HRESULT**: 80180019 -TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. +TraceID is a freeform text node that is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. ## Related topics diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index e3edb1b0d1..c29289fd2b 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md 
@@ -19,9 +19,9 @@ The NAP (Network Access Point) Configuration Service Provider is used to manage > [!Note] > This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application. -For the NAP CSP, you cannot use the Replace command unless the node already exists. +For the NAP CSP, you can't use the Replace command unless the node already exists. -The following shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. +The following example shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol isn't supported by this configuration service provider. ```console ./Vendor/MSFT @@ -67,7 +67,7 @@ Root node. ***NAPX*** Required. Defines the name of the network access point. -It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). +It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). ***NAPX*/NAPID** Required. Specifies the identifier of the destination network. 
@@ -105,13 +105,13 @@ Optional. Specifies the user name and domain to be used during authentication. T ***NAPX*/AuthInfo/AuthSecret** Optional. Specifies the password used during authentication. -Queries of this field will return a string composed of sixteen asterisks (\*). +Queries of this field will return a string composed of 16 asterisks (\*). ***NAPX*/Bearer** Node. ***NAPX*/Bearer/BearerType** -Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi. +Required. Specifies the network type of the destination network. This parameter's value can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi. ## Related articles diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 341c72e038..075e0f6619 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -21,7 +21,7 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP > > This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application. -The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. +The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol isn't supported by this configuration service provider. ```console NAPDEF 
@@ -39,7 +39,7 @@ NAPDEF ----NAPID ``` -The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. +The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol isn't supported by this configuration service provider. ```console NAPDEF @@ -74,7 +74,7 @@ Specifies the protocol used to authenticate the user. The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note > [!Note] -> **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change. +> **AuthName** and **AuthSecret** are not created if **AuthType** isn't included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** isn't included in the provisioning XML used to make the change. **BEARER** Specifies the type of bearer. 
@@ -82,11 +82,11 @@ Specifies the type of bearer. Only Global System for Mobile Communication (GSM) and GSM-General Packet Radio Services (GPRS) are supported. **INTERNET** -Optional. Specifies whether this is an AlwaysOn connection. +Optional. Specifies whether this connection is an AlwaysOn connection. -If **INTERNET** exists, the connection is an AlwaysOn connection and does not require a connection manager policy. +If **INTERNET** exists, the connection is an AlwaysOn connection and doesn't require a connection manager policy. -If **INTERNET** does not exist, the connection is not an AlwaysOn connection and the connection requires a connection manager connection policy to be set. +If **INTERNET** doesn't exist, the connection isn't an AlwaysOn connection and the connection requires a connection manager connection policy to be set. **LOCAL-ADDR** Required for GPRS. Specifies the local address of the WAP client for GPRS access points. @@ -115,7 +115,7 @@ The maximum length of the **NAPID** value is 16 characters. ***NAPID*** Required for bootstrapping updating. Defines the name of the NAP. -The name of the *NAPID* element is the same as the value passed during initial bootstrapping. In addition, the Microsoft format for NAPDEF contains the provisioning XML attribute mwid. This custom attribute is optional when adding a NAP or a proxy. It is required for *NAPID* when updating and deleting existing NAPs and proxies and must have its value set to 1. +The name of the *NAPID* element is the same as the value passed during initial bootstrapping. In addition, the Microsoft format for NAPDEF contains the provisioning XML attribute mwid. This custom attribute is optional when adding a NAP or a proxy. It's required for *NAPID* when updating and deleting existing NAPs and proxies and must have its value set to 1. ## Microsoft Custom Elements 
@@ -123,7 +123,7 @@ The following table shows the Microsoft custom elements that this configuration |Elements|Available| |--- |--- | -|Parm-query|Yes
                    Note that some GPRS parameters will not necessarily contain the exact same value as was set.| +|Parm-query|Yes
                    Some GPRS parameters won't necessarily contain the exact same value as was set.| |Noparm|Yes| |Nocharacteristic|Yes| |Characteristic-query|Yes| diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 464a920e6d..cf15fbcacc 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -1,6 +1,6 @@ --- title: NetworkQoSPolicy CSP -description: he NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. +description: The NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -31,7 +31,7 @@ The following actions are supported: > > The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004. -The following shows the NetworkQoSPolicy configuration service provider in tree format. +The following example shows the NetworkQoSPolicy configuration service provider in tree format. ``` ./Device/Vendor/MSFT NetworkQoSPolicy diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index a982810497..90157cf9e6 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
@@ -20,7 +20,7 @@ ms.date: 10/20/2020 This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. -For details about Microsoft mobile device management protocols for Windows 10 and Windows 11 see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). ## What’s new in MDM for Windows 11, version 21H2 
@@ -33,17 +33,17 @@ For details about Microsoft mobile device management protocols for Windows 10 a ## Breaking changes and known issues -### Get command inside an atomic command is not supported +### Get command inside an atomic command isn’t supported -In Windows 10 and Windows 11, a Get command inside an atomic command is not supported. +In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported. ### Apps installed using WMI classes are not removed -Applications installed using WMI classes are not removed when the MDM account is removed from device. +Applications installed using WMI classes aren't removed when the MDM account is removed from device. ### Passing CDATA in SyncML does not work -Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10 and Windows 11. +Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11. ### SSL settings in IIS server for SCEP must be set to "Ignore" @@ -53,7 +53,7 @@ The certificate setting under "SSL Settings" in the IIS server for SCEP must be ### MDM enrollment fails on the Windows device when traffic is going through proxy -When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network. +When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network. ### Server-initiated unenrollment failure 
@@ -63,26 +63,26 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act ### Certificates causing issues with Wi-Fi and VPN -In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. +In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue. ### Version information for Windows 11 -The software version information from **DevDetail/Ext/Microsoft/OSPlatform** does not match the version in **Settings** under **System/About**. +The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**. ### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11 -In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. 
+In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. -Enterprises deploying certificate based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This can lead to issues such as: +Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as: - The user may be prompted to select the certificate. - The wrong certificate may get auto selected and cause an authentication failure. A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication. -EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: +EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: -- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). 
Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. +- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. - For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. For information about EAP Settings, see . 
@@ -98,14 +98,14 @@ The following list describes the prerequisites for a certificate to be used with - The certificate must have at least one of the following EKU (Extended Key Usage) properties: - Client Authentication. - - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. + - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. - Any Purpose. - - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering. + - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering. - All Purpose. - - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. + - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. - The user or the computer certificate on the client chains to a trusted root CA. -- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. 
-- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. +- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. +- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. - The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. The following XML sample explains the properties for the EAP TLS XML including certificate filtering. @@ -219,14 +219,14 @@ Alternatively you can use the following procedure to create an EAP Configuration 1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md). -2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) +2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.). :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: > [!NOTE] > For PEAP or TTLS, select the appropriate method and continue following this procedure. -3. Click the **Properties** button underneath the drop down menu. +3. Click the **Properties** button underneath the drop-down menu. 4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. 
@@ -246,17 +246,17 @@ Alternatively you can use the following procedure to create an EAP Configuration > You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)). -### MDM client will immediately check-in with the MDM server after client renews WNS channel URI +### MDM client will immediately check in with the MDM server after client renews WNS channel URI After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. ### User provisioning failure in Azure Active Directory joined Windows 10 and Windows 11 devices -In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user is not logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. +In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. 
### Requirements to note for VPN certificates also used for Kerberos Authentication -If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. +If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. ### Device management agent for the push-button reset is not working 
@@ -267,25 +267,26 @@ The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push- ### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11? + No. Only one MDM is allowed. ### How do I set the maximum number of Azure Active Directory joined devices per user? -1. Login to the portal as tenant admin: https://manage.windowsazure.com. -2. Click Active Directory on the left pane. -3. Choose your tenant. -4. Click **Configure**. -5. Set quota to unlimited. - :::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png"::: - +1. Sign in to the portal as tenant admin: https://portal.azure.com. +2. Select Active Directory on the left pane. +3. Choose your tenant. +4. Select **Configure**. +5. Set quota to unlimited. + + :::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png"::: ### What is dmwappushsvc? Entry | Description --------------- | -------------------- -What is dmwappushsvc? | It is a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | -What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. 
This service does not send telemetry.| -How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. Disabling this will cause your management to fail.| +What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service doesn't send telemetry.| +How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.| 
@@ -337,7 +338,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o | [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. | | [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. | | [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. | -| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. | +| [SUPL CSP](supl-csp.md) | Added three new certificate nodes in Windows 10, version 1809. | | [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. | | [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. | | [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. | diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 4ac44047b0..039ac5d742 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -25,9 +25,9 @@ application/x-nodemon-sha256 ``` -NodeCache will hash the values and compare with a hash value that was sent down by the server. This supports checking a parent node and its children recursively. +NodeCache will hash the values and compare with a hash value that was sent down by the server. This process supports checking a parent node and its children recursively. -The following shows the NodeCache configuration service provider in tree format. +The following example shows the NodeCache configuration service provider in tree format. ``` ./User/Vendor/MSFT NodeCache 
@@ -69,7 +69,7 @@ NodeCache ----------------AutoSetExpectedValue ``` **./Device/Vendor/MSFT and ./User/Vendor/MSFT** -Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax. +Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax. ***ProviderID*** Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic. 
@@ -82,14 +82,14 @@ Optional. Character string representing the cache version set by the server. Sco Data type is string. Supported operations are Get, Add, and Replace. ***ProviderID*/ChangedNodes** -Optional. List of nodes whose values do not match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic. +Optional. List of nodes whose values don't match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic. Data type is string. Supported operation is Get. ***ProviderID*/ChangedNodesData** -Added in Windows 10, version 1703. Optional. XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. +Added in Windows 10, version 1703. Optional. XML containing nodes whose values don't match their expected values as specified in /NodeID/ExpectedValue. -Suppported operation is Get. +Supported operation is Get. ***ProviderID*/Nodes** Required. Root node for cached nodes. Scope is dynamic. @@ -107,7 +107,7 @@ Required. This node's value is a complete OMA DM node URI. It can specify either Data type is string. Supported operations are Get, Add, and Delete. **/*NodeID*/ExpectedValue** -Required. This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent. +Required. The server expects this value to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent. Supported operations are Get, Add, and Delete. 
@@ -129,7 +129,7 @@ Here's an example for setting the ExpectedValue to nonexistent. ``` **/*NodeID*/AutoSetExpectedValue** -Added in Windows 10, version 1703. Required. This automatically sets the value on the device to match the actual value of the node. The node is specified in NodeURI. +Added in Windows 10, version 1703. Required. This parameter's value automatically sets the value on the device to match the actual value of the node. The node is specified in NodeURI. Supported operations are Add, Get, and Delete. @@ -166,7 +166,7 @@ Supported operations are Add, Get, and Delete. 1. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the device. - 2. If a value does not exist in the server-side cache, do the following: + 2. If a value doesn't exist in the server-side cache, do the following tasks: 1. Create a new entry with a unique *NodeID* in the server-side cache. @@ -370,12 +370,12 @@ For AutoSetExpectedValue, a Replace operation with empty data will query the ./D A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/ExpectedValue returns what the Device Name was when the AutoSet was called. -A Get operation on the ChangedNodesData returns an encoded XML. Here is example: +A Get operation on the ChangedNodesData returns an encoded XML. Here's an example: ```xml U09NRU5FV1ZBTFVF ``` -It represents this: +It represents this example: ```xml 
@@ -383,10 +383,10 @@ It represents this: U09NRU5FV1ZBTFVF ``` -Id is the node ID that was added by the MDM server, and Uri is the path that the node is tracking. -If a Uri is not set, the node will always be reported as changed, as in Node id 10. +Id is the node Id that was added by the MDM server, and Uri is the path that the node is tracking. +If a Uri isn't set, the node will always be reported as changed, as in Node Id 10. -The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. +The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName didn't match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. ## Related topics diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 8249c0eca9..04d615adff 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -25,12 +25,12 @@ The following table shows the OMA DM standards that Windows uses. |--- |--- | |Data transport and session|
                  • Client-initiated remote HTTPS DM session over SSL.
                  • Remote HTTPS DM session over SSL.
                  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
                  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.| |Bootstrap XML|OMA Client Provisioning XML.| -|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                  • Add (Implicit Add supported)
                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                  • Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                  • Exec: Invokes an executable on the client device
                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                  • Replace: Overwrites data on the client device
                  • Result: Returns the data results of a Get command to the DM server
                  • Sequence: Specifies the order in which a group of commands must be processed
                  • Status: Indicates the completion status (success or failure) of an operation

                    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                  • SyncBody
                  • Atomic
                  • Sequence

                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

                    If Atomic elements are nested, the following status codes are returned:
                  • The nested Atomic command returns 500.
                  • The parent Atomic command returns 507.

                    For more information about the Atomic command, see OMA DM protocol common elements.
                    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.

                    LocURI cannot start with `/`.

                    Meta XML tag in SyncHdr is ignored by the device.| +|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                  • Add (Implicit Add supported)
                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                  • Atomic: Performing an Add command followed by Replace on the same node within an atomic element isn't supported. Nested Atomic and Get commands aren't allowed and will generate error code 500.
                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                  • Exec: Invokes an executable on the client device
                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                  • Replace: Overwrites data on the client device
                  • Result: Returns the data results of a Get command to the DM server
                  • Sequence: Specifies the order in which a group of commands must be processed
                  • Status: Indicates the completion status (success or failure) of an operation

                    If an XML element that isn't a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                  • SyncBody
                  • Atomic
                  • Sequence

                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

                    If Atomic elements are nested, the following status codes are returned:
                  • The nested Atomic command returns 500.
                  • The parent Atomic command returns 507.

                    For more information about the Atomic command, see OMA DM protocol common elements.
                    Performing an Add command followed by Replace on the same node within an Atomic element isn't supported.

                    LocURI can't start with `/`.

                    Meta XML tag in SyncHdr is ignored by the device.| |OMA DM standard objects|DevInfo
                  • DevDetail
                  • OMA DM DMS account objects (OMA DM version 1.2)| |Security|
                  • Authenticate DM server initiation notification SMS message (not used by enterprise management)
                  • Application layer Basic and MD5 client authentication
                  • Authenticate server with MD5 credential at application level
                  • Data integrity and authentication with HMAC at application level
                  • SSL level certificate-based client/server authentication, encryption, and data integrity check| -|Nodes|In the OMA DM tree, the following rules apply for the node name:
                  • "." can be part of the node name.
                  • The node name cannot be empty.
                  • The node name cannot be only the asterisk (*) character.| -|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).

                    If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                    **Note**
                    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                    | -|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.| +|Nodes|In the OMA DM tree, the following rules apply for the node name:
                  • "." can be part of the node name.
                  • The node name can't be empty.
                  • The node name can't be only the asterisk (`*`) character.| +|Provisioning Files|Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf).

                    If an XML element that isn't a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                    **Note**
                    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                    | +|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.| |Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| @@ -52,7 +52,7 @@ Common elements are used by other OMA DM element types. The following table list |MsgID|Specifies a unique identifier for an OMA DM session message.| |MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| |RespURI|Specifies the URI that the recipient must use when sending a response to this message.| -|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
                    **Note**
                    If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.
                    | +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
                    **Note**
                    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.
                    | |Source|Specifies the message source address.| |SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| |Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| 
@@ -64,13 +64,13 @@ Common elements are used by other OMA DM element types. The following table list A Device Management (DM) session consists of a series of commands exchanged between a DM server and a client device. The server sends commands indicating operations that must be performed on the client device's management tree. The client responds by sending commands that contain the results and any requested status information. -A short DM session can be summarized as the following: +A short DM session can be summarized as: A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents. A DM session can be divided into two phases: 1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. -2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. +2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. The following information shows the sequence of events during a typical DM session. 
@@ -92,7 +92,7 @@ The following information shows the sequence of events during a typical DM sessi The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). -During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. +During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. If the MD5 authentication occurs, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the Chal element is included and the MD5 authentication is required, a new digest is created by using the next nonce via the Chal element for next request. 
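Review bot: style point in the mutual-authentication paragraph: "If the MD5 authentication occurs, the Chal element can be returned" still reads awkwardly and loses the conditional sense of the original "In the case of the MD5 authentication". Suggest "When MD5 authentication is used, the server can return a Chal element; the nonce it carries must then be used for the MD5 digest when the next DM session is started."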
@@ -101,13 +101,13 @@ For more information about Basic or MD5 client authentication, MD5 server authen ## User targeted vs. Device targeted configuration -For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the login status via a device alert (1224) with Alert type = in DM pkg\#1. +For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the sign-in status via a device alert (1224) with Alert type = in DM pkg\#1. The data part of this alert could be one of following strings: -- User – the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration -- Others – another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device. -- None – no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login). +- User: the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration +- Others: another user sign in but that user doesn't have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device. +- None: no active user sign in. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user sign in). Below is an alert example: 
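Review bot: grammar in the three alert-value bullets: "another user sign in" and "no active user sign in" use "sign in" as a noun, which the rest of this PR avoids. Suggest "Others: another user is signed in, but that user doesn't have an MDM account" and "None: no user is signed in". The first bullet also still says "actively logged in" while the sentence above it was changed to "sign-in status"; make the two consistent.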
@@ -117,46 +117,46 @@ Below is an alert example: 1224 - com.microsoft/MDM/LoginStatus - chr + com.microsoft/MDM/LoginStatus + chr user ``` -The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management node’s LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration. +The server notifies the device whether it's a user-targeted or device-targeted configuration by a prefix to the management node's LocURL, with `./user` for user-targeted configuration, or `./device` for device-targeted configuration. By default, if no prefix with `./device` or `./user`, it's a device-targeted configuration. -The following LocURL shows a per user CSP node configuration: **./user/vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/<PackageFamilyName>/StoreInstall** +The following LocURL shows a per user CSP node configuration: `./user/vendor/MSFT/EnterpriseModernAppManagement/AppInstallation//StoreInstall` -The following LocURL shows a per device CSP node configuration: **./device/vendor/MSFT/RemoteWipe/DoWipe** +The following LocURL shows a per device CSP node configuration: `./device/vendor/MSFT/RemoteWipe/DoWipe` ## SyncML response status codes -When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. +When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you're likely to see. 
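Review bot: the per-user LocURL example lost its placeholder: `./user/vendor/MSFT/EnterpriseModernAppManagement/AppInstallation//StoreInstall` now has an empty path segment where `<PackageFamilyName>` was. The angle brackets were most likely dropped as an HTML tag; inside a backtick span they render literally, so restore `./user/vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/<PackageFamilyName>/StoreInstall`. In the same hunk, "By default, if no prefix with `./device` or `./user`, it's a device-targeted configuration" is still not a sentence; suggest "If the LocURL has neither prefix, the configuration is device-targeted."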
For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. | Status code | Description | |---|----| | 200 | The SyncML command completed successfully. | -| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. | -| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. | +| 202 | Accepted for processing. This code denotes an asynchronous operation, such as a request to run a remote execution of an application. | +| 212 | Authentication accepted. Normally you'll only see this code in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this code if you look at OMA DM logs, but CSPs don't typically generate this code. | | 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. | -| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. | +| 215 | Not executed. A command wasn't executed as a result of user interaction to cancel the command. | | 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | -| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. | -| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. | +| 400 | Bad request. 
The requested command couldn't be performed because of malformed syntax. CSPs don't usually generate this error, however you might see it if your SyncML is malformed. | +| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs don't usually generate this error. | | 403 | Forbidden. The requested command failed, but the recipient understood the requested command. | -| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. | +| 404 | Not found. The requested target wasn't found. This code will be generated if you query a node that doesn't exist. | | 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. | | 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | | 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | | 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | -| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | -| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. | +| 425 | Permission Denied. The requested command failed because the sender doesn't have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | +| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition, which prevented it from fulfilling the request. 
This response code will occur when the SyncML DPU can't map the originating error code. | | 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | -| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | +| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command wasn't rolled back successfully. | ## Related topics diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 68bd28dd1e..21cc92b117 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -14,14 +14,14 @@ ms.date: 07/19/2019 # PassportForWork CSP -The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. +The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to sign in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. > [!IMPORTANT] > Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.   ### User configuration diagram -The following shows the PassportForWork configuration service provider in tree format. +The following example shows the PassportForWork configuration service provider in tree format. ```console ./User/Vendor/MSFT 
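Review bot: the 202 row now states that the code "denotes an asynchronous operation", where the original said it "is usually" one. The hunk gives no basis for the stronger claim, and the section defers to section 10 of the SyncML Representation Protocol for the definitions, so keep the hedge: "This code usually indicates an asynchronous operation, such as a request to run a remote execution of an application." Separately, the 400 row keeps the comma splice "CSPs don't usually generate this error, however you might see it"; a semicolon before "however" or "but you might see it" fixes it.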
@@ -44,7 +44,7 @@ PassportForWork ### Device configuration diagram -The following shows the PassportForWork configuration service provider in tree format. +The following example shows the PassportForWork configuration service provider in tree format. ```console ./Device/Vendor/MSFT @@ -88,7 +88,7 @@ PassportForWork Root node for PassportForWork configuration service provider. ***TenantId*** -A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). +A globally unique identifier (GUID), without curly braces (`{`, `}`), that's used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell). ***TenantId*/Policies** Node for defining the Windows Hello for Business policy settings. 
@@ -96,14 +96,14 @@ Node for defining the Windows Hello for Business policy settings. ***TenantId*/Policies/UsePassportForWork** Boolean value that sets Windows Hello for Business as a method for signing into Windows. -Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business. +Default value is true. If you set this policy to false, the user can't provision Windows Hello for Business. Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/RequireSecurityDevice** -Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. +Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an extra security benefit over software so that data stored in it can't be used on other devices. -Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. +Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there isn't a usable TPM. If you don't configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. Supported operations are Add, Get, Delete, and Replace. 
@@ -116,7 +116,7 @@ Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are comp Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. -If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. +If you disable or don't configure this policy setting, TPM revision 1.2 modules will be used with Windows Hello for Business. Supported operations are Add, Get, Delete, and Replace. @@ -126,7 +126,7 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. -If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. +If you disable or don't configure this policy setting, the PIN recovery secret won't be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. Supported operations are Add, Get, Delete, and Replace. 
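Review bot: meaning change in the TPM 1.2 hunk: "TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business" was rewritten as "TPM revision 1.2 modules will be used with Windows Hello for Business", which turns a permission into a statement that they will be used and no longer reads as the counterpart of the "If you enable this policy setting, TPM revision 1.2 modules will be disallowed" sentence above it. Suggest "If you disable or don't configure this policy setting, TPM revision 1.2 modules can be used with Windows Hello for Business."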
@@ -135,7 +135,7 @@ Boolean value that enables Windows Hello for Business to use certificates to aut If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. -If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. +If you disable or don't configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. Supported operations are Add, Get, Delete, and Replace. @@ -145,7 +145,7 @@ Node for defining PIN settings. ***TenantId*/Policies/PINComplexity/MinimumPINLength** Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. -If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. +If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 4. > [!NOTE] > If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. 
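Review bot: inconsistency in the certificate-payload hunk: "the PIN will be provisioned when the user logs in" keeps "logs in" while this PR changes "login" to "sign in" elsewhere (for example, in the PassportForWork intro and the MDM alert section). Suggest "when the user signs in, without waiting for a certificate payload."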
@@ -156,7 +156,7 @@ Value type is int. Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/MaximumPINLength** Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. -If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. +If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127. > [!NOTE] > If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. 
@@ -170,10 +170,10 @@ Integer value that configures the use of uppercase letters in the Windows Hello Valid values: - 0 - Allows the use of uppercase letters in PIN. -- 1 - Requires the use of at least one uppercase letters in PIN. -- 2 - Does not allow the use of uppercase letters in PIN. +- 1 - Requires the use of at least one uppercase letter in PIN. +- 2 - Doesn't allow the use of uppercase letters in PIN. -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. Supported operations are Add, Get, Delete, and Replace. @@ -183,10 +183,10 @@ Integer value that configures the use of lowercase letters in the Windows Hello Valid values: - 0 - Allows the use of lowercase letters in PIN. -- 1 - Requires the use of at least one lowercase letters in PIN. -- 2 - Does not allow the use of lowercase letters in PIN. +- 1 - Requires the use of at least one lowercase letter in PIN. +- 2 - Doesn't allow the use of lowercase letters in PIN. -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. Supported operations are Add, Get, Delete, and Replace. 
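Review bot: style point in the uppercase and lowercase PIN complexity hunks, and in the identical sentence in the special-characters and digits hunks that follow: "none's explicitly required" is an unidiomatic contraction of "none is". Suggest "If all character sets are allowed but none is explicitly required, the default PIN complexity behavior applies."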
@@ -197,9 +197,9 @@ Valid values: - 0 - Allows the use of special characters in PIN. - 1 - Requires the use of at least one special character in PIN. -- 2 - Does not allow the use of special characters in PIN. +- 2 - Doesn't allow the use of special characters in PIN. -Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. Supported operations are Add, Get, Delete, and Replace. 
@@ -210,16 +210,16 @@ Valid values: - 0 - Allows the use of digits in PIN. - 1 - Requires the use of at least one digit in PIN. -- 2 - Does not allow the use of digits in PIN. +- 2 - Doesn't allow the use of digits in PIN. -Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets aren't allowed. If all character sets are allowed but none's explicitly required, then the default PIN complexity behavior will apply. Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/History** -Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. +Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required. This node was added in Windows 10, version 1511. -The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. +The current PIN of the user is included in the set of PINs associated with the user account. PIN history isn't preserved through a PIN reset. Default value is 0. 
@@ -248,7 +248,7 @@ Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT) Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. -If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. +If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. 
@@ -262,7 +262,7 @@ Node for defining biometric settings. This node was added in Windows 10, versi *Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) -Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use if there are failures. This node was added in Windows 10, version 1511. Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. 
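Review bot: the UseBiometrics sentence "Users must still configure a PIN if they configure biometric gestures to use if there are failures" stacks two "if" clauses and blurs the point of the original "in case of failures". Suggest "Users who configure biometric gestures must still configure a PIN, which is used as the fallback when biometric authentication fails."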
@@ -277,9 +277,9 @@ Boolean value used to enable or disable enhanced anti-spoofing for facial featur Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. -If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. +If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that don't support enhanced anti-spoofing. -Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. +Enhanced anti-spoofing for Windows Hello face authentication isn't required on unmanaged devices. Supported operations are Add, Get, Delete, and Replace. @@ -324,7 +324,7 @@ Scope is permanent. Supported operation is Get. **SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT) -Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation. +Added in Windows 10, version 1903. Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation. Scope is dynamic. Supported operations are Add, Get, Replace, and Delete. @@ -550,7 +550,3 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol ``` - -  - -  \ No newline at end of file 
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 67b7f88ce5..ff76751aef 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -20,7 +20,7 @@ This CSP was added in Windows 10, version 1703. > [!Note] > Personalization CSP is supported in Windows 10 Enterprise and Education SKUs. It works in Windows 10 Pro and Windows 10 Pro in S mode if SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set. -The following shows the Personalization configuration service provider in tree format. +The following example shows the Personalization configuration service provider in tree format. ``` ./Vendor/MSFT Personalization @@ -33,7 +33,7 @@ Personalization

                    Defines the root node for the Personalization configuration service provider.

                    **DesktopImageUrl** -

                    Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

                    +

                    Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.

                    Value type is string. Supported operations are Add, Get, Delete, and Replace.

                    **DesktopImageStatus** @@ -53,7 +53,7 @@ Personalization > This setting is only used to query status. To set the image, use the DesktopImageUrl setting. **LockScreenImageUrl** -

                    Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

                    +

                    Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.

                    Value type is string. Supported operations are Add, Get, Delete, and Replace.
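Review bot: in both the DesktopImageUrl and LockScreenImageUrl hunks the edited sentence is still missing its conjunction: "This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image." Suggest "... to a remote image to be downloaded, or a file Url to a local image." Since the article fix already touches this sentence, complete it in the same change.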

                    diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index da3f1feee3..96ba99c053 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -980,7 +980,7 @@ ms.date: 10/08/2020 - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) - [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy) -- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) +- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](./policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) - [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) - [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) - [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md index 4241ee2ff7..58fffbd813 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium ms.date: 09/17/2019 --- -# Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite +# Policies in Policy CSP supported by HoloLens (first gen) Commercial Suite > [!div class="op_single_selector"] > diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md index ce8155a947..7d67b45cd3 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium ms.date: 07/18/2019 --- -# Policies in Policy CSP supported by HoloLens (1st gen) Development Edition +# Policies in Policy CSP supported by HoloLens (first gen) Development Edition > [!div class="op_single_selector"] > diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 6c81fc9eb0..206b52f009 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ActiveXControls -description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10. +description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
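Review bot: the two HoloLens H1 changes from "(1st gen)" to "(first gen)" rewrite a product name rather than prose; "HoloLens (1st gen)" is the name Microsoft uses for the device, and the file names in these same hunks (`policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md`, `...-development-edition.md`) keep "1st gen". Suggest reverting these two title lines and applying the spelled-out-number style only to ordinary prose.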
@@ -65,10 +65,10 @@ This policy setting determines which ActiveX installation sites standard users i If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. +If you disable or don't configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. ->[!Note] -> Wild card characters cannot be used when specifying the host URLs. +> [!Note] +> Wild card characters can't be used when specifying the host URLs. diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index caad440929..bc9d52e929 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md 
@@ -66,9 +66,9 @@ This policy setting controls the installation of ActiveX controls for sites in T If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. -If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. +If you disable or don't configure this policy setting, ActiveX controls prompt the user before installation. -If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore. +If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If a trusted site has a certificate error but you want to trust it anyway, you can select the certificate errors that you want to ignore. > [!NOTE] > This policy setting applies to all sites in Trusted zones. diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 28216b6769..c31c112030 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md 
@@ -93,7 +93,7 @@ The policy setting specifies the category of programs that appears when users op To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. -If you disable this setting or don't configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they're most likely to need. +If you disable this setting or don't configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they're most likely to need. > [!NOTE] > This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. 
@@ -148,12 +148,12 @@ ADMX Info: -This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. +This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This feature removal prevents users from using Add or Remove Programs to install programs from removable media. -If you disable this setting or don't configure it, the "Add a program from CD-ROM or floppy disk" option will be available to all users. This setting doesn't prevent users from using other tools and methods to add or remove program components. +If you disable this setting or don't configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting doesn't prevent users from using other tools and methods to add or remove program components. > [!NOTE] -> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users can't add programs from removable media, regardless of this setting. 
@@ -324,7 +324,7 @@ ADMX Info: This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. -If you disable this setting or don't configure it, the Add New Programs button will be available to all users. This setting doesn't prevent users from using other tools and methods to install programs. +If you disable this setting or don't configure it, the Add New Programs button is available to all users. This setting doesn't prevent users from using other tools and methods to install programs. @@ -434,7 +434,7 @@ ADMX Info: This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. -If you disable this setting or don't configure it, the Set Program Access and Defaults button is available to all users. This setting doesn't prevent users from using other tools and methods to change program access or defaults. This setting doesn't prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. +If you disable this setting or don't configure it, the **Set Program Access and Defaults** button is available to all users. This setting doesn't prevent users from using other tools and methods to change program access or defaults. This setting doesn't prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. 
@@ -548,7 +548,7 @@ This policy setting prevents users from using Add or Remove Programs to configur If you disable this setting or don't configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting doesn't prevent users from using other methods to configure services. > [!NOTE] -> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. +> When "Set up services" doesn't appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index c4a14678bd..09fc5c811d 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md 
@@ -102,7 +102,7 @@ If the status is set to Enabled, the MS-DOS subsystem is prevented from running, If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer. -If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run. +If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this setting prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run. > [!NOTE] > This setting appears only in Computer Configuration. 
@@ -198,11 +198,11 @@ The policy setting controls the state of the Application Telemetry engine in the Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. -Turning Application Telemetry off by selecting "enable" will stop the collection of usage data. +Turning off Application Telemetry by selecting "enable" will stop the collection of usage data. If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set. -Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine. +Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, reboot your machine. 
@@ -300,11 +300,11 @@ This policy setting controls the state of the application compatibility engine i The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a known problem. -Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and won't block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed. +Turning off the application compatibility engine will boost system performance. However, this turn-off will degrade the compatibility of many popular legacy applications, and won't block known incompatible applications from installing. For example, this prevention of blocking may result in a blue screen if an old anti-virus application is installed. The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations won't be applied to applications and their installers and these applications may fail to install or run properly. -This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they're using. It's particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. +This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they're using. 
It's useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. > [!NOTE] > Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes. diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index ba5bd6916e..c55966c2f8 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -65,7 +65,7 @@ This policy setting determines what information is logged in security audit even If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. -If you disable or don't configure this policy setting, the process's command line information will not be included in Audit Process Creation events. +If you disable or don't configure this policy setting, the process's command line information won't be included in Audit Process Creation events. Default is Not configured. diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index e3301c9321..5aaff2305b 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md 
@@ -107,7 +107,7 @@ If you enable this policy setting, the BITS client doesn't use Windows Branch Ca If you disable or don't configure this policy setting, the BITS client uses Windows Branch Cache. > [!NOTE] -> This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. +> This policy setting doesn't affect the use of Windows Branch Cache by applications other than BITS. This policy setting doesn't apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. 
@@ -249,7 +249,7 @@ ADMX Info: This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. -If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. +If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When a download job is being transferred, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it's possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. 
@@ -298,7 +298,7 @@ ADMX Info: This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting doesn't affect transfers from the origin server). -To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100-Mbps network card and a 56-Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. +To prevent any negative impact to a computer caused by serving other peers, by default, BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100-Mbps network card and a 56-Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. @@ -495,7 +495,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that haven't been accessed in the past 90 days. +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default, BITS removes any files in the peer cache that haven't been accessed in the past 90 days. If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. 
@@ -547,7 +547,7 @@ This policy setting limits the amount of time that Background Intelligent Transf The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. -By default BITS uses a maximum download time of 90 days (7,776,000 seconds). +By default, BITS uses a maximum download time of 90 days (7,776,000 seconds). If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. @@ -600,7 +600,7 @@ If you enable this policy setting, BITS will limit the maximum number of files a If you disable or don't configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. > [!NOTE] -> BITS Jobs created by services and the local administrator account do not count toward this limit. +> BITS Jobs created by services and the local administrator account don't count toward this limit. @@ -649,7 +649,7 @@ If you enable this policy setting, BITS will limit the maximum number of BITS jo If you disable or don't configure this policy setting, BITS will use the default BITS job limit of 300 jobs. > [!NOTE] -> BITS jobs created by services and the local administrator account do not count toward this limit. +> BITS jobs created by services and the local administrator account don't count toward this limit. 
@@ -698,7 +698,7 @@ If you enable this policy setting, BITS will limit the maximum number of BITS jo If you disable or don't configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. > [!NOTE] -> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. +> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account don't count toward this limit. @@ -747,7 +747,7 @@ If you enable this policy setting, BITS will limit the maximum number of ranges If you disable or don't configure this policy setting, BITS will limit ranges to 500 ranges per file. > [!NOTE] -> BITS Jobs created by services and the local administrator account do not count toward this limit. +> BITS Jobs created by services and the local administrator account don't count toward this limit. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 0ff16b2feb..8f008a5bcd 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md 
@@ -235,7 +235,7 @@ ADMX Info: -This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. +This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those items you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index d2b7755488..5b902e0ec5 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md 
@@ -66,7 +66,7 @@ manager: dansimp -This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +This policy setting allows Internet-connected users to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. @@ -116,7 +116,7 @@ This policy setting allows users to access and run the troubleshooting tools tha If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. -If you disable this policy setting, users cannot access or run the troubleshooting tools from the Control Panel. +If this policy setting is disabled, the users cannot access or run the troubleshooting tools from the Control Panel. >[!Note] >This setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index b47eb8adc5..8f4e9a4209 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
@@ -3686,7 +3686,7 @@ ADMX Info: -This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searchTerms}). +This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, `https://www.example.com/results.aspx?q={searchTerms}`). You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 97bb3385de..5deb121be6 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md 
@@ -2116,7 +2116,7 @@ Most restricted value: 0 > This policy has no effect when the Browser/HomePages policy isn't configured.  > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). @@ -2866,7 +2866,7 @@ Define a default list of favorites in Microsoft Edge. In this case, the Save a F To define a default list of favorites: 1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**. 2. Click **Import from another browser**, click **Export to file** and save the file. -3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

                    Specify the URL as:

                    • HTTP location: "SiteList"=
                    • Local network: "SiteList"="\network\shares\URLs.html"
                    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
                    +3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

                    Specify the URL as:

                    • HTTP location: "SiteList"=``
                    • Local network: "SiteList"="\network\shares\URLs.html"
                    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
                    >[!IMPORTANT] @@ -2975,7 +2975,7 @@ Most restricted value: 0 [!INCLUDE [set-default-search-engine-shortdesc](../includes/set-default-search-engine-shortdesc.md)] > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). Most restricted value: 0 diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index d5df4315c1..c556897ebb 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -649,7 +649,7 @@ ADMX Info: -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to `` to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to `www.msftconnecttest.com`. Value type is integer. diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 036aa82cdc..a4b2b54bee 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md 
@@ -1960,7 +1960,7 @@ Internet Explorer has 4 security zones, numbered 1-4, and these are used by this If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list, enter the following information: -Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. +Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter `` as the valuename, other protocols are not affected. If you enter just `www.contoso.com,` then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for `www.contoso.com` and `www.contoso.com/mail` would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. 
Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. @@ -2002,8 +2002,8 @@ ADMX Info: ``` Value and index pairs in the SyncML example: -- http://adfs.contoso.org 1 -- https://microsoft.com 2 +- `https://adfs.contoso.org 1` +- `https://microsoft.com 2` diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 6b1bf6a7d3..30eb1c679f 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -272,6 +272,8 @@ ADMX Info: |Enterprise|Yes|Yes| |Education|Yes|Yes| +Added to HoloLens 2 in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2). +
                    diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 6dd30d5940..118dd3a3a7 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -58,7 +58,7 @@ This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. -This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. +These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. > [!IMPORTANT] > Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index d600b89da2..383f6aedfb 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -60,6 +60,9 @@ manager: dansimp
                    Storage/WPDDevicesDenyWriteAccessPerUser
                    +
                    + StorageHealthMonitor/DisableStorageHealthMonitor +
                    @@ -839,3 +842,50 @@ ADMX Info:
                    + +**StorageHealthMonitor/DisableStorageHealthMonitor** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +Note: Versions prior to 21H2 will not support this policy + + +
                    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
                    + + + +Allows disable of Storage Health Monitor. + +Value type is integer. + + + + +The following list shows the supported values: + +- 0 - Storage Health Monitor is Enabled +- 1 - Storage Health Monitor is Disabled + + + + +
                    + + + diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index a824fde8d4..a2830db2e2 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -529,7 +529,7 @@ The following list shows the supported values: This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data. -For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data.md). +For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data). This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 46fceb630a..fbc41ad17a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
@@ -266,7 +266,7 @@ ms.collection: highpri Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. there's a 12-hour maximum from start time. > [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. @@ -361,7 +361,7 @@ ADMX Info: Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. > [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. 
@@ -426,12 +426,12 @@ ADMX Info: The following list shows the supported values: -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. -- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. 
If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. +- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. 
For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). +- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). +- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. +- 5 - Turn off automatic updates. > [!IMPORTANT] 
@@ -536,8 +536,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. +- 0 - Not configured. +- 1 - Allowed. Accepts updates received through Microsoft Update. > [!NOTE] > Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:. @@ -588,8 +588,8 @@ This policy is specific to desktop and local publishing via WSUS for third-party The following list shows the supported values: -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. +- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. +- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. @@ -629,7 +629,7 @@ Even when Windows Update is configured to receive updates from an intranet updat Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. > [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. 
@@ -643,8 +643,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Update service isn't allowed. -- 1 (default) – Update service is allowed. +- 0 - Update service isn't allowed. +- 1 (default) - Update service is allowed. @@ -856,8 +856,8 @@ ADMX Info: The following list shows the supported values: -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. +- 1 (default) - Auto Dismissal. +- 2 - User Dismissal. @@ -1306,7 +1306,7 @@ Defers Feature Updates for the specified number of days. Supported values are 0-365 days. > [!IMPORTANT] -> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. @@ -1393,7 +1393,7 @@ ADMX Info: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to four weeks. 
@@ -1471,7 +1471,7 @@ ADMX Info: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify other upgrade delays for up to eight months. 
@@ -1616,18 +1616,18 @@ The following list shows the supported values: -Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards. +Available in Windows Update for Business devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a Windows Update for Business device should skip safeguards. Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update. -IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy. +IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy. > [!NOTE] > Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied. > -> The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. 
+> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. > > Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you're bypassing the protection given by Microsoft pertaining to known issues. @@ -2069,8 +2069,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. +- 0 (default) - Allow Windows Update drivers. +- 1 - Exclude Windows Update drivers. @@ -2121,8 +2121,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Disabled. -- 1 – Enabled. +- 0 (default) - Disabled. +- 1 - Enabled. @@ -2164,8 +2164,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading) The following list shows the supported values: -- 0 (default) – Don't ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. +- 0 (default) - Don't ignore MO download limit for apps and their updates. +- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates. @@ -2217,8 +2217,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading) The following list shows the supported values: -- 0 (default) – Don't ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. +- 0 (default) - Don't ignore MO download limit for OS updates. +- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates. 
@@ -2312,7 +2312,7 @@ The following list shows the supported values: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. @@ -2333,8 +2333,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Deferrals aren't paused. -- 1 – Deferrals are paused. +- 0 (default) - Deferrals aren't paused. +- 1 - Deferrals are paused. @@ -2383,8 +2383,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Feature Updates aren't paused. -- 1 – Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner. +- 0 (default) - Feature Updates aren't paused. +- 1 - Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner. @@ -2476,8 +2476,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Quality Updates aren't paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. +- 0 (default) - Quality Updates aren't paused. +- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. 
@@ -2580,7 +2580,7 @@ ADMX Info: -Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”. +Value type is a string containing a Windows product, for example, "Windows 11" or "11" or "Windows 10". @@ -2624,7 +2624,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to General Availability Channel train. @@ -2640,8 +2640,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – User gets upgrades from General Availability Channel (Targeted). -- 1 – User gets upgrades from General Availability Channel. +- 0 (default) - User gets upgrades from General Availability Channel (Targeted). +- 1 - User gets upgrades from General Availability Channel. 
@@ -2675,7 +2675,7 @@ The following list shows the supported values: > [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved. @@ -2686,8 +2686,8 @@ Supported operations are Get and Replace. The following list shows the supported values: -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. +- 0 - Not configured. The device installs all applicable updates. +- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. @@ -2769,7 +2769,7 @@ Supported values are 15, 30, or 60 (minutes). > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Allows the IT Admin to specify the period for autorestart warning reminder notifications. 
@@ -2839,14 +2839,14 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday +- 0 (default) - Every day +- 1 - Sunday +- 2 - Monday +- 3 - Tuesday +- 4 - Wednesday +- 5 - Thursday +- 6 - Friday +- 7 - Saturday @@ -3110,7 +3110,7 @@ ADMX Info: > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Enables the IT admin to schedule the time of the update installation. @@ -3178,8 +3178,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Enabled -- 1 – Disabled +- 0 (default) - Enabled +- 1 - Disabled @@ -3675,9 +3675,9 @@ Display options for update notifications. This policy allows you to define what Options: -- 0 (default) – Use the default Windows Update notifications -- 1 – Turn off all notifications, excluding restart warnings -- 2 – Turn off all notifications, including restart warnings +- 0 (default) - Use the default Windows Update notifications +- 1 - Turn off all notifications, excluding restart warnings +- 2 - Turn off all notifications, including restart warnings > [!IMPORTANT] > If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 13294f3ce5..43c7d7baf5 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md 
@@ -18,37 +18,37 @@ ms.date: 09/22/2017 # Push notification support for device management -The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). +The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). -To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token that it can use to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a device management session with a device, it can utilize its token and the device ChannelURI and begin communicating with the device. +To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. 
When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device. For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification). Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](/previous-versions/windows/apps/jj676791(v=win.10)). -Note the following restrictions related to push notifications and WNS: +The following restrictions are related to push notifications and WNS: -- Push for device management uses raw push notifications. This means that these raw push notifications do not support or utilize push notification payloads. -- Receipt of push notifications are sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. -- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. 
It is strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server will not attempt to use a ChannelURI that has expired. -- Push is not a replacement for having a polling schedule. +- Push for device management uses raw push notifications. This restriction means that these raw push notifications don't support or utilize push notification payloads. +- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. +- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired. +- Push isn't a replacement for having a polling schedule. - WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. - On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel. 
- To workaround this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue. + To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue. - On Windows 10, version 1511, we use the following retry logic for the DMClient: - - If ExpiryTime is greater than 15 days a schedule is set for when 15 days are left. - - If ExpiryTime is between now and 15 days a schedule set for 4 +/- 1 hours from now. - - If ExpiryTime has passed a schedule is set for 1 day +/- 4 hours from now. + - If ExpiryTime is greater than 15 days, a schedule is set for when 15 days are left. + - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now. + - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now. -- On Windows 10, version 1607, we check for network connectivity before retrying. We do not check for internet connectivity. If network connectivity is not available we will skip the retry and set schedule for 4+/-1 hours to try again. +- On Windows 10, version 1607, we check for network connectivity before retrying. We don't check for internet connectivity. If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again. 
## Get WNS credentials and PFN for MDM push notification -To get a PFN and WNS credentials, you must create an Microsoft Store app. +To get a PFN and WNS credentials, you must create a Microsoft Store app. 1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. @@ -68,8 +68,8 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. 6. Click **Live Services site**. A new window opens for the **Application Registration Portal** page. ![mdm push notification6.](images/push-notification6.png) -7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as: - - Application Id +7. In the **Application Registration Portal** page, you'll see the properties for the app that you created, such as: + - Application ID - Application Secrets - Microsoft Store Package SID, Application Identity, and Publisher. @@ -80,6 +80,6 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app. 11. From the left nav, expand **App management** and then click **App identity**. ![mdm push notification10.](images/push-notification10.png) -12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app. +12. In the **App identity** page, you'll see the **Package Family Name (PFN)** of your app.   diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index 573988546e..5c0940030d 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md 
@@ -29,7 +29,7 @@ The following table shows the OMA DM versions that are supported. ## File format -The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain extra XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://go.microsoft.com/fwlink/p/?LinkId=526902) specification. +The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/OMA-TS-DM_Protocol-V1_2_1-20080617-A.pdf) specification. ```xml diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index 52db501db8..6f4815ab07 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md 
@@ -16,12 +16,12 @@ manager: dansimp > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809. -The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes. +The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant if accidental or intentional resets or wipes occur. > [!NOTE] > The forced network connection is only applicable to devices after reset (not new). -The following shows the TenantLockdown configuration service provider in tree format. +The following example shows the TenantLockdown configuration service provider in tree format. ``` ./Vendor/MSFT TenantLockdown 
@@ -31,13 +31,13 @@ TenantLockdown The root node. **RequireNetworkInOOBE** -Specifies whether to require a network connection during the out-of-box experience (OOBE) at first logon. +Specifies whether to require a network connection during the out-of-box experience (OOBE) at first sign in. -When RequireNetworkInOOBE is true, when the device goes through OOBE at first logon or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option. +When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There's no "skip for now" option. Value type is bool. Supported operations are Get and Replace. -- true - Require network in OOBE -- false - No network connection requirement in OOBE +- True - Require network in OOBE +- False - No network connection requirement in OOBE -Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account. +Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they're required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There's no option to skip the network connection and create a local account. diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 6c01205868..0c7915fe7c 100644 
--- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -1,6 +1,6 @@ --- title: TPMPolicy CSP -description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. +description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,11 +14,11 @@ manager: dansimp # TPMPolicy CSP -The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. +The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. The TPMPolicy CSP was added in Windows 10, version 1703. -The following shows the TPMPolicy configuration service provider in tree format. +The following example shows the TPMPolicy configuration service provider in tree format. ``` ./Vendor/MSFT TPMPolicy @@ -28,13 +28,13 @@ TPMPolicy

                    Defines the root node.

                    **IsActiveZeroExhaust** -

                    Boolean value that indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:

                    +

                    Boolean value that indicates that network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). The default value is false. Examples of zero-exhaust configuration and the conditions it requires are described below:

                    • There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected.
                    • -
                    • There should be no traffic during installation of Windows and first logon when local ID is used.
                    • -
                    • Launching and using a local app (Notepad, Paint, and so on.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, and so on.) should not send any traffic.
                    • -
                    • Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, and so on.) to Microsoft.
                    • +
                    • There should be no traffic during installation of Windows and first sign in when local ID is used.
                    • +
                    • Launching and using a local app (Notepad, Paint, and so on) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, and so on.) should not send any traffic.
                    • +
                    • Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic data, and so on) to Microsoft.
                    Here is an example: diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index fa91e9823e..efba4330c5 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md @@ -560,7 +560,7 @@ The XML below is for Windows 10, version 1803. Roll back Latest Quality Update, if the machine meets the following conditions: - Condition 1: Device must be WUfB Connected + Condition 1: Device must be Windows Update for Business connected Condition 2: Device must be in a Paused State Condition 3: Device must have the Latest Quality Update installed on the device (Current State) If the conditions are not true, the device will not Roll Back the Latest Quality Update. @@ -588,7 +588,7 @@ The XML below is for Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions: - Condition 1: Device must be WUfB Connected + Condition 1: Device must be Windows Update for Business connected Condition 2: Device must be in Paused State Condition 3: Device must have the Latest Feature Update Installed on the device (Current State) Condition 4: Machine should be within the uninstall period diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index ccd2424347..d9ef683424 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md 
@@ -17,7 +17,7 @@ ms.date: 06/26/2017 # Enterprise settings, policies, and app management -The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). +The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/). Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](configuration-service-provider-reference.md). diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 35613face4..79a75c3f90 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md 
@@ -507,7 +507,7 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Wi Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md). -If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317). +If you use Microsoft Intune for MDM, you can [configure custom policies](/mem/intune/configuration/custom-settings-configure) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10). No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference. diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index a0f5f57b42..81396fc528 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md 
@@ -1,159 +1,144 @@ --- -title: Advanced troubleshooting for Stop error or blue screen error issue -ms.reviewer: -manager: dansimp -description: Learn advanced options for troubleshooting Stop errors, also known as blue screen errors or bug check errors. +title: Advanced troubleshooting for stop or blue screen errors +description: Learn advanced options for troubleshooting stop errors, also known as blue screen errors or bug check errors. ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library +ms.technology: windows ms.topic: troubleshooting -author: dansimp +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: ms.localizationpriority: medium -ms.author: dansimp ms.collection: highpri --- -# Advanced troubleshooting for Stop error or blue screen error issue +# Advanced troubleshooting for stop or blue screen errors ->[!NOTE] ->If you're not a support agent or IT professional, you'll find more helpful information about Stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238). +> [!NOTE] +> If you're not a support agent or IT professional, you'll find more helpful information about stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad). - -## What causes Stop errors? +## What causes stop errors? -A Stop error is displayed as a blue screen that contains the name of the faulty driver, such as any of the following example drivers: +A stop error is displayed as a blue screen that contains the name of the faulty driver, such as any of the following example drivers: - `atikmpag.sys` - `igdkmd64.sys` - `nvlddmkm.sys` -There's no simple explanation for the cause of Stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that Stop errors usually aren't caused by Microsoft Windows components. 
Instead, these errors are related to malfunctioning hardware drivers or drivers that are installed by third-party software. These drivers include video cards, wireless network cards, security programs, and so on. +There's no simple explanation for the cause of stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that stop errors usually aren't caused by Microsoft Windows components. Instead, these errors are related to malfunctioning hardware drivers or drivers that are installed by third-party software. These drivers include video cards, wireless network cards, security programs, and so on. Our analysis of the root causes of crashes indicates that: -- 70 percent are caused by third-party driver code -- 10 percent are caused by hardware issues -- 5 percent are caused by Microsoft code -- 15 percent have unknown causes (because the memory is too corrupted to analyze) +- 70% are caused by third-party driver code. +- 10% are caused by hardware issues. +- 5% are caused by Microsoft code. +- 15% have unknown causes, because the memory is too corrupted to analyze. > [!NOTE] -> The root cause of Stop errors is never a user-mode process. While a user-mode process (such as Notepad or Slack) may trigger a Stop error, it is merely exposing the underlying bug which is always in a driver, hardware, or the OS. +> The root cause of stop errors is never a user-mode process. While a user-mode process (such as Notepad or Slack) may trigger a stop error, it is merely exposing the underlying bug which is always in a driver, hardware, or the OS. ## General troubleshooting steps -To troubleshoot Stop error messages, follow these general steps: +To troubleshoot stop error messages, follow these general steps: -1. Review the Stop error code that you find in the event logs. 
Search online for the specific Stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem. +1. Review the stop error code that you find in the event logs. Search online for the specific stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem. -2. As a best practice, we recommend that you do the following steps: +1. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system. For example: - 1. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: + - [Windows 10, version 21H2](https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb) + - [Windows 10, version 21H1](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11) + - [Windows 10, version 20H2](https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3) - - [Windows 10, version 21H2](https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb) - - [Windows 10, version 21H1](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11) - - [Windows 10, version 20H2](https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3) - - [Windows 10, version 2004](https://support.microsoft.com/help/4555932) - - [Windows 10, version 1909](https://support.microsoft.com/help/4529964) - - [Windows 10, version 1903](https://support.microsoft.com/help/4498140) - - [Windows 10, version 1809](https://support.microsoft.com/help/4464619) - - [Windows 10, version 1803](https://support.microsoft.com/help/4099479) - - [Windows 10, version 
1709](https://support.microsoft.com/help/4043454) - - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) - - [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825) - - [Windows 10, version 1511](https://support.microsoft.com/help/4000824) - - [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470) - - [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469) +1. Make sure that the BIOS and firmware are up-to-date. - 1. Make sure that the BIOS and firmware are up-to-date. +1. Run any relevant hardware and memory tests. - 1. Run any relevant hardware and memory tests. +1. Run [Microsoft Safety Scanner](/microsoft-365/security/intelligence/safety-scanner-download) or any other virus detection program that includes checks of the MBR for infections. -3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions. +1. Make sure that there's sufficient free space on the hard disk. The exact requirement varies, but we recommend 10-15 percent free disk space. -4. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections. +1. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: -5. Make sure that there's sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space. + - The error message indicates that a specific driver is causing the problem. + - You're seeing an indication of a service that is starting or stopping before the crash occurred. 
In this situation, determine whether the service behavior is consistent across all instances of the crash. + - You have made any software or hardware changes. -6. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: - - - The error message indicates that a specific driver is causing the problem. - - You're seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. - - You have made any software or hardware changes. - - >[!NOTE] - >If there are no updates available from a specific manufacturer, it is recommended that you disable the related service. - > - >To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135). - > - >You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](/troubleshoot/windows-server/performance/deactivate-kernel-mode-filter-driver). - > - >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). + > [!NOTE] + > If there are no updates available from a specific manufacturer, we recommend that you disable the related service. + > + > For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd). + > + > You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](/troubleshoot/windows-server/performance/deactivate-kernel-mode-filter-driver). 
+ > + > You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll back a device driver to a previous version](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). ### Memory dump collection To configure the system for memory dump files, follow these steps: -1. [Download DumpConfigurator tool](https://codeplexarchive.blob.core.windows.net/archive/projects/WinPlatTools/WinPlatTools.zip). +1. Select the Taskbar search box, type **Advanced system settings**, and then press **Enter**. -2. Extract the .zip file and navigate to **Source Code** folder. +2. On the **Advanced** tab on the System Properties box, select the **Settings** button that appears in the section **Startup and Recovery**. -3. Run the tool DumpConfigurator.hta, and then select **Elevate this HTA**. +3. In the new window, select the drop-down below the option **Write debugging information**. -4. Select **Auto Config Kernel**. +4. Choose **Automatic memory dump**. -5. Restart the computer for the setting to take effect. +5. Select **OK**. -6. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written. +6. Restart the computer for the setting to take effect. 7. If the server is virtualized, disable auto reboot after the memory dump file is created. This disablement lets you take a snapshot of the server in-state and also if the problem recurs. 
The memory dump file is saved at the following locations: -| Dump file type | Location | -|----------------|----------| -|(none) | %SystemRoot%\MEMORY.DMP (inactive, or grayed out) | -|Small memory dump file (256 kb) | %SystemRoot%\Minidump | -|Kernel memory dump file | %SystemRoot%\MEMORY.DMP | -| Complete memory dump file | %SystemRoot%\MEMORY.DMP | -| Automatic memory dump file | %SystemRoot%\MEMORY.DMP | -| Active memory dump file | %SystemRoot%\MEMORY.DMP | +| Dump file type | Location | +|---------------------------------|-----------------------------------------------------| +| (none) | `%SystemRoot%\MEMORY.DMP` (inactive, or grayed out) | +| Small memory dump file (256 kb) | `%SystemRoot%\Minidump` | +| Kernel memory dump file | `%SystemRoot%\MEMORY.DMP` | +| Complete memory dump file | `%SystemRoot%\MEMORY.DMP` | +| Automatic memory dump file | `%SystemRoot%\MEMORY.DMP` | +| Active memory dump file | `%SystemRoot%\MEMORY.DMP` | -You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files aren't corrupted or invalid. For more information, see the following video:

                    +You can use the Microsoft Crash Dump File Checker (DumpChk) tool to verify that the memory dump files aren't corrupted or invalid. For more information, see the following video: ->[!video https://www.youtube.com/embed/xN7tOfgNKag] +> [!VIDEO https://www.youtube.com/embed/xN7tOfgNKag] -More information on how to use Dumpchk.exe to check your dump files: +For more information on how to use Dumpchk.exe to check your dump files, see the following articles: - [Using DumpChk](/windows-hardware/drivers/debugger/dumpchk) -- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) +- [Download DumpChk](https://developer.microsoft.com/windows/downloads/windows-10-sdk) -### Pagefile Settings +### Pagefile settings -- [Introduction of page file in Long-Term Servicing Channel and General Availability Channel of Windows](/windows/client-management/introduction-page-file) -- [How to determine the appropriate page file size for 64-bit versions of Windows](/windows/client-management/determine-appropriate-page-file-size) -- [How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2](/windows/client-management/generate-kernel-or-complete-crash-dump) +For more information on pagefile settings, see the following articles: + +- [Introduction to page files](introduction-page-file.md) +- [How to determine the appropriate page file size for 64-bit versions of Windows](determine-appropriate-page-file-size.md) +- [Generate a kernel or complete crash dump](generate-kernel-or-complete-crash-dump.md) ### Memory dump analysis Finding the root cause of the crash may not be easy. Hardware problems are especially difficult to diagnose because they may cause erratic and unpredictable behavior that can manifest itself in various symptoms. -When a Stop error occurs, you should first isolate the problematic components, and then try to cause them to trigger the Stop error again. 
If you can replicate the problem, you can usually determine the cause. +When a stop error occurs, you should first isolate the problematic components, and then try to cause them to trigger the stop error again. If you can replicate the problem, you can usually determine the cause. -You can use the tools such as Windows Software Development KIT (SDK) and Symbols to diagnose dump logs. The next section discusses how to use this tool. +You can use the tools such as Windows Software Development Kit (SDK) and symbols to diagnose dump logs. The next section discusses how to use this tool. ## Advanced troubleshooting steps ->[!NOTE] ->Advanced troubleshooting of crash dumps can be very challenging if you aren't experienced with programming and internal Windows mechanisms. We have attempted to provide a brief insight here into some of the techniques used, including some examples. However, to really be effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, see [Advanced Windows Debugging](https://channel9.msdn.com/Blogs/Charles/Advanced-Windows-Debugging-An-Introduction) and [Debugging Kernel Mode Crashes and Hangs](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps). Also see the advanced references listed below. +> [!NOTE] +> Advanced troubleshooting of crash dumps can be very challenging if you aren't experienced with programming and internal Windows mechanisms. We have attempted to provide a brief insight here into some of the techniques used, including some examples. However, to really be effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, [Debugging kernel mode crashes and hangs](/shows/defrag-tools/defragtools-137-debugging-kernel-mode-dumps). Also see the advanced references listed below. 
### Advanced debugging references -- [Advanced Windows Debugging](https://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460) -- [Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)](/windows-hardware/drivers/debugger/index) +- [Advanced Windows Debugging, first edition book](https://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460) +- [Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)](/windows-hardware/drivers/debugger/) ### Debugging steps -1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. For more information, see the steps [here](troubleshoot-windows-freeze.md#method-1-memory-dump). +1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. For more information, see [Method 1: Memory dump](troubleshoot-windows-freeze.md#method-1-memory-dump). 2. Locate the memory.dmp file in your Windows directory on the computer that is crashing, and copy that file to another computer. 
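Review bot: the rewritten NOTE under "## Advanced troubleshooting steps" drops the verb from the video sentence, so `For a video overview, [Debugging kernel mode crashes and hangs](/shows/defrag-tools/defragtools-137-debugging-kernel-mode-dumps).` should read `For a video overview, see [Debugging kernel mode crashes and hangs](...)`. In the same hunk, `You can use the tools such as Windows Software Development Kit (SDK) and symbols to diagnose dump logs. The next section discusses how to use this tool.` still mixes plural "tools" with singular "this tool"; suggest `You can use tools such as the Windows Software Development Kit (SDK) and symbols to diagnose dump files. The next section discusses how to use them.` Also, the `+### Pagefile settings` list replaces site-absolute `/windows/client-management/...` links with relative paths (`introduction-page-file.md`, `determine-appropriate-page-file-size.md`, `generate-kernel-or-complete-crash-dump.md`); that only resolves if those files sit in the same folder as this article, so please confirm the targets in the docs build.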
@@ -161,29 +146,30 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols 4. Start the install and choose **Debugging Tools for Windows**. The WinDbg tool is installed. -5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**. +5. Go to the **File** menu and select **Symbol File Path** to open the WinDbg tool and set the symbol path. - 1. If the computer is connected to the Internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This method is the recommended one. + 1. If the computer is connected to the internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols): `https://msdl.microsoft.com/download/symbols` and select **OK**. This method is recommended. - 1. If the computer isn't connected to the Internet, you must specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path). + 1. If the computer isn't connected to the internet, specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path). -6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below. +6. Select **Open Crash Dump**, and then open the memory.dmp file that you copied. - :::image type="content" alt-text="WinDbg img." source="images/windbg.png" lightbox="images/windbg.png"::: + :::image type="content" alt-text="Example output in WinDbg when opening a crash dump file." source="images/windbg.png" lightbox="images/windbg.png"::: -7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. The command !analyze -v is entered in the prompt at the bottom of the page. +7. Under **Bugcheck Analysis**, select **`!analyze -v`**. The command `!analyze -v` is entered in the prompt at the bottom of the page. -8. 
A detailed bugcheck analysis will appear. See the example below. +8. A detailed bug check analysis appears. - :::image type="content" alt-text="Bugcheck analysis." source="images/bugcheck-analysis.png" lightbox="images/bugcheck-analysis.png"::: + :::image type="content" alt-text="An example detailed bug check analysis." source="images/bugcheck-analysis.png" lightbox="images/bugcheck-analysis.png"::: -9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL. +9. Scroll down to the **STACK_TEXT** section. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash. If applicable, it also says what service is crashing the DLL. -10. See [Using the !analyze Extension](/windows-hardware/drivers/debugger/using-the--analyze-extension) for details about how to interpret the STACK_TEXT output. +10. For more information about how to interpret the STACK_TEXT output, see [Using the !analyze Extension](/windows-hardware/drivers/debugger/using-the--analyze-extension). -There are many possible causes of a bugcheck and each case is unique. In the example provided above, the important lines that can be identified from the STACK_TEXT are 20, 21, and 22: +There are many possible causes of a bug check and each case is unique. In the example provided above, the important lines that can be identified from the STACK_TEXT are 20, 21, and 22: -(HEX data is removed here and lines are numbered for clarity) +> [!NOTE] +> HEX data is removed here and lines are numbered for clarity. ```console 1 : nt!KeBugCheckEx 
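Review bot: step 5 in this hunk reverses the order of operations. `+5. Go to the **File** menu and select **Symbol File Path** to open the WinDbg tool and set the symbol path.` reads as if the File menu opens WinDbg, whereas the removed line correctly had the reader open WinDbg first and then use **File** > **Symbol File Path**. Suggest `5. Open the WinDbg tool. Go to the **File** menu and select **Symbol File Path** to set the symbol path.` Separately, step 9 keeps the wording `That text should tell you what DLL is causing the crash.`; for a kernel memory dump the STACK_TEXT frames name modules and drivers rather than DLLs (the example that follows starts with `nt!KeBugCheckEx`), so "what module or driver is causing the crash" would be more accurate while this step is being reworded anyway.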
@@ -217,62 +203,114 @@ There are many possible causes of a bugcheck and each case is unique. In the exa 29 : ntdll!RtlUserThreadStart+0x21 ``` -The problem here is with **mpssvc** which is a component of the Windows Firewall. The problem was repaired by disabling the firewall temporarily and then resetting firewall policies. +This issue is because of the **mpssvc** service, which is a component of the Windows Firewall. The problem was repaired by disabling the firewall temporarily and then resetting firewall policies. -More examples are provided in the [Debugging examples](#debugging-examples) section at the bottom of this article. +For more examples, see [Debugging examples](#debugging-examples). ## Video resources The following videos illustrate various troubleshooting techniques for analyzing dump files. -- [Analyze Dump File](https://www.youtube.com/watch?v=s5Vwnmi_TEY) -- [Installing Debugging Tool for Windows (x64 and x86)](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-Building-your-USB-thumbdrive/player#time=22m29s:paused) -- [Debugging kernel mode crash memory dumps](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps) -- [Special Pool](https://www.youtube.com/watch?v=vHXYS9KdU1k) - +- [Analyze dump file](https://www.youtube.com/watch?v=s5Vwnmi_TEY) +- [Installing debugging tool for Windows (x64 and x86)](/shows/defrag-tools/building-your-usb-thumbdrive) +- [Debugging kernel mode crash memory dumps](/shows/defrag-tools/defragtools-137-debugging-kernel-mode-dumps) +- [Special pool](https://www.youtube.com/watch?v=vHXYS9KdU1k) + ## Advanced troubleshooting using Driver Verifier -We estimate that about 75 percent of all Stop errors are caused by faulty drivers. The Driver Verifier tool provides several methods to help you troubleshoot. These include running drivers in an isolated memory pool (without sharing memory with other components), generating extreme memory pressure, and validating parameters. 
If the tool encounters errors in the execution of driver code, it proactively creates an exception to let that part of the code be examined further. +We estimate that about 75 percent of all stop errors are caused by faulty drivers. The Driver Verifier tool provides several methods to help you troubleshoot. These include running drivers in an isolated memory pool (without sharing memory with other components), generating extreme memory pressure, and validating parameters. If the tool encounters errors in the execution of driver code, it proactively creates an exception. It can then further examine that part of the code. ->[!WARNING] ->Driver Verifier consumes lots of CPU and can slow down the computer significantly. You may also experience additional crashes. Verifier disables faulty drivers after a Stop error occurs, and continues to do this until you can successfully restart the system and access the desktop. You can also expect to see several dump files created. +> [!WARNING] +> Driver Verifier consumes lots of CPU and can slow down the computer significantly. You may also experience additional crashes. Verifier disables faulty drivers after a stop error occurs, and continues to do this until you can successfully restart the system and access the desktop. You can also expect to see several dump files created. > ->Don’t try to verify all the drivers at one time. This can degrade performance and make the system unusable. This also limits the effectiveness of the tool. +> Don't try to verify all the drivers at one time. This action can degrade performance and make the system unusable. It also limits the effectiveness of the tool. Use the following guidelines when you use Driver Verifier: -- Test any “suspicious” drivers (drivers that were recently updated or that are known to be problematic). +- Test any "suspicious" drivers. For example, drivers that were recently updated or that are known to be problematic. 
- If you continue to experience non-analyzable crashes, try enabling verification on all third-party and unsigned drivers. -- Enable concurrent verification on groups of 10–20 drivers. +- Enable concurrent verification on groups of 10-20 drivers. - Additionally, if the computer can't boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This solution is because the tool can't run in Safe mode. For more information, see [Driver Verifier](/windows-hardware/drivers/devtest/driver-verifier). -## Common Windows Stop errors +## Common Windows stop errors This section doesn't contain a list of all error codes, but since many error codes have the same potential resolutions, your best bet is to follow the steps below to troubleshoot your error. -The following table lists general troubleshooting procedures for common Stop error codes. +The following sections list general troubleshooting procedures for common stop error codes. -Stop error message and code | Mitigation ---- | --- -VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED
                    Stop error code 0x00000141, or 0x00000117 | Contact the vendor of the listed display driver to get an appropriate update for that driver. -DRIVER_IRQL_NOT_LESS_OR_EQUAL
                    Stop error code 0x0000000D1 | Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website.Update an outdated NIC driver. Virtualized VMware systems often run “Intel(R) PRO/1000 MT Network Connection” (e1g6032e.sys). This driver is available at [http://downloadcenter.intel.com](http://downloadcenter.intel.com). Contact the hardware vendor to update the NIC driver for a resolution. For VMware systems, use the VMware integrated NIC driver (types VMXNET or VMXNET2 , VMXNET3 can be used) instead of Intel e1g6032e.sys. -PAGE_FAULT_IN_NONPAGED_AREA
                    Stop error code 0x000000050 | If a driver is identified in the Stop error message, contact the manufacturer for an update.If no updates are available, disable the driver, and monitor the system for stability. Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. Reinstalling the application can fix corrupted registry keys.If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup. -SYSTEM_SERVICE_EXCEPTION
                    Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files). -NTFS_FILE_SYSTEM
                    Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this step, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button. We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem. -KMODE_EXCEPTION_NOT_HANDLED
                    Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.

                    If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To disable the driver, follow these steps:

                    Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option. -DPC_WATCHDOG_VIOLATION
                    Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that doesn't complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for other error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump. -USER_MODE_HEALTH_MONITOR
                    Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
                    This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
                    Event ID: 4870
                    Source: Microsoft-Windows-FailoverClustering
                    Description: User mode health monitoring has detected that the system isn't being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
                    For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). +### VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED + +Stop error code 0x00000141, or 0x00000117 + +Contact the vendor of the listed display driver to get an appropriate update for that driver. + +### DRIVER_IRQL_NOT_LESS_OR_EQUAL + +Stop error code 0x0000000D1 + +Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website. Update an outdated network driver. Virtualized VMware systems often run "Intel(R) PRO/1000 MT Network Connection" (e1g6032e.sys). You can download this driver from the [Intel Download Drivers & Software website](https://downloadcenter.intel.com). Contact the hardware vendor to update the network driver for a resolution. For VMware systems, use the VMware integrated network driver instead of Intel's e1g6032e.sys. For example, use VMware types `VMXNET`, `VMXNET2`, or `VMXNET3`. + +### PAGE_FAULT_IN_NONPAGED_AREA + +Stop error code 0x000000050 + +If a driver is identified in the stop error message, contact the manufacturer for an update. If no updates are available, disable the driver, and monitor the system for stability. Run `chkdsk /f /r` to detect and repair disk errors. Restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. 
Reinstalling the application can fix corrupted registry keys. If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup. + +### SYSTEM_SERVICE_EXCEPTION + +Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. + +Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e). + +### NTFS_FILE_SYSTEM + +Stop error code 0x000000024 + +This stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this step, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button. Update the NTFS file system driver (Ntfs.sys). Apply the latest cumulative updates for the current operating system that's experiencing the problem. + +### KMODE_EXCEPTION_NOT_HANDLED + +Stop error code 0x0000001E + +If a driver is identified in the stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added. + +If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use safe mode to disable the driver in Device Manager. To disable the driver, follow these steps: + +1. 
Go to **Settings > Update & security > Recovery**. +1. Under **Advanced startup**, select **Restart now**. +1. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. +1. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in safe mode. If you intend to use the internet while in safe mode, press **5** or **F5** for the **Safe Mode with Networking** option. + +### DPC_WATCHDOG_VIOLATION + +Stop error code 0x00000133 + +This stop error code is caused by a faulty driver that doesn't complete its work within the allotted time frame in certain conditions. To help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for other error messages that might help identify the device or driver that's causing stop error 0x133. Verify that any new hardware that's installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the `c:\windows\memory.dmp` file into the debugger. Then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump. + +### USER_MODE_HEALTH_MONITOR + +Stop error code 0x0000009E + +This stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Windows restores critical services by restarting or enabling application failover to other servers. 
The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components. + +This stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe. Check the event logs for any storage failures to identify the failing process. Try to update the component or process that's indicated in the event logs. You should see the following event recorded: + +- Event ID: 4870 +- Source: Microsoft-Windows-FailoverClustering +- Description: User mode health monitoring has detected that the system isn't being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID '%1', for '%2' seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang. + +For more information, see ["0x0000009E" Stop error on cluster nodes in a Windows Server-based multi-node failover cluster environment](https://support.microsoft.com/topic/-0x0000009e-stop-error-on-cluster-nodes-in-a-windows-server-based-multi-node-failover-cluster-environment-7e0acceb-b498-47f8-e004-96de6e497cba) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). ## Debugging examples ### Example 1 -This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** tells you the faulting driver, but since this driver is Microsoft driver it can't be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again. +This bug check is caused by a driver hang during upgrade, resulting in a bug check D1 in NDIS.sys, which is a Microsoft driver. The **IMAGE_NAME** tells you the faulting driver, but since this driver is s Microsoft driver, it can't be replaced or removed. 
The resolution method is to disable the network device in device manager and try the upgrade again. ```console 2: kd> !analyze -v @@ -431,7 +469,7 @@ Followup: ndiscore ### Example 2 -In this example, a non-Microsoft driver caused page fault, so we don’t have symbols for this driver. However, looking at **IMAGE_NAME** and or **MODULE_NAME** indicates it’s **WwanUsbMP.sys** that caused the issue. Disconnecting the device and retrying the upgrade is a possible solution. +In this example, a non-Microsoft driver caused page fault, so we don't have symbols for this driver. However, looking at **IMAGE_NAME** and or **MODULE_NAME** indicates it's **WwanUsbMP.sys** that caused the issue. Disconnecting the device and retrying the upgrade is a possible solution. ```console 1: kd> !analyze -v @@ -607,4 +645,4 @@ ReadVirtual: 812d1248 not properly sign extended ## References -[Bug Check Code Reference](/windows-hardware/drivers/debugger/bug-check-code-reference2) +[Bug check code reference](/windows-hardware/drivers/debugger/bug-check-code-reference2) diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md index b5ef8d16f6..ed7f973fef 100644 --- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -101,7 +101,7 @@ You should open up a range of ports above port 5000. Port numbers below 5000 may >Description: >The Netlogon service could not add the AuthZ RPC interface. The service was terminated. The following error occurred: 'The parameter is incorrect.' -If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](https://blogs.technet.microsoft.com/askds/2012/01/24/rpc-over-itpro/). +If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/rpc-over-it-pro/ba-p/399898). ## Troubleshooting RPC error 
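Review bot: several of the new `###` stop-error headings carry forward errors that should be fixed while the table is being converted. `+Stop error code 0x0000000D1`, `+Stop error code 0x000000050` and `+Stop error code 0x000000024` are padded to nine hex digits, unlike the eight-digit codes used for the other entries (0x00000141, 0x0000001E, 0x00000133, 0x0000009E); they should be 0x000000D1, 0x00000050 and 0x00000024. The heading `+### SYSTEM_SERVICE_EXCEPTION` sits over `+Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly...`; 0xC000021A is STATUS_SYSTEM_PROCESS_TERMINATED, while SYSTEM_SERVICE_EXCEPTION is bug check 0x3B, so the heading should name the code actually described. In the Driver Verifier paragraph, `+If the tool encounters errors in the execution of driver code, it proactively creates an exception. It can then further examine that part of the code.` changes the subject: the removed text meant the exception lets the person debugging examine that part of the driver code, not that Driver Verifier examines it; suggest `it proactively raises an exception so that part of the code can be examined further.` Under PAGE_FAULT_IN_NONPAGED_AREA, `+Restart the system before the disk scan begins on a system partition.` loses the point of the removed `You must restart the system before the disk scan begins on a system partition.`: `chkdsk /f /r` on the system volume is deferred until the next restart, so something like `On a system partition, the scan runs at the next restart.` is clearer. Finally, Example 1 introduces a typo: `+... since this driver is s Microsoft driver, it can't be replaced or removed.` should be `is a Microsoft driver`.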
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index c5605425da..9820130606 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md 
@@ -1,288 +1,257 @@ --- -title: Advanced troubleshooting for Windows-based computer freeze issues -ms.reviewer: -manager: dansimp +title: Advanced troubleshooting for Windows freezes description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers. Also, you can learn how to diagnose, identify, and fix these issues. ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library +ms.technology: windows ms.topic: troubleshooting -author: dansimp +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: ms.localizationpriority: medium -ms.author: dansimp ms.collection: highpri --- -# Advanced troubleshooting for Windows-based computer freeze issues +# Advanced troubleshooting for Windows freezes -This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues. +This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues. > [!NOTE] -> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. +> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. -## Identify the problem +## Identify the problem -* Which computer is freezing? (Example: The impacted computer is a physical server, virtual server, and so on.) -* What operation was being performed when the freezes occurred? 
(Example: This issue occurs when you shut down GUI, perform one or more operations, and so on.) -* How often do the errors occur? (Example: This issue occurs every night at 7 PM, every day around 7 AM, and so on.) -* On how many computers does this freeze occur? (Example: All computers, only one computer, 10 computers, and so on.) +- Which computer is freezing? For example, the affected computer is a physical server or a virtual server. +- What operation happened when it froze? For example, this issue occurs when you shut down. +- How often do the errors occur? For example, this issue occurs every night at 7 PM. +- On how many computers does this freeze occur? For example, all computers or only one computer. -## Troubleshoot the freeze issues +## Troubleshoot the freeze issues -To troubleshoot the freeze issues, check the current status of your computer, and follow one of the following methods. +To troubleshoot the freeze issues, check the current status of your computer, and follow one of the following methods. -### For the computer that's still running in a frozen state +### For the computer that's still running in a frozen state -If the physical computer or the virtual machine is still freezing, use one or more of the following methods for troubleshooting: +If the physical computer or the virtual machine is still freezing, use one or more of the following methods for troubleshooting: -* Try to access the computer through Remote Desktop, Citrix, and so on. -* Use the domain account or local administrator account to sign in to the computer by using one of the Remote Physical Console Access features, such as Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA). -* Test ping to the computer. Packet dropping and high network latency may be observed. -* Access administrative shares (\\\\**ServerName**\\c$). -* Press Ctrl + Alt + Delete command and check response. 
-* Try to use Remote Admin tools such as Computer Management, remote Server Manager, and Wmimgmt.msc. +- Try to access the computer through a remote desktop connection. +- Use a domain account or local administrator account to sign in to the computer with the hardware manufacturer's remote access solution. For example, Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA). +- Test ping to the computer. Look for dropped packets and high network latency. +- Access administrative shares, for example `\\ServerName\c$`. +- Press **Ctrl** + **Alt** + **Delete** and check the response. +- Try to use Windows remote administration tools. For example, Computer Management, Server Manager, and Wmimgmt.msc. -### For the computer that is no longer frozen +### For the computer that's no longer frozen -If the physical computer or virtual machine froze but is now running in a good state, use one or more of the following methods for troubleshooting. +If the physical computer or virtual machine froze, but is now running in a good state, use one or more of the following methods for troubleshooting. -#### For a physical computer +#### For a physical computer -* Review the System and Application logs from the computer that is having the issue. Check the event logs for the relevant Event ID: +- Review the System and Application logs from the computer that's having the issue. 
Check the event logs for the relevant Event ID: - - Application event log: Application Error (suggesting Crash or relevant System Process) - - System Event logs, Service Control Manager Error event IDs for Critical System Services - - Error Event IDs 2019/2020 with source Srv/Server + - Application event log: Application Error, which suggests a crash or relevant system process + - System Event logs, Service Control Manager Error event IDs for critical system services + - Error Event IDs 2019/2020 with source Srv/Server -* Generate a System Diagnostics report by running the perfmon /report command. +- Generate a System Diagnostics report by running `perfmon /report`. -#### For a virtual machine +#### For a virtual machine -* Review the System and Application logs from the computer that is having the issue. -* Generate a System Diagnostics report by running the perfmon /report command. -* Check history in virtual management monitoring tools. +- Review the System and Application logs from the computer that is having the issue. +- Generate a System Diagnostics report by running `perfmon /report`. +- Check the system's history in virtual management monitoring tools. +## Collect data for the freeze issues -## Collect data for the freeze issues +To collect data for a server freeze, check the following table, and use one or more of the suggested methods. -To collect data for a server freeze, check the following table, and use one or more of the suggested methods. +|Computer type and state |Data collection method | +|-------------------------|--------------------| +|A physical computer that's running in a frozen state|[Use a memory dump file to collect data](#use-memory-dump-to-collect-data-for-the-physical-computer-thats-running-in-a-frozen-state). Or use method 2, 3, or 4. These methods are listed later in this section.| +|A physical computer that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section. 
And [use Pool Monitor to collect data](#use-pool-monitor-to-collect-data-for-the-physical-computer-that-is-no-longer-frozen).| +|A virtual machine that's running in a frozen state|Hyper-V or VMware: [Use a memory dump file to collect data for the virtual machine that's running in a frozen state](#use-memory-dump-to-collect-data-for-the-virtual-machine-thats-running-in-a-frozen-state).
                    XenServer: Use method 1, 2, 3, or 4. These methods are listed later in this section.| +|A virtual machine that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section.| -|Computer type and state |Data collection method | -|-------------------------|--------------------| -|A physical computer that's running in a frozen state|[Use a memory dump file to collect data](#use-memory-dump-to-collect-data-for-the-physical-computer-thats-running-in-a-frozen-state). Or use method 2, 3, or 4. These methods are listed later in this section.| -|A physical computer that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section. And [use Pool Monitor to collect data](#use-pool-monitor-to-collect-data-for-the-physical-computer-that-is-no-longer-frozen).| -|A virtual machine that's running in a frozen state|Hyper-V or VMware: [Use a memory dump file to collect data for the virtual machine that's running in a frozen state](#use-memory-dump-to-collect-data-for-the-virtual-machine-thats-running-in-a-frozen-state).
                    XenServer: Use method 1, 2, 3, or 4. These methods are listed later in this section.| -|A virtual machine that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section.| +### Method 1: Memory dump +> [!IMPORTANT] +> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692) in case problems occur. -### Method 1: Memory dump +A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected. + +If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump. > [!NOTE] -> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. +> If you have a restart feature that's enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process. -A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. 
A complete memory dump file may contain data from processes that were running when the memory dump file was collected. +1. Make sure that the computer is set up to get a complete memory dump file. -If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump. + 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter. -> [!NOTE] -> If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process. + 1. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**. Select **Change** to check or change the virtual memory. + 1. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**. -1. Ensure that the computer is set up to get a complete memory dump file. To do this setup, follow these steps: + 1. In the **Write Debugging Information** section, select **Complete Memory Dump**. - 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter. - - 2. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**, and then check or change the virtual memory by clicking **Change**. + 1. Select **Overwrite any existing file**. - 2. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**. + 1. Make sure that there's a paging file (pagefile.sys) on the system drive and that it's at least 100 MB over the installed RAM (Initial and Maximum Size). - 3. 
In the **Write Debugging Information** section, select **Complete Memory Dump**. + 1. Make sure that there's more available space on the system drive than there's physical RAM. - > [!NOTE] - > For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD): - >**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled** +1. To allow the system to generate a dump file by using the keyboard, enable the `CrashOnCtrlScroll` registry value. - 4. Select **Overwrite any existing file**. + 1. Open the Registry Editor, and then locate the following registry keys: - 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size). + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` - Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008). + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` - 6. Make sure that there's more available space on the system drive than there's physical RAM. + 1. Create the following `CrashOnCtrlScroll` registry entry in the two registry keys: -2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this enablement, follow these steps: + - **Value Name**: `CrashOnCtrlScroll` + - **Data Type**: `REG_DWORD` + - **Value**: `1` - 1. Go to Registry Editor, and then locate the following registry keys: + 1. Close the Registry Editor and restart the computer. - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` +1. 
On some physical computers running earlier versions of Windows, you may generate a nonmakeable interruption (NMI) from a web interface feature such as DRAC, iLo, or RSA. However, by default, this setting will stop the system without creating a memory dump. - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` + > [!NOTE] + > For currently supported versions of Windows, the `NMICrashDump` registry key is no longer required. An NMI causes a [Stop error that follows a memory dump data collection](/troubleshoot/windows-client/performance/nmi-hardware-failure-error). - 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: +1. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file. - - **Value Name**: `CrashOnCtrlScroll` - - **Data Type**: `REG_DWORD` - - **Value**: `1` - - 3. Exit Registry Editor. + > [!NOTE] + > By default, the dump file is located in the following path: `%SystemRoot%\MEMORY.DMP` - 4. Restart the computer. +### Method 2: Data sanity check -3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump. - - To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. - - > [!NOTE] - > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. 
For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](/troubleshoot/windows-client/performance/nmi-hardware-failure-error). - -4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file. - - > [!NOTE] - > By default, the dump file is located in the following path:
                    - > %SystemRoot%\MEMORY.DMP - - -### Method 2: Data sanity check - -Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files aren't corrupted or invalid. +Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file. It can also verify that the file was created correctly and isn't corrupted or invalid. - [Using DumpChk](/windows-hardware/drivers/debugger/dumpchk) -- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) +- [Download DumpChk](https://developer.microsoft.com/windows/downloads/windows-10-sdk) -Learn how to use Dumpchk.exe to check your dump files: +Learn how to use Dumpchk.exe to check your dump files: -> [!video https://www.youtube-nocookie.com/embed/xN7tOfgNKag] +> [!VIDEO https://www.youtube.com/embed/xN7tOfgNKag] +### Method 3: Performance Monitor -### Method 3: Performance Monitor +You can use Windows Performance Monitor to examine how programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. To create performance counter and event trace log collections on local and remote systems, run the following commands in a command prompt as administrator: -You can use Windows Performance Monitor to examine how programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. 
To create performance counter and event trace log collections on local and remote systems, run the following commands in a command prompt as administrator: +```command +Logman create counter LOGNAME_Long -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:05:00 +``` -```console -Logman create counter LOGNAME_Long -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:05:00 -``` +```command +Logman create counter LOGNAME_Short -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:00:10 +``` -```console -Logman create counter LOGNAME_Short -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" 
"\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:00:10 -``` +Then, you can start or stop the log by running the following commands: -Then, you can start or stop the log by running the following commands: +```command +logman start LOGNAME_Long / LOGNAME_Short +logman stop LOGNAME_Long / LOGNAME_Short +``` -```console -logman start LOGNAME_Long / LOGNAME_Short -logman stop LOGNAME_Long / LOGNAME_Short -``` +The Performance Monitor log is located in the path: `C:\PERFLOGS` -The Performance Monitor log is located in the path: C:\PERFLOGS +### Other methods to collect data -### Method 4: Microsoft Support Diagnostics - -1. In the search box of the [Microsoft Support Diagnostics Self-Help Portal](https://home.diagnostics.support.microsoft.com/selfhelp), type Windows Performance Diagnostic. - -2. In the search results, select **Windows Performance Diagnostic**, and then click **Create**. - -3. Follow the steps of the diagnostic. - - -### Additional methods to collect data - -#### Use memory dump to collect data for the physical computer that's running in a frozen state +#### Use memory dump to collect data for the physical computer that's running in a frozen state > [!WARNING] -> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. +> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692) in case problems occur. 
-If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump: +If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump: +1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. -1. Ensure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this setup, follow these steps: - > [!NOTE] - > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. + > [!NOTE] + > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. - 1. Try to access the desktop of the computer by any means. - - > [!NOTE] - > In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured. - - 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings: - - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` - - Make sure that the [CrashDumpEnabled](/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. 
- - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump` - - On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management capabilities (such as DRAC, iLo, and RSA). - - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles` - - If the value of the **Pagefile** registry entry is system managed, the size won't be reflected in the registry (Example value: ?:\pagefile.sys). - - If the page file is customized, the size will be reflected in the registry, such as ‘?:\pagefile.sys 1024 1124’ where 1024 is the initial size and 1124 is the max size. + 1. Try to access the desktop of the computer by any means. > [!NOTE] - > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$). + > In case accessing the OS isn't possible, try to remotely access Registry Editor on the computer. You can then check the type of memory dump file and page file with which the computer is currently configured. - 3. Ensure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. + 1. From a remote computer that's preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the affected computer, and verify the following settings: - 4. Ensure that there's more free space on the hard disk drives of the computer than there's physical RAM. + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` -2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. 
To do this enablement, follow these steps: + Make sure that the [CrashDumpEnabled](/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. - 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the concerned computer and locate the following registry keys: + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump` - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` + On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management provider such as DRAC, iLo, and RSA. - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles` - 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: + If the value of the **Pagefile** registry entry is system-managed, the size won't be reflected in the registry. For example, `?:\pagefile.sys)` - **Value Name**: `CrashOnCtrlScroll` - **Data Type**: `REG_DWORD` - **Value**: `1` + If the page file is customized, the size will be reflected in the registry, such as `?:\pagefile.sys 1024 1124`. In this example, `1024` is the initial size and `1124` is the max size. - 3. Exit Registry Editor. + > [!NOTE] + > If the size isn't reflected in the Registry, try to access an administrative share where the page file is located. For example, `\\ServerName\C$` - 4. Restart the computer. + 1. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. -3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump. 
- > [!NOTE] - > By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP + 1. Make sure that there's more free space on the hard disk drives of the computer than there's physical RAM. -### Use Pool Monitor to collect data for the physical computer that is no longer frozen +1. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. -Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. + 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the affected computer and locate the following registry keys: -Learn [how to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/office/how-to-use-memory-pool-monitor-poolmon-exe-to-troubleshoot-kernel-mode-memory-leaks-4f4a05c2-ef8a-fca4-3ae0-670b940af398). + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` -### Use memory dump to collect data for the virtual machine that's running in a frozen state + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` -Use the one of the following methods for the application on which the virtual machine is running. + 1. Create the following `CrashOnCtrlScroll` registry entry in the two registry keys: -#### Microsoft Hyper-V + **Value Name**: `CrashOnCtrlScroll` + **Data Type**: `REG_DWORD` + **Value**: `1` -If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump. + 1. Close the Registry Editor and restart the computer. 
-To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell: +1. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump. -```powershell + > [!NOTE] + > By default, the dump file is located in the path: `%SystemRoot%\MEMORY.DMP` + +### Use Pool Monitor to collect data for the physical computer that is no longer frozen + +Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. + +For more information, see [How to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/topic/4f4a05c2-ef8a-fca4-3ae0-670b940af398). + +### Use memory dump to collect data for the virtual machine that's running in a frozen state + +Use the one of the following methods for the application on which the virtual machine is running. + +#### Microsoft Hyper-V + +You can also use the built-in NMI feature through a [Debug-VM](/powershell/module/hyper-v/debug-vm) cmdlet to debug and get a memory dump. + +To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell: + +```powershell Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname -``` +``` -> [!NOTE] -> This method is applicable only to Windows 8, Windows Server 2012, and later versions of Windows virtual machines. For the earlier versions of Windows, see methods 1 through 4 that are described earlier in this section. +#### VMware -#### VMware +You can use VMware snapshots or suspend state and extract a memory dump file equivalent to a complete memory dump file. Use VMware's [Checkpoint To Core Tool (vmss2core)](https://flings.vmware.com/vmss2core) to convert both suspend (`.vmss`) and snapshot (`.vmsn`) state files to a dump file. Then analyze the file by using the standard Windows debugging tools. 
-You can use VMware Snapshots or suspend state and extract a memory dump file equivalent to a complete memory dump file. By using [Checkpoint To Core Tool (vmss2core)](https://labs.vmware.com/flings/vmss2core), you can convert both suspend (.vmss) and snapshot (.vmsn) state files to a dump file and then analyze the file by using the standard Windows debugging tools. +#### Citrix XenServer -#### Citrix XenServer +The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination. For more information, see Method 1 of [How to Trigger a Memory Dump from a Windows Virtual Machine Running on XenServer](https://support.citrix.com/article/ctx123177) from Citrix. -The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination that's described in Method 1 and on [the Citrix site](http://support.citrix.com/article/ctx123177). +## Space limitations on the system drive in Windows Server -## Space limitations on the system drive in Windows Server 2008 +On a Windows Server, you may not have enough free disk space to generate a complete memory dump file on the system volume. +There's a second option if the system drive doesn't have sufficient space. You can use the DedicatedDumpFile registry entry. For more information, see [Configure the destination path for a memory dump](/windows-server/administration/server-core/server-core-memory-dump#step-2-configure-the-destination-path-for-a-memory-dump). -On Windows Server 2008, you may not have enough free disk space to generate a complete memory dump file on the system volume. There's a [hotfix](https://support.microsoft.com/help/957517) that allows for the data collection even though there isn't sufficient space on the system drive to store the memory dump file. - -Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. 
To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](/windows/client-management/generate-kernel-or-complete-crash-dump). - -For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx). \ No newline at end of file +For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](/archive/blogs/ntdebugging/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index 2191c4fad4..805a227811 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -22,7 +22,7 @@ Cortana integration is a Preview feature that's available for your test or dev e ![Cortana at work, showing the sales data pulled from Dynamics CRM.](../images/cortana-crm-screen.png) ## Turn on Cortana with Dynamics CRM in your organization -You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](https://go.microsoft.com/fwlink/p/?LinkId=746817)? +You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](/dynamics365/marketing/marketing-preview-features). **To turn on Cortana with Dynamics CRM** 
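Review bot: The data-collection table in the freeze-troubleshooting hunk still tells readers to "Use method 1, 2, 3, or 4" (and "Or use method 2, 3, or 4"), but the same hunk deletes "### Method 4: Microsoft Support Diagnostics" and renames "Additional methods" to "Other methods to collect data", so every "method ... 4" reference now points at nothing; either renumber to "1, 2, or 3" or keep a Method 4. The same rewrite leaves two more orphans: "There's a second option if the system drive doesn't have sufficient space" in the Space limitations section, where the first option (the hotfix) was removed, and "You can also use the built-in NMI feature" under Microsoft Hyper-V, where the sentence it extended was removed.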
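Review bot: In the Method 1 step that begins "On some physical computers running earlier versions of Windows", "nonmakeable interruption (NMI)" is a typo carried over from the removed line; NMI is a non-maskable interrupt. The step also no longer gives the reader anything to do: the removed lines said to set NMICrashDump to 1, and the new step keeps only "by default, this setting will stop the system without creating a memory dump" plus a note that the key is not needed on supported versions. Either drop the step (the "Other methods" section later still covers NMICrashDump for physical servers) or state plainly that on supported Windows an NMI produces a dump without any registry change. Also, "HP Integrated Lights-Out (iLo)" should read iLO.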
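Review bot: In the "Use memory dump to collect data for the physical computer that's running in a frozen state" section, the three lines "**Value Name**: `CrashOnCtrlScroll`", "**Data Type**: `REG_DWORD`" and "**Value**: `1`" lost the "-" list markers that the Method 1 hunk kept, and with no blank line between them they will render as one run-on paragraph; restore the markers. Two smaller slips in the same region: "For example, `?:\pagefile.sys)`" has a stray closing parenthesis inside the code span, and "Use the one of the following methods" should be "Use one of the following methods". On style, the three fences changed from ```console to ```command; `console` is the conventional tag for command prompt samples on this platform, so confirm `command` is a recognized language identifier or the blocks lose highlighting. The video embed also moved from youtube-nocookie.com to youtube.com; the nocookie host is YouTube's privacy-enhanced embed that sets no tracking cookies until the visitor plays the video, so keep it if the [!VIDEO] extension accepts that host.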
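Review bot: Both Method 1 and the frozen-physical-computer section tell the reader to create CrashOnCtrlScroll under `i8042prt\Parameters` and `kbdhid\Parameters`, but neither hunk includes a cleanup step; while the value is `1`, anyone with keyboard access can bugcheck the server with the right Ctrl + Scroll Lock sequence the page describes, so add a final step to delete the entry from both keys and restart once the dump has been collected. Related: the hunk already states that a complete memory dump "may contain data from processes that were running", so one sentence advising the reader to restrict access to `%SystemRoot%\MEMORY.DMP` and to the `\\ServerName\C$` share used to reach it, and to delete the file after it has been handed to support, would make that caveat actionable.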
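Review bot: In the cortana-at-work-crm.md hunk, the replacement link targets `/dynamics365/marketing/marketing-preview-features`, the Dynamics 365 Marketing preview-features page, while the sentence is about turning on Preview features as a CRM administrator. Confirm that page covers the preview-feature switch for the CRM (customer engagement) app; if it does not, link the corresponding customer engagement settings page instead.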
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index dc82e43b86..7ec5869bf1 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -46,7 +46,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) +In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode). + +In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. 
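Review bot: The removed line said "Windows 10 version 1809+", but the new "In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode" reads as 1809 only; write "version 1809 and later" (and the same for 1909 if that is intended). Both new sentences also use identical link text, "Learn how to deploy Microsoft Edge kiosk mode", for two different targets (`/DeployEdge/microsoft-edge-configure-kiosk-mode` and `/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy`), which is confusing for screen-reader users and link checkers; differentiate them, for example "...the new Microsoft Edge kiosk mode" and "...Microsoft Edge Legacy kiosk mode".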
@@ -82,7 +84,8 @@ Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh stat > > 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. > 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). -> 3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). +> 3. Insert the null character string in between each URL +(e.g `www.bing.com` and `www.contoso.com`). > 4. Save the XML file. > 5. Open the project again in Windows Configuration Designer. > 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. @@ -120,8 +123,8 @@ The following table describes the results for different combinations of blocked Blocked URL rule | Block URL exception rule | Result --- | --- | --- -`*` | `contoso.com`
                    `fabrikam.com` | All requests are blocked unless it is to contoso.com, fabrikam.com, or any of their subdomains. -`contoso.com` | `mail.contoso.com`
                    `.contoso.com`
                    `.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. +`*` | `contoso.com`
                    `fabrikam.com` | All requests are blocked unless it is to `contoso.com, fabrikam.com,` or any of their subdomains. +`contoso.com` | `mail.contoso.com`
                    `.contoso.com`
                    `.www.contoso.com` | Block all requests to `contoso.com,` except for the main page and its mail subdomain. `youtube.com` | `youtube.com/watch?v=v1`
                    `youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). The following table gives examples for blocked URLs. @@ -129,11 +132,11 @@ The following table gives examples for blocked URLs. | Entry | Result | |--------------------------|-------------------------------------------------------------------------------| -| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com | +| `contoso.com` | Blocks all requests to contoso.com, `www.contoso.com,` and sub.www.contoso.com | | `https://*` | Blocks all HTTPS requests to any domain. | -| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com | +| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to `www.contoso.com` or `contoso.com` | | `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. | -| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. | +| `.www.contoso.com` | Blocks `www.contoso.com` but not its subdomains. | | `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. | | `*:8080` | Blocks all requests to port 8080. | | `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. | 
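Review bot: In the @@ -82 hunk, the reflowed step 3 splits a blockquoted list item across a line that does not start with ">": "+> 3. Insert the null character string in between each URL" is followed by "+(e.g `www.bing.com` and `www.contoso.com`)." with no quote prefix, so the continuation relies on lazy continuation and may render outside the note; keep it on one ">" line. The rewrite also drops what the example was showing: the removed line placed the two URLs adjacent with the separator between them, whereas "`www.bing.com` and `www.contoso.com`" lists them as two alternatives and no longer shows where the null string goes. "e.g" also needs its period.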
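Review bot: In the @@ -120 hunk, the trailing commas landed inside the code spans: `contoso.com, fabrikam.com,` and `contoso.com,` render the comma in monospace and, in the first row, put two hostnames into a single span. Move the punctuation outside, as in "unless it is to `contoso.com`, `fabrikam.com`, or any of their subdomains" and "Block all requests to `contoso.com`, except for the main page and its mail subdomain". The untouched third row leaves youtube.com bare, so the Result column is now formatted inconsistently.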
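Review bot: The @@ -129 hunk has the same slip: "`www.contoso.com,` and sub.www.contoso.com" carries the comma inside the span, and that row now mixes a bare contoso.com, a code-spanned www.contoso.com and a bare sub.www.contoso.com. If the goal is to stop www.* names from being auto-linked, apply code spans to every hostname in the Result column (the `.contoso.com` and `contoso.com/stuff` rows still have bare names) so the table reads uniformly.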
@@ -155,6 +158,12 @@ You can create your own web browser Windows app by using the WebView class. Lear Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. +## Customize your breakout sequence + +Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common Windows keyboard shortcut. It is recommended that this is set to a non-standard Windows shortcut to prevent disruptions in the kiosk experience. + +There is currently no user interface for customizing the breakout sequence in Windows settings, so it would need to be specified in a provisioning method where an XML format such as MDM is used. + ## App configuration Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index e002ead309..179c44499b 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
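Review bot: In the new "Customize your breakout sequence" section, "specified in a provisioning method where an XML format such as MDM is used" is misleading: MDM is a delivery channel, not an XML format. Say that the sequence is set in the AssignedAccess configuration XML, which can be delivered through an MDM policy or a provisioning package, and link to the kiosk XML sample. The section also never states the `modifiers + keys` format that the kiosk-single-app.md hunk in this same change documents, so either repeat it here or cross-link, and align "ctrl+alt+delete" with the **Ctrl + Alt + Del** spelling used in that file.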
@@ -342,3 +342,8 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a `HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +> [!NOTE] +> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode. + +The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample). diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 7dd54085f1..f6ddb6a2d4 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md 
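Review bot: The added breakout-sequence paragraph in kiosk-single-app.md says the sequence "can be configured to be a different sequence of keys" but never says where: state that it is set in the AssignedAccess configuration XML and that there is no Settings UI for it, as the other file in this change already notes, rather than relying solely on the link to the Edge kiosk XML sample. The new NOTE that "**IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode" sits directly under the registry instruction for *IdleTimeOut*; say explicitly whether any resume timeout applies in that mode, otherwise readers following the registry step will assume the value takes effect.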
@@ -254,16 +254,40 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` +## Microsoft Edge Kiosk XML Sample +```xml + + + + + + + + + + + EdgeKioskUser + + + + +``` + ## Global Profile Sample XML Global Profile is supported on: -- Windows 10 version 2004+ - Windows 11 +- Windows 10, version 2004 and later -Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user. +Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user. -This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in. +This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in. ```xml @@ -642,13 +666,12 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n ## XSD for AssignedAccess configuration XML ->[!NOTE] ->Updated for Windows 10, version 1903+. +> [!NOTE] +> Updated for Windows 10, version 1903 and later. -The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release: +The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release: ```xml - + @@ -670,8 +695,14 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18 + + + + + + @@ -680,7 +711,19 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18 - + + + + + + + + + + + + + @@ -781,6 +824,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18 + 
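Review bot: The new "Microsoft Edge Kiosk XML Sample" has no lead-in sentence, unlike the neighbouring samples ("This sample demonstrates that ..."); since kiosk-single-app.md now links here for the breakout-sequence format, state which element of the sample carries the breakout sequence and that the config applies to the `EdgeKioskUser` account. In the XSD section the hunk edits both the NOTE ("Updated for Windows 10, version 1903 and later.") and the sentence right below it ("The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release") without resolving the contradiction between them; reword one so the reader knows which versions the schema that follows covers.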
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 54a3969108..ef2974bbc5 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -1,18 +1,14 @@ --- -title: Set up a multi-app kiosk on Windows 10 | Microsoft Docs +title: Set up a multi-app kiosk on Windows 10 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 -ms.reviewer: sybruckm -manager: dougeby -keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security +ms.technology: windows author: aczechowski -ms.localizationpriority: medium ms.author: aaroncz -ms.topic: article +manager: dougeby +ms.reviewer: sybruckm +ms.localizationpriority: medium +ms.topic: how-to ms.collection: highpri --- 
@@ -24,8 +20,9 @@ ms.collection: highpri > [!NOTE] > [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] +> The use of multiple monitors isn't supported for multi-app kiosk mode. -A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. +A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. The following table lists changes to multi-app kiosk in recent updates. 
@@ -85,11 +82,11 @@ Let's start by looking at the basic structure of the XML file. - Multiple config sections can be associated to the same profile. -- A profile has no effect if it’s not associated to a config section. +- A profile has no effect if it's not associated to a config section. ![profile = app and config = account.](images/profile-config.png) -You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) +You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) ```xml @@ -120,7 +117,7 @@ You can start your file by pasting the following XML (or any other examples in t There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. +- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode. A lockdown profile section in the XML has the following entries: 
@@ -155,25 +152,25 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can **AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout). -- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). -- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”. +- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of `%variableName%`. For example, `%systemroot%` or `%windir%`. +- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"`. - To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). 
When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: 1. Default rule is to allow all users to launch the signed package apps. -2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. +2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list. - >[!NOTE] - >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. 
+ > [!NOTE] + > You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. > - >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. + > Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. Here are the predefined assigned access AppLocker rules for **desktop apps**: 1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. -2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. -3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list. +2. 
There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration. +3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist. The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. @@ -195,7 +192,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula ##### FileExplorerNamespaceRestrictions -Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune. +Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This behavior can also be set using Microsoft Intune. The following example shows how to allow user access to the Downloads folder in the common file dialog box. 
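Review bot: The double quotes were moved inside the code spans in the Internet Explorer example, so `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"` now render with literal quotation marks that are not part of the path; drop the quotes and keep only the backticks. In the NOTE, the rewritten text still says "this app will not be in the deny list" and in the next sentence "the app will be included in the blocklist", while the rest of the hunk renames "deny list" to "blocklist"; use one term throughout (and "won't" to match the contraction style applied elsewhere in this change).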
@@ -225,13 +222,18 @@ The following example shows how to allow user access to the Downloads folder in ``` -FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerelease for finer granularity and easier use, see in the [Assigned access XML reference.](kiosk-xml.md) for full samples. The changes will allow IT Admin to configure if user can access Downloads folder, Removable drives, or no restriction at all by using certain new elements. Note that FileExplorerNamesapceRestrictions and AllowedNamespace:Downloads are available in namespace https://schemas.microsoft.com/AssignedAccess/201810/config, AllowRemovableDrives and NoRestriction are defined in a new namespace https://schemas.microsoft.com/AssignedAccess/2020/config. -* When FileExplorerNamespaceRestrictions node is not used, or used but left empty, user will not be able to access any folder in common dialog (e.g. Save As in Microsoft Edge browser). +`FileExplorerNamespaceRestriction` has been extended in current Windows 10 Prerelease for finer granularity and easier use. For more information and full samples, see [Assigned access XML reference](kiosk-xml.md). By using new elements, you can configure whether a user can access the Downloads folder or removable drives, or have no restrictions at all. + +> [!NOTE] +> - `FileExplorerNamespaceRestrictions` and `AllowedNamespace:Downloads` are available in namespace `https://schemas.microsoft.com/AssignedAccess/201810/config`. +> - `AllowRemovableDrives` and `NoRestriction` are defined in a new namespace `https://schemas.microsoft.com/AssignedAccess/2020/config`. + +* When `FileExplorerNamespaceRestrictions` node isn't used, or used but left empty, the user won't be able to access any folder in a common dialog. For example, **Save As** in the Microsoft Edge browser. * When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder. -* When AllowRemovableDrives is used, user will be to access removable drives. 
-* When NoRestriction is used, no restriction will be applied to the dialog. -* AllowRemovableDrives and AllowedNamespace:Downloads can be used at the same time. +* When `AllowRemovableDrives` is used, user will be to access removable drives. +* When `NoRestriction` is used, no restriction will be applied to the dialog. +* `AllowRemovableDrives` and `AllowedNamespace:Downloads` can be used at the same time. ##### StartLayout 
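Review bot: "user will be to access removable drives" is missing "able" and was carried over unchanged into the rewritten bullet ("+* When `AllowRemovableDrives` is used, user will be to access removable drives."). The opening sentence uses the singular `FileExplorerNamespaceRestriction` while the NOTE and the bullets use `FileExplorerNamespaceRestrictions`; use the element's actual name in both places. "has been extended in current Windows 10 Prerelease" is stale wording for a published how-to; replace it with the Windows release in which the `2020/config` namespace shipped instead of "current Prerelease".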
@@ -243,10 +245,10 @@ A few things to note here: - The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. - Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. -- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. -- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). +- There are no apps pinned on the taskbar in the multi-app mode, and it's not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. +- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). -This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start. +The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start: ```xml 
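Review bot: The rewritten bullet "When the desktop app doesn’t have a shortcut link on the target device" keeps a curly apostrophe while the rest of this change converts to straight quotes; make it `doesn't`. In the same list, the code span for the taskbar tag ("using the `` tag in a layout modification XML") is empty in both the removed and the added line, so the element name the sentence is about never reaches the reader; fill in the tag name.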
@@ -311,9 +313,9 @@ The following example hides the taskbar: #### Configs -Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. +Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. -The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. +The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in. You can assign: 
@@ -361,7 +363,7 @@ Individual accounts are specified using ``. - Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. -- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider it’s a fixed domain name), then follow with the Azure AD email address, e.g. AzureAD\someone@contoso.onmicrosoft.com. +- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Azure AD email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` >[!WARNING] >Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. 
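Review bot: "**AzureAD** must be provided _as is_, and consider it's a fixed domain name." reads awkwardly after the rewrite and loses the sentence's terminal period. Suggest: "The `AzureAD` prefix is literal; treat it as a fixed domain name and follow it with the account's Azure AD email address, for example `AzureAD\someone@contoso.onmicrosoft.com`." Keeping the prefix in a code span also makes clear it is not a placeholder, which is the mistake the original "AS IS" was guarding against.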
@@ -369,7 +371,7 @@ Individual accounts are specified using ``. Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. >[!NOTE] ->For both domain and Azure AD accounts, it’s not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. +>For both domain and Azure AD accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. ```xml @@ -382,9 +384,9 @@ Before applying the multi-app configuration, make sure the specified user accoun ##### Config for group accounts -Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. +Group accounts are specified using ``. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A won't have the kiosk experience. -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied. +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group won't have the kiosk settings applied. ```xml 
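Review bot: In the NOTE, "it's not required that target account is explicitly added" is missing "the", and "For local accounts, it is required that the account exist" is left uncontracted while the rest of the hunk applies contractions; suggest "For local accounts, the account must exist before you configure it for assigned access." The code spans for the individual-account and group-account elements ("specified using ``") are empty in both the removed and added lines of this hunk and the next, so the element names the sentences refer to are missing; restore them.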
@@ -416,15 +418,16 @@ Group accounts are specified using ``. Nested groups are not supporte -#### [Preview] Global Profile -Global profile is added in Windows 10. There are times when IT Admin wants to everyone who logging into a specific devices are assigned access users, even there is no dedicated profile for that user, or there are times that Assigned Access could not identify a profile for the user and a fallback profile is wished to use. Global Profile is designed for these scenarios. +#### [Preview] Global profile -Usage is demonstrated below, by using the new xml namespace and specify GlobalProfile from that namespace. When GlobalProfile is configured, a non-admin account logs in, if this user does not have designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, global profile will be applied for the user. +Global profile is available in Windows 10. If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user. Alternatively, perhaps Assigned Access couldn't identify a profile for the user and you want to have a fallback profile. Global profile is designed for these scenarios. -Note: -1. GlobalProfile can only be multi-app profile -2. Only one GlobalProfile can be used in one AssignedAccess Configuration Xml -3. GlobalProfile can be used as the only config, or it can be used among with regular user or group Config. +Usage is demonstrated below, by using the new XML namespace and specifying `GlobalProfile` from that namespace. When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, a global profile is applied for the user. + +> [!NOTE] +> 1. `GlobalProfile` can only be a multi-app profile. +> 2. Only one `GlobalProfile` can be used in one `AssignedAccess` configuration XML. +> 3. 
`GlobalProfile` can be used as the only config, or it can be used along with regular user or group config. ```xml 
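Review bot: The rewritten Global profile intro is now a sentence fragment and shifts the meaning: "If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user." has no main clause, and "assigned as an access user" should be "an assigned access user". The usage sentence likewise runs three clauses together: "When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile ...". Suggest: "Use a global profile when you want every non-admin user who signs in to the device to get an assigned access experience even without a dedicated profile, or as a fallback when Assigned Access can't determine a profile for the user. When `GlobalProfile` is configured and a non-admin account signs in without a designated profile, or Assigned Access fails to determine one, the global profile is applied to that user."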
@@ -486,25 +489,25 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`. 2. Choose **Advanced provisioning**. -3. Name your project, and click **Next**. +3. Name your project, and select **Next**. -4. Choose **All Windows desktop editions** and click **Next**. +4. Choose **All Windows desktop editions** and select **Next**. -5. On **New project**, click **Finish**. The workspace for your package opens. +5. On **New project**, select **Finish**. The workspace for your package opens. 6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**. -7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created. +7. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created. ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png) -8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. 
Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. +8. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. -9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. +9. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. 10. On the **File** menu, select **Save.** 
@@ -518,22 +521,22 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. -14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. +14. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. + Optionally, you can select **Browse** to change the default output location. -15. Click **Next**. +15. Select **Next**. -16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +16. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + If you need to cancel the build, select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. 17. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. 
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this action, select **Back** to change the output package name and path, and then select **Next** to start another build. + - If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**. 18. Copy the provisioning package to the root directory of a USB drive. 
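Review bot: Step 18 tells the reader to copy the finished package to the root of a USB drive, but the package built in this hunk can carry the account passwords entered in steps 8 and 9, and the **Enable package signing** option in step 13 is presented as optional. Suggest making the recommendation explicit at step 18: enable signing so the device can verify where the package came from, and treat the USB drive as holding credentials (wipe it once provisioning is done). Minor wording: "Select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**." reads more naturally as "Select **Cancel** to stop the build, close the wizard, and return to the **Customizations Page**."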
@@ -573,16 +576,16 @@ Provisioning packages can be applied to a device during the first-run experience 1. Sign in with an admin account. 2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. ->[!NOTE] ->if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. +> [!NOTE] +> If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. -![add a package option.](images/package.png) +![Add a package option.](images/package.png) ### Use MDM to deploy the multi-app configuration Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. -If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely. +If your device is enrolled with an MDM service that supports applying the assigned access configuration, you can use it to apply the setting remotely. The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. 
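Review bot: The apply step in this hunk has the reader double-click a .ppkg from a network folder or SharePoint site, which applies it with the signed-in admin's rights; it should point back to the **Enable package signing** option from the build steps and tell admins to apply only packages they built themselves or whose signature they can verify. Minor: "Insert the USB drive to a desktop computer" should be "into". The NOTE is right that the account named in the configuration XML must already exist; since the MDM path given below is device-scoped (`./Device/Vendor/MSFT/AssignedAccess/Configuration`), it would help to say the same account requirement applies when the configuration is pushed by MDM.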
@@ -599,23 +602,23 @@ To create a multi-app kiosk that can run mixed reality apps, you must include th ``` -These are in addition to any mixed reality apps that you allow. +These apps are in addition to any mixed reality apps that you allow. -**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user would not have permissions to download and so their setup of the Mixed Reality Portal would fail. +**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user wouldn't have permissions to download and so their setup of the Mixed Reality Portal would fail. After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers. -There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. +There's a difference between the mixed reality experiences for a kiosk user and other users. 
Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. ## Policies set by multi-app kiosk configuration -It is not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. +It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. -When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. +When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will affect other users on the device. -### Group Policy +### Group policy -The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. +The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Azure Active Directory users. | Setting | Value | | --- | --- | 
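Review bot: The heading change from "Group Policy" to "Group policy" in this hunk is inconsistent with the rest of the PR, which keeps "Group Policy" capitalized (the Toast Notification Filter and USB Filter rows in lockdown-features-windows-10.md, for example); pick one form across the change. Also, "It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels" buries the actual instruction; "Don't override the policies that multi-app assigned access enforces through Group Policy or MDM; the mode is tuned to provide a locked-down experience" says the same thing directly.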
@@ -651,7 +654,7 @@ Prevent access to drives from My Computer | Enabled - Restrict all drivers ### MDM policy -Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). +Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system. Setting | Value | System-wide --- | --- | --- diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index 375cd82dcb..36bf667cc7 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -31,7 +31,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be |[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the **SMISettings** category.
                    Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.| |[Application Launcher](/previous-versions/windows/embedded/dn449251(v=winembedded.82)): launch a Universal Windows Platform (UWP) app on sign-on|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.| |[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.
                  • Control over which processes are able to run will now be provided by AppLocker.
                  • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.| -|[Toast Notification Filter](/previous-versions/windows/embedded/dn449360(v=winembedded.82)): suppress toast notifications|Mobile device management (MDM) and Group Policy|Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.
                    Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications**
                    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Allow action center notifications** and a [custom OMA-URI setting](https://go.microsoft.com/fwlink/p/?LinkID=616317) for **AboveLock/AllowActionCenterNotifications**.| +|[Toast Notification Filter](/previous-versions/windows/embedded/dn449360(v=winembedded.82)): suppress toast notifications|Mobile device management (MDM) and Group Policy|Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.
                    Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications**
                    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Allow action center notifications** and a [custom OMA-URI setting](/mem/intune/configuration/custom-settings-windows-10) for **AboveLock/AllowActionCenterNotifications**.| |[Embedded Lockdown Manager](/previous-versions/windows/embedded/dn449279(v=winembedded.82)): configure lockdown features|[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd)|The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.| |[USB Filter](/previous-versions/windows/embedded/dn449350(v=winembedded.82)): restrict USB devices and peripherals on system|MDM and Group Policy|The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

                    Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Device Installation Restrictions**
                    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Removable storage**.| |[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.
                    In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

                    Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.| diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 3e9203b3fa..9147bc6b90 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
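Review bot: The Assigned Access row in this hunk (unchanged context) states that in Windows 10 "Assigned Access no longer affects accounts other than the one being locked down", which contradicts the multi-app kiosk page edited earlier in this PR, whose "Policies set by multi-app kiosk configuration" section says certain policies "are enforced system-wide, and will affect other users on the device" and lists the local policies applied to every non-administrator user. Suggest qualifying this row to single-app assigned access, or adding a pointer to the multi-app section. Separately, the Toast Notification Filter row's new link goes to the generic Intune custom-settings page while still naming the OMA-URI **AboveLock/AllowActionCenterNotifications** without a CSP reference; a link to that policy's entry in the Policy CSP reference would let readers verify the path.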
@@ -66,7 +66,7 @@ Many settings in Windows Configuration Designer will display documentation for t Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). -When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](https://go.microsoft.com/fwlink/p/?LinkID=616316) to deploy settings. Intune documents [a partial list of settings](https://go.microsoft.com/fwlink/p/?LinkID=616317) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](/windows/client-management/mdm/configuration-service-provider-reference) to locate that information. +When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](/mem/intune/configuration/custom-settings-configure) to deploy settings. Intune documents [a partial list of settings](/mem/intune/configuration/custom-settings-windows-10) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](/windows/client-management/mdm/configuration-service-provider-reference) to locate that information. 
### CSPs in Lockdown XML @@ -157,7 +157,6 @@ Here is a list of CSPs supported on Windows 10 Enterprise: - [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp) - [EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp) - [EnterpriseExt CSP](/windows/client-management/mdm/enterpriseext-csp) -- [EnterpriseExtFileSystem CSP](/windows/client-management/mdm/enterpriseextfilessystem-csp) - [EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp) - [FileSystem CSP](/windows/client-management/mdm/filesystem-csp) - [HealthAttestation CSP](/windows/client-management/mdm/healthattestation-csp) diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 8d325e39cc..50a4533c63 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -70,7 +70,7 @@ The XML declaration must specify the XML version 1.0 attribute (<?xml version **Type: String** -UE-V uses the https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag: +UE-V uses the ```https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate``` namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag: `` diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index 3bca49c75a..fa9dda05ab 100644 
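Review bot: The -157 hunk drops the EnterpriseExtFileSystem CSP entry from the supported-CSP list rather than fixing its link, whose slug is misspelled ("enterpriseextfilessystem-csp"); if the CSP is still documented, correcting the slug keeps the list complete, and if the entry was removed on purpose the commit message should say why. In the uev-application-template-schema-reference.md hunk the namespace URL is wrapped in triple backticks inline; single backticks are the convention for inline code (triple backticks denote fenced blocks), and the same applies to the ```www.cpandl.com``` edits elsewhere in this PR.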
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -189,10 +189,6 @@ To distribute a new Notepad template, you would perform these steps: 4. Import the generated CAB file into ConfigMgr using the console or PowerShell Import-CMBaseline. -## Get the UE-V Configuration Pack - -You can download the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2.0](https://www.microsoft.com/download/details.aspx?id=40913) from the Microsoft Download Center. - ## Related topics diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index ae5cd26af9..b2b109d6b6 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -313,7 +313,7 @@ The UE-V settings storage location and settings template catalog support storing - The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is specifically not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see: - - [Information about roaming profiles from the Directory Services team](https://blogs.technet.microsoft.com/askds/tag/roaming-profiles/) + - [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles) - [Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario](/troubleshoot/windows-server/networking/support-policy-for-dfsr-dfsn-deployment) diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index 83493203df..ea4f3d49bd 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md 
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md @@ -62,4 +62,4 @@ You can deploy UE-V settings location template with the following methods: - **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users’ computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md). -- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. For more information, see the guidance provided in the documentation for the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2.0](https://www.microsoft.com/download/details.aspx?id=40913). +- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index 54f74aba1c..ae172dc1c5 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md +++ b/windows/configuration/wcd/wcd-admxingestion.md 
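Review bot: The two UE-V hunks here (uev-configuring-uev-with-system-center-configuration-manager.md and uev-synchronizing-microsoft-office-with-uev.md) remove every reference to the System Center 2012 Configuration Pack, but the surviving Configuration Manager step still tells the reader to "recreate the Template Baseline CAB" and import it, which is what the pack's tooling provided; either replace the link with a current reference or add a sentence saying the pack is no longer available and what to use instead. Also, the rewritten last line of uev-synchronizing-microsoft-office-with-uev.md is committed without a trailing newline ("\ No newline at end of file"); keep the newline.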
@@ -15,21 +15,59 @@ manager: dougeby # ADMXIngestion (Windows Configuration Designer reference) -Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration). +Starting in Windows 10, version 1703, you can import (*ingest*) Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration). - The settings under [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) allow you to set values for policies in the imported ADMX file. - The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported. >[!IMPORTANT] ->Only per-device policies can be set using a provisioning package. +>Only device scope policies (class="Machine" or class="Both") can be set using a provisioning package. ## Applies to -| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Enterprise | | --- | :---: | :---: | :---: | :---: | -| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | | -| [ConfigOperations](#configoperations) | ✔️ | | | | +| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | ✔️ | +| [ConfigOperations](#configoperations) | ✔️ | | | ✔️ | + +## ConfigOperations + +Use **ConfigOperations** to import ADMX policies from an ADMX file. + +1. Enter an app name, and then click **Add**. 
+ + This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Chromium Edge, enter an app name. + + Example, `MSEdgeEfficiencyMode` + +2. Select the app name in the Customizations pane, select a setting type, and then click **Add**. + + The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add. + +3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**. + + The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future. + + Example, `MSEdgeEfficiencyMode` + + >[!NOTE] + >Keeping the AdmxFileUid and AppName the same will help prevent authorizing errors. + +4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions. + + >[!NOTE] + >When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line). + + Example, EfficiencyMode + ```XML + + ``` + +5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one. + + + ## ConfigADMXInstalledPolicy 
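Review bot: In the new ConfigOperations step 3 note, "authorizing errors" should almost certainly be "authoring errors" (the note is about keeping **AdmxFileUid** and the app name in sync when writing the package). Also, the "Applies to" table changes the last column header from "IoT Core" to "IoT Enterprise" and adds checkmarks in it; if the other WCD reference pages keep "IoT Core" in that column, this page is now inconsistent with them, and if the intent is that IoT Core is unsupported while IoT Enterprise is, the commit message should say so.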
@@ -40,59 +78,121 @@ In **ConfigADMXInstalledPolicy**, you provide a policy setting and value for tha 1. Enter an area name, and then click **Add**. The structure of the area name is the following: - `AppName (from ConfigOperations)`~`SettingType`~`category name from ADMX` + `~~` See [Category and policy in ADMX](#category-and-policy-in-admx) for more information. A setting may have multiple levels of category names, as in the following example. - Example: `Office16~Policy~L_MicrosoftOfficemachine~L_Updates` + Example: `MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance` -2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. For example, `L_HideEnableDisableUpdates`. -3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. For example, ``. +2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. -## ConfigOperations + Example, `EfficiencyMode`. -Use **ConfigOperations** to import an ADMX file or policies from an ADMX file. +3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. -1. Enter an app name, and then click **Add**. + Example, ``. - This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Office 16, enter an app name of **Office 16**. -2. Select the app name in the Customizations pane, select a setting type, and then click **Add**. +## Category and policy in ADMX - The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add. - -3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**. 
+The following samples show the ADMX file for Chromium Edge used in the examples in the procedures above. The first sample highlights the category names. - The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future. +```XML + + + + + + +``` + -4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions. +The next sample highlights the specific policy. - >[!NOTE] - >When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line). - -5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one. +```XML + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + - ## Convert multi-line to single line Use the following PowerShell cmdlet to remove carriage returns and line feeds from a multi-line file to create a single-line file that you can paste in **AdmxFileUid**. ```PS -$path="file path" -(Get-Content $admxFile -Raw).Replace("`r`n","") | Set-Content $path -Force +$outputFile = "output.admx" +$inputFile = "input.admx" +(Get-Content $inputFile -Raw).Replace("`r`n","") | Set-Content $outputFile -Force ``` -## Category and policy in ADMX - -The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names. - -![Snippet of ADMX shows category names highlighted.](../images/admx-category.png) - -The next image highlights the specific policy. 
- -![Snipped of ADMX shows policy setting highlighted.](../images/admx-policy.png) - +## Configuration Samples +Example: Edge Efficiency Mode +```XML + + + + {d1ab1e3e-6e6d-4bd5-b35b-34cca18d2e16} + MSEdgeEfficiencyMode + 1.1 + OEM + 0 + + + + + + + + + + <enabled/><data id="EfficiencyMode" value="2"/> + + + + + + + + + <?xml version="1.0" ?><policyDefinitions revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions"> <!--microsoft_edge version: 96.0.1054.62--> <policyNamespaces> <target namespace="Microsoft.Policies.Edge" prefix="microsoft_edge"/> <using namespace="Microsoft.Policies.Windows" prefix="windows"/> </policyNamespaces> <resources minRequiredRevision="1.0"/> <supportedOn> <definitions> <definition displayName="$(string.SUPPORTED_WIN7_V96)" name="SUPPORTED_WIN7_V96"/> </definitions> </supportedOn> <categories> <category displayName="$(string.microsoft_edge)" name="microsoft_edge"/> <category displayName="$(string.Performance_group)" name="Performance"> <parentCategory ref="microsoft_edge"/> </category> </categories> <policies> <policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)"> <parentCategory ref="Performance"/> <supportedOn ref="SUPPORTED_WIN7_V96"/> <elements> <enum id="EfficiencyMode" valueName="EfficiencyMode"> <item displayName="$(string.EfficiencyMode_AlwaysActive)"> <value> <decimal value="0"/> </value> </item> <item displayName="$(string.EfficiencyMode_NeverActive)"> <value> <decimal value="1"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)"> <value> <decimal value="2"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)"> <value> <decimal value="3"/> </value> </item> </enum> </elements> </policy> </policies></policyDefinitions> + + + + + + + + + + +``` ## Related topics 
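Review bot: The PowerShell in "Convert multi-line to single line" only strips CRLF ("`r`n"), so an ADMX file saved with LF line endings (common for files checked out from Git) passes through unchanged and the paste into **AdmxFileUid** fails; replace both sequences instead, for example `(Get-Content $inputFile -Raw) -replace "\r?\n", "" | Set-Content $outputFile -Force`. It also removes the newline without inserting a space, which is only safe because continuation lines in ADMX files are indented; worth one sentence so readers don't strip indentation first. In ConfigADMXInstalledPolicy step 1 the area-name template renders as just `~~` with the placeholder names missing; if those were written as angle-bracket placeholders they need to be escaped or put in backticks, or the renderer drops them as HTML tags, and the empty ```XML block under ConfigOperations step 4 looks like the same problem. Finally, the provisioning-package sample under "Configuration Samples" embeds policy XML tied to a specific Edge build (the `microsoft_edge version: 96.0.1054.62` comment); say that readers must regenerate it from their own ADMX, and add a blank line after the "## Configuration Samples" heading so the example title and fence render.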
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index 0134eabef9..6c94aa8796 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md 
@@ -165,7 +165,7 @@ ImageOnly > MTU > DormancyTimeout1 | Enter the number of milliseconds to wait af ImageOnly > MTU > MTUDataSize | Customize the TCP maximum segment size (MSS) by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes. ImageOnly > MTU > RoamingMTUDataSize | Customize the TCP maximum segment size (MSS) for roaming by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it for roaming by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes. ImageOnly > SuppressNwPSDetach | Configure whether to suppress reporting of network-initiated PS detach (appear attached to OS) until deregistered. -SignalBarMapping Table | You can modify the percentage values used for the signal strength in the status bar per filter. For details, see [Custom percentages for signal strength bars](/windows-hardware/customize/mobile/mcsf/custom-percentages-for-signal-strength-bars). 
+SignalBarMapping Table | You can modify the percentage values used for the signal strength in the status bar per filter. SRVCCAutoToggleWmRil | Configure whether to link SRVCC to VOLTE on/off. @@ -216,7 +216,7 @@ UserEnabled | Select **Yes** to show the user setting if RCS is enabled on the d | AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver. | | DefaultMCC | Set the default mobile country code (MCC). | | Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:

                    - Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)
                    - Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction) | -| Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS](/windows-hardware/customize/mobile/mcsf/add-encoding-extension-tables-for-sms). | +| Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. | | Encodings > OctetEncodingPage | Set the octet (binary) encoding. | | Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding. | | Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding. | diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index 2f6e1ee31b..574f4d2a0d 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md @@ -27,4 +27,4 @@ Set to **True** or **False**. ## Related topics -- [AllJoyn](https://developer.microsoft.com/windows/iot/docs/alljoyn) +- [AllJoyn – Wikipedia](https://wikipedia.org/wiki/AllJoyn) diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index 2e301a1898..d5c45465ba 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md 
@@ -25,7 +25,7 @@ ms.custom: seo-marvel-apr2020 This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365. -[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview. +[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [M365 Enterprise poster](#m365-enterprise-poster) for an overview. For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 7197e67d4e..b007f111f0 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md 
@@ -61,7 +61,7 @@ On **CM01**: ## Add drivers for Windows 10 -This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545). +This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://hp.com/go/clientmanagement). For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index a77e74aa7a..e1650926b3 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
@@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. @@ -359,7 +359,7 @@ On **MDT01**: - Specify Product Key: Do not specify a product key at this time - Full Name: Contoso - Organization: Contoso - - Internet Explorer home page: https://www.contoso.com + - Internet Explorer home page: `https://www.contoso.com` - Admin Password: Do not specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -371,7 +371,7 @@ On **MDT01**: 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: 1. Name: Set DriverGroup001 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 10 x64\\%Manufacturer%\\%Model% + 3. Value: Windows 10 x64\\%Make%\\%Model% 2. Configure the **Inject Drivers** action with the following settings: - Choose a selection profile: Nothing diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index d2fbd1fd5a..9846a41bcf 100644 --- a/windows/deployment/deploy-windows-to-go.md 
+++ b/windows/deployment/deploy-windows-to-go.md @@ -974,9 +974,6 @@ write-output "" "Provisioning script complete." ## Considerations when using different USB keyboard layouts with Windows To Go - -Before provisioning your Windows To Go drive you need to consider if your workspace will boot on a computer with a non-English USB keyboard attached. As described in [KB article 927824](https://go.microsoft.com/fwlink/p/?LinkId=619176) there is a known issue where the plug and play ID causes the keyboard to be incorrectly identified as an English 101 key keyboard. To avoid this problem, you can modify the provisioning script to set the override keyboard parameters. - In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout: ``` diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md index cd25705e12..d2a8c14908 100644 --- a/windows/deployment/do/delivery-optimization-proxy.md +++ b/windows/deployment/do/delivery-optimization-proxy.md @@ -1,6 +1,6 @@ --- title: Using a proxy with Delivery Optimization -manager: laurawi +manager: dansimp description: Settings to use with various proxy configurations to allow Delivery Optimization to work keywords: updates, downloads, network, bandwidth ms.prod: w10 diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index d3311ce5e8..ce7b9f9219 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md 
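Review bot: deleting the whole KB 927824 paragraph in the keyboard-layout hunk removes the only explanation of what the example commands fix. The surviving sentence "In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings." now refers to a problem the reader has never been told about. If the goal is only to drop the dead fwlink, keep the description of the issue without the link, for example: "Before provisioning your Windows To Go drive you need to consider if your workspace will boot on a computer with a non-English USB keyboard attached. There is a known issue where the plug and play ID causes the keyboard to be incorrectly identified as an English 101 key keyboard."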
@@ -190,7 +190,7 @@ Starting in Windows 10, version 1803, specifies the maximum foreground download ### Maximum Background Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. +Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers are not throttled even when this policy is set. ### Percentage of Maximum Download Bandwidth diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 2f0fd3dee0..5408351bda 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
@@ -121,28 +121,74 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** | Key | Value | | --- | --- | | File ID | A GUID that identifies the file being processed | -| Priority | Priority of the download; values are **foreground** or **background** | | FileSize | Size of the file | +| FileSizeInCache | Size of the file in the cache | | TotalBytesDownloaded | The number of bytes from any source downloaded so far | | PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | | BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | | BytesfromHTTP | Total number of bytes received over HTTP | -| DownloadDuration | Total download time in seconds | | Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | +| Priority | Priority of the download; values are **foreground** or **background** | +| BytesFromCacheServer | Total number of bytes received from cache server | +| BytesFromLanPeers | Total number of bytes received from peers found on the LAN | +| BytesFromGroupPeers | Total number of bytes received from peers found in the group | +| BytesFromInternetPeers | Total number of bytes received from internet peers | +| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN | +| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | +| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN | +| DownloadDuration | Total download time in seconds | +| HttpConnectionCount | | +| LanConnectionCount | | +| GroupConnectionCount | | +| InternetConnectionCount | | +| DownloadMode | | +| SourceURL | Http source for the file | +| CacheHost | IP address 
for the cache server | | NumPeers | Indicates the total number of peers returned from the service. | | PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | | ExpireOn | The target expiration date and time for the file. | -| Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | +| IsPinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: -- Number of files downloaded -- Number of files uploaded -- Total bytes downloaded -- Total bytes uploaded -- Average transfer size (download); that is, the number bytes downloaded divided by the number of files -- Average transfer size (upload); the number of bytes uploaded divided by the number of files -- Peer efficiency; same as PercentPeerCaching +| Key | Value | +| --- | --- | +| FilesDownloaded | Number of files downloaded | +| FilesUploaded | Number of files uploaded | +| Files | | +| TotalBytesDownloaded | Total bytes downloaded | +| TotalBytesUploaded | Total bytes uploaded | +| AverageDownloadSize | Average transfer size (download); that is, the number bytes downloaded divided by the number of files | +| AverageUploadSize | Average transfer size (upload); the number of bytes uploaded divided by the number of files | +| DownloadMode | Delivery Optimization Download mode used to deliver file | +| CacheSizeBytes | | +| TotalDiskBytes | | +| AvailableDiskBytes | | +| CpuUsagePct | | +| MemUsageKB | | +| NumberOfPeers | | +| CacheHostConnections | | +| CdnConnections | | +| LanConnections | | +| LinkLocalConnections | | +| GroupConnections | | +| InternetConnections | | +| DownlinkBps | | +| DownlinkUsageBps | | +| UplinkBps | | +| UplinkUsageBps | | +| ForegroundDownloadRatePct | | +| BackgroundDownloadRatePct | | +| UploadRatePct | | +| UplinkUsageBps | | +| 
ForegroundDownloadRatePct | | +| BackgroundDownloadRatePct | | +| UploadRatePct | | +| UploadCount | | +| ForegroundDownloadCount | | +| ForegroundDownloadsPending | | +| BackgroundDownloadCount | | +| BackgroundDownloadsPending | | Using the `-Verbose` option returns additional information: @@ -188,9 +234,9 @@ With no options, this cmdlet returns these data: - total number of files - number of foreground files - minimum file size for it to be cached -- number of eligible files -- number of files with peers -- number of peering files [how different from the above?] +- number of eligible (larger than the minimum size for peering) files +- number of files that found peers +- number of peering files (the number of files that got at least 1 byte from peers) - overall efficiency - efficiency in the peered files diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index 7c437cbf19..7b81a26b48 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md @@ -27,7 +27,7 @@ ms.custom: seo-marvel-mar2020 - Windows Server 2012 - Windows Server 2008 R2 -The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following: +The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides: - Compatibility fixes, compatibility modes, and AppHelp messages that you can use to resolve specific compatibility issues. 
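Review bot: the `Get-DeliveryOptimizationStatus` table in this hunk has a copy-paste error: "+| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN |" repeats the LAN row's description and should refer to internet peers; the three `BytesTo*` rows also say "delivered from peers" although the key names denote bytes sent to peers, so "delivered to peers found on the LAN/in the group/on the internet" matches the keys. In the `Get-DeliveryOptimizationPerfSnap` table, `UplinkUsageBps`, `ForegroundDownloadRatePct`, `BackgroundDownloadRatePct` and `UploadRatePct` are each listed twice; drop the second copies. Finally, a large number of new rows (`HttpConnectionCount`, `DownloadMode`, `CacheSizeBytes`, `TotalDiskBytes`, `CpuUsagePct`, `MemUsageKB`, the `*Connections` and `*Bps` keys, and so on) are added with an empty Value column; either document each key or hold them until a description is available, since an empty cell tells the reader nothing. The typo `setDeliveryOptmizationStatus` is also carried into the new `IsPinned` row.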
@@ -48,4 +48,4 @@ The following flowchart shows the steps for using the Compatibility Administrato |--- |--- | |[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)|This section provides information about using the Compatibility Administrator tool.| |[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)|This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.| -|[Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)|You must deploy your customized database (.Sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. Including, by using a logon script, by using Group Policy, or by performing file copy operations.| +|[Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)|Ensure that you deploy your customized database (.Sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including, by using a logon script, by using Group Policy, or by performing file copy operations.| diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index a0cd7d728f..6ca2e8566d 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md 
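Review bot: the stray comma in "You can deploy your customized database files in several ways, including, by using a logon script" should go ("in several ways, including by using a logon script, ..."). Also, recasting "You must deploy ... before ... are applied" as "Ensure that you deploy ... before ... are applied" turns a statement of fact (the fixes take effect only once the .sdb is deployed) into an instruction that reads oddly; "Your customized database (.sdb) files must be deployed to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied." keeps the meaning.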
@@ -4,7 +4,7 @@ ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c ms.reviewer: manager: dougeby ms.author: aaroncz -description: Learn about deploying your compatibility fixes as part of an application-installation package or through a centralized compatibility-fix database. +description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database. ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: appcompat 
@@ -28,40 +28,43 @@ ms.custom: seo-marvel-mar2020 - Windows Server 2012 - Windows Server 2008 R2 -After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches: +To use fixes in application-compatibility mitigation strategy, define a strategy to manage your custom compatibility-fix database. Typically, you can use one of the two following approaches: - Deploying your compatibility fixes as part of an application-installation package. - Deploying your compatibility fixes through a centralized compatibility-fix database. -Regardless of which approach you decide to use in your organization, Microsoft provides the following general recommendations for improving the management of your custom compatibility-fix databases: +Microsoft provides general recommends the following remedies for improving the management of your custom compatibility-fix databases. -- **Define standards for when you will apply compatibility fixes.** +> [!NOTE] +> These recommendations are not based on irrespective of the approach you decide to use. The following are the general recommendations. - You must define the standards and scenarios for using compatibility fixes, based on your specific business and technology needs. +- **Define standards for when you will apply compatibility fixes** -- **Define standards for your custom compatibility-fix databases.** + Ensure that the standards and scenarios for using compatibility fixes are defined, based on your specific business and technology needs. - You must define how to associate your compatibility fixes to particular applications. For example, you might want to ensure that your compatibility fixes always include a version check, so that a fix will not be applied to newer versions of your applications. 
+- **Define standards for your custom compatibility-fix databases** -- **Define your resources responsible for addressing questions and enforcing your standards.** + Compatibility fixes must include a version check, so that mapping to particular applications becomes easy. Ensure that your compatibility fixes always, so that the fix won't be applied to newer versions of your applications. - You must determine who will be responsible for staying current with the technology and standards related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, you must ensure that someone in your organization stays current with the relevant technology. +- **Define your resources responsible for addressing questions and enforcing your standards** + + Ensure you determine who will be responsible for staying current with the technology and standards that are related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, ensure that someone in your organization stays current with the relevant technology. ## Strategies for Deploying Your Compatibility Fixes -We recommend that you use one of two strategies to deploy your compatibility fixes into your organization. They are: +We recommend the usage of one of the two strategies to deploy your compatibility fixes into your organization. They are: - Deploying your compatibility fixes as part of an application-installation package. - Deploying your compatibility fixes through a centralized compatibility-fix database. -You must determine which method best meets your organization's deployment needs. +Determine which method best meets your organization's deployment needs. ### Deploying Fixes as Part of an Application-Installation Package -One strategy for deploying compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. 
While this is the most straightforward method of deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. +One strategy to deploy compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this method is the most straightforward one for deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications. If the following considerations apply to your organization, you should avoid this strategy and instead consider using a centralized compatibility-fix database, as described in the next section. @@ -71,7 +74,7 @@ If the following considerations apply to your organization, you should avoid thi - **Will you be able to track which applications are installed on which computer?** - You might determine that your initial set of compatibility fixes is not comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the additional issues. If you deployed the initial set by using the application-installation package, you will be required to locate each client computer that is running the application and replace the compatibility fix. + You might determine that your initial set of compatibility fixes isn't comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the other issues. If you deployed the initial set by using the application-installation package, you'll be required to locate each client computer that is running the application and replace the compatibility fix. ### Deploying Fixes Through a Centralized Compatibility-Fix Database 
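Review bot: the rewrite of the recommendations section introduces several grammatical errors and loses one of the original points. "+Microsoft provides general recommends the following remedies" is ungrammatical (suggest "Microsoft provides the following general recommendations"), and the new note "+> These recommendations are not based on irrespective of the approach you decide to use." is garbled; the original meaning was "regardless of which approach you decide to use". In the second bullet, "+ Compatibility fixes must include a version check, so that mapping to particular applications becomes easy. Ensure that your compatibility fixes always, so that the fix won't be applied to newer versions of your applications." contains an unfinished sentence and drops the actual recommendation (define how fixes are associated with particular applications; the version check was only an example). Restoring the original wording of that bullet is the simplest fix.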
@@ -79,23 +82,23 @@ The other recommended strategy for deploying compatibility fixes into your organ This approach tends to work best for organizations that have a well-developed deployment infrastructure in place, with centralized ownership of the process. We recommend that you consider the following before using this approach: -- Does your organization have the tools required to deploy and update a compatibility-fix database for all of the effected computers? +- Does your organization have the tools required to deploy and update a compatibility-fix database for all of the affected computers? If you intend to manage a centralized compatibility-fix database, you must verify that your organization has the required tools to deploy and update all of the affected computers in your organization. - Do you have centralized resources that can manage and update the centralized compatibility-fix database? - You must ensure that you have identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. + Ensure that you've identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers. ### Merging Centralized Compatibility-Fix Databases -If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. This enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows® should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process. 
+If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. This provision enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows® should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process. **To merge your custom-compatibility databases** 1. Verify that your application-compatibility testers are performing their tests on computers with the latest version of your compatibility-fix database. For example, Custom DB1. -2. If the tester determines that an application requires an additional compatibility fix that is not a part of the original compatibility-fix database, he or she must create a new custom compatibility database with all of the required information for that single fix. For example, Custom DB2. +2. If the tester determines that an application requires an extra compatibility fix that isn't a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2. 3. The tester applies the new Custom DB2 information to the application and then tests for both the functionality and integration, to ensure that the compatibility issues are addressed. 
@@ -114,7 +117,7 @@ If you decide to use the centralized compatibility-fix database deployment strat Deploying your custom compatibility-fix database into your organization requires you to perform the following actions: -1. Store your custom compatibility-fix database (.sdb file) in a location that is accessible to all of your organization's computers. +1. Store your custom compatibility-fix database (.sib file) in a location that is accessible to all of your organization's computers. 2. Use the Sdbinst.exe command-line tool to install the custom compatibility-fix database locally. 
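Review bot: ".sdb" to ".sib" in "+1. Store your custom compatibility-fix database (.sib file) in a location ..." is a regression, not a correction: compatibility-fix (shim) databases use the .sdb extension, and the unchanged step 2 in the same hunk still reads "Use the Sdbinst.exe command-line tool to install the custom compatibility-fix database locally." Revert this to .sdb.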
@@ -122,25 +125,25 @@ In order to meet the two requirements above, we recommend that you use one of th - **Using a Windows Installer package and a custom script** - You can package your .sdb file and a custom deployment script into an .msi file, and then deploy the .msi file into your organization. + You can package your .sib file and a custom deployment script into a file with the .msi extension, and then deploy the .msi file into your organization. > [!IMPORTANT] - > You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: + > Ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: >`msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal)` - **Using a network share and a custom script** -You can store your .sdb file on your network share and then call to a script that resides on your specified computers. +You can store the .sib file on your network share, and then call to a script available on your specified computers. > [!IMPORTANT] -> You must ensure that you call the script at a time when it will receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights. +> Ensure that you call the script at a time when it can receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights. 
-### Example Script for an Installation of the .sdb File based on an .msi File +### Example Script for installation of .sib File based on .msi File -The following examples show an installation of a custom compatibility-fix database based on an .msi file. +The following examples show an installation of a custom compatibility-fix database based on a .msi file. ``` 'InstallSDB.vbs @@ -161,7 +164,7 @@ End Function ### Initial Deployment and Updates -Most of your testing of application-compatibility issues will happen prior to the deployment of a new Windows operating system into your environment. As such, a common approach is to include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Then, as you update your compatibility-fix database, you can provide the updates by using one of the two mechanisms described in the "Deploying Your Custom Compatibility Fix Databases" section earlier in this topic. +Application-compatibility is tested, from which issues are reported, even before a new Windows operating system is deployed. To handle these issues, include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Later, update your compatibility-fix database; provide the updates by using one of the two mechanisms that are described in the "Deploying Your Custom Compatibility Fix Databases" section. -## Related topics +## Related articles [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index 8718e0a7bf..f2d306f5bd 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md 
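Review bot: the same .sdb to .sib error appears throughout this hunk: "+ You can package your .sib file and a custom deployment script ...", "+You can store the .sib file on your network share, ..." and the heading "+### Example Script for installation of .sib File based on .msi File", while the example that follows is still named 'InstallSDB.vbs'. Revert all of these to .sdb. "a file with the .msi extension" is also wordier than the original "an .msi file" for no gain.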
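Review bot: the rewritten opening of "Initial Deployment and Updates" no longer says what the original did. "+Application-compatibility is tested, from which issues are reported, even before a new Windows operating system is deployed." is hard to parse, and "+Later, update your compatibility-fix database; provide the updates by using ..." reads as two unrelated commands. The original point was that most compatibility testing happens before the new OS is deployed, so the known fixes belong in the corporate image and later database updates are pushed with one of the two deployment mechanisms; keeping the original sentences, or a light edit such as "Most application-compatibility testing happens before you deploy a new Windows operating system, so include the custom compatibility-fix database ... in your corporate image. As you update the database, deliver the updates by using one of the two mechanisms described ...", preserves that.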
+++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md 
@@ -30,43 +30,43 @@ One of the most important requirements to consider when you plan your Windows To ## Backup and restore -As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. +When you don't save data on the Windows To Go drive, you don't need for a backup and restore solution for Windows To Go. If you're saving data on the drive and aren't using folder redirection and offline files, you should back up all of your data to a network location such as cloud storage or a network share, after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement. -If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). 
+If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). ## BitLocker -We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. +We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) can't be used by BitLocker to protect the drive. 
Instead, you'll be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. **Tip**   -If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) +If the Windows To Go Creator wizard isn't able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) -If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode. +When you use a host computer running Windows 7 that has BitLocker enabled, suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker isn't suspended first, the next boot of the computer is in recovery mode. ## Disk discovery and data leakage -We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. 
This means the drive will not appear in Windows Explorer and an Auto-Play prompt will not be displayed to the user. This reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. +We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive won't appear in Windows Explorer and an Auto-Play prompt won't be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. -To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. 
+To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It's recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)). ## Security certifications for Windows To Go -Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following topics. +Windows to Go is a core capability of Windows when it's deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following articles. 
- [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria) - [FIPS 140 Evaluation](/windows/security/threat-protection/fips-140-validation) -## Related topics +## Related articles [Windows To Go: feature overview](windows-to-go-overview.md) diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index 15827d77de..2936429060 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -32,7 +32,7 @@ You can use Standard User Analyzer (SUA) to test your applications and monitor A You can use SUA in either of the following ways: -- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis. +- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for more analysis. - **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. 
@@ -40,7 +40,7 @@ You can use SUA in either of the following ways: |Topic|Description| |--- |--- | -|[Using the SUA Wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.| +|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.| |[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.| diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index 3a144c9fdf..498a0d4424 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md 
@@ -28,7 +28,7 @@ ms.topic: article - Windows Server 2012 - Windows Server 2008 R2 -You must deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations. +Deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations. After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. @@ -63,12 +63,12 @@ The following table describes the available command-line options. |Option|Description| |--- |--- | |-?|Displays the Help for the Sdbinst.exe tool.

                    For example,
                    `sdbinst.exe -?`| -|-p|Allows SDBs installation with Patches.

                    For example,
                    `sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb`| +|-p|Allows SDBs' installation with Patches.

                    For example,
                    `sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb`| |-q|Does a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).

                    For example,
                    `sdbinst.exe -q`| |-u *filepath*|Does an uninstallation of the specified database.

                    For example,
                    `sdbinst.exe -u C:\example.sdb`| |-g *GUID*|Specifies the customized database to uninstall by a globally unique identifier (GUID).

                    For example,
                    `sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3`| |-n *"name"*|Specifies the customized database to uninstall by file name.

                    For example,
                    `sdbinst.exe -n "My_Database"`| -## Related topics +## Related articles [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 33008f5a3d..408504f26c 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -1,6 +1,6 @@ --- -title: Using the SUA Wizard (Windows 10) -description: The Standard User Analyzer (SUA) Wizard, although it does not offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. +title: Using the SUA wizard (Windows 10) +description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c ms.reviewer: manager: dougeby @@ -15,7 +15,7 @@ ms.date: 04/19/2017 ms.topic: article --- -# Using the SUA Wizard +# Using the SUA wizard **Applies to** 
@@ -27,30 +27,30 @@ ms.topic: article - Windows Server 2012 - Windows Server 2008 R2 -The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions. +The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions. For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md). -## Testing an Application by Using the SUA Wizard +## Testing an Application by Using the SUA wizard -You must install Application Verifier before you can use the SUA Wizard. If Application Verifier is not installed on the computer that is running the SUA Wizard, the SUA Wizard notifies you. You must also install the Microsoft® .NET Framework 3.5 or later before you can use the SUA Wizard. +Install Application Verifier before you can use the SUA wizard. If Application Verifier isn't installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard. -The following flowchart shows the process of using the SUA Wizard. +The following flowchart shows the process of using the SUA wizard. ![act sua wizard flowchart.](images/dep-win8-l-act-suawizardflowchart.jpg) -**To test an application by using the SUA Wizard** +**To test an application by using the SUA wizard** -1. On the computer where the SUA Wizard is installed, log on by using a non-administrator account. +1. On the computer where the SUA wizard is installed, sign in by using a non-administrator account. -2. Run the Standard User Analyzer Wizard. +2. Run the Standard User Analyzer wizard. 3. 
Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application. 4. Click **Launch**. - If you are prompted, elevate your permissions. The SUA Wizard may require elevation of permissions to correctly diagnose the application. + If you're prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application. If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning. @@ -58,11 +58,11 @@ The following flowchart shows the process of using the SUA Wizard. 6. After you finish testing, exit the application. - The SUA Wizard displays a message that asks whether the application ran without any issues. + The SUA wizard displays a message that asks whether the application ran without any issues. 7. Click **No**. - The SUA Wizard shows a list of potential remedies that you might use to fix the application. + The SUA wizard shows a list of potential remedies that you might use to fix the application. 8. Select the fixes that you want to apply, and then click **Launch**. 
@@ -70,15 +70,15 @@ The following flowchart shows the process of using the SUA Wizard. 9. Test the application again, and after you finish testing, exit the application. - The SUA Wizard displays a message that asks whether the application ran without any issues. + The SUA wizard displays a message that asks whether the application ran without any issues. 10. If the application ran correctly, click **Yes**. - The SUA Wizard closes the issue as resolved on the local computer. + The SUA wizard closes the issue as resolved on the local computer. - If the remedies do not fix the issue with the application, click **No** again, and the wizard may offer additional remedies. If the additional remedies do not fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for additional investigation, see [Using the SUA Tool](using-the-sua-tool.md). + If the remedies don't fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies don't fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md). -## Related topics +## Related articles [SUA User's Guide](sua-users-guide.md)   diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index 77cff2e5a0..a1b074a935 100644 --- a/windows/deployment/planning/windows-10-compatibility.md +++ b/windows/deployment/planning/windows-10-compatibility.md 
@@ -27,7 +27,7 @@ Windows 10 will be compatible with most existing PC hardware; most devices runn For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10. -Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Some applications that interface with Windows at a low level, those that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. +Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Those applications that interface with Windows at a low level, those applications that use undocumented APIs, or those that do not follow recommended coding practices could experience issues. Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store. 
@@ -36,13 +36,13 @@ For web apps and sites, modern HTML5-based sites should also have a high degree ## Recommended application testing process -Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to leverage more optimized testing processes, which reflects the higher levels of compatibility that are expected. At a high level: +Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to use more optimized testing processes, which reflect the higher levels of compatibility that are expected. At a high level: -- Identify mission-critical applications and websites, those that are absolutely essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. +- Identify mission-critical applications and websites, those applications and websites that are essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release. 
-- For less critical applications, leverage an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. +- For less critical applications, apply an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines. -## Related topics +## Related articles [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 117d670e45..0662961ade 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml 
@@ -137,7 +137,7 @@ sections: The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include: - Start menu is a launching point for access to apps. - Universal apps now open in windows instead of full screen. - - [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. + - [Multitasking is improved with adjustable Snap](https://blogs.windows.com/windows-insider/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. - Tablet Mode to simplify using Windows with a finger or pen by using touch input. - name: Help and support diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 6bec0bfcd0..bfe6fbc509 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -1,6 +1,6 @@ --- title: Windows 10 infrastructure requirements (Windows 10) -description: Review the specific infrastructure requirements to deploy and manage Windows 10, prior to significant Windows 10 deployments within your organization. +description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization. ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 ms.reviewer: manager: dougeby 
@@ -22,11 +22,11 @@ ms.topic: article - Windows 10 -There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. +There are specific infrastructure requirements that should be in place for the deployment and management of Windows 10. Fulfill these requirements before any Windows 10-related deployments take place. ## High-level requirements -For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. +For initial Windows 10 deployments, and for subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.) 
@@ -72,7 +72,10 @@ Windows Server Update Services (WSUS) requires some additional configuration to WSUS product list with Windows 10 choices -Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939908(v=ws.10)) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.) +Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's update. Consider using “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939908(v=ws.10)) for more information. + +> [!NOTE] +> The usage of "express installation" packages will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS. ## Activation 
@@ -93,9 +96,9 @@ Additionally, new product keys will be needed for all types of volume license ac - For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key. - For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.) -Note that Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. +Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. -## Related topics +## Related articles [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
                    [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
                    diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 41ea0c40ca..468fb48151 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml @@ -21,7 +21,7 @@ summary: | - Windows 10 > [!IMPORTANT] - > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. The following list identifies some commonly asked questions about Windows To Go. @@ -49,13 +49,13 @@ summary: | - [Why isn't my computer booting from USB?](#why-isn-t-my-computer-booting-from-usb-) - - [What happens if I remove my Windows To Go drive while it is running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-is-running-) + - [What happens if I remove my Windows To Go drive while it's running?](#what-happens-if-i-remove-my-windows-to-go-drive-while-it-s-running-) - [Can I use BitLocker to protect my Windows To Go drive?](#can-i-use-bitlocker-to-protect-my-windows-to-go-drive-) - [Why can't I enable BitLocker from Windows To Go Creator?](#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-) - - [What power states does Windows To Go support?](#what-power-states-does-windows-to-go-support-) + - [What power states do Windows To Go support?](#what-power-states-does-windows-to-go-support-) - [Why is hibernation disabled in Windows To Go?](#why-is-hibernation-disabled-in-windows-to-go-) 
@@ -101,7 +101,7 @@ summary: | - [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#my-host-computer-running-windows-7-is-protected-by-bitlocker-drive-encryption--why-did-i-need-to-use-the-recovery-key-to-unlock-and-reboot-my-host-computer-after-using-windows-to-go-) - - [I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-doesn-t-it-have-a-drive-letter-assigned-and-how-can-i-fix-it-) + - [I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it?](#i-decided-to-stop-using-a-drive-for-windows-to-go-and-reformatted-it---why-it-doesn-t-have-a-drive-letter-assigned-and-how-can-i-fix-it-) - [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#why-do-i-keep-on-getting-the-message--installing-devices---when-i-boot-windows-to-go-) @@ -119,7 +119,7 @@ sections: - question: | Does Windows To Go rely on virtualization? answer: | - No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. + No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It's just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. - question: | Who should use Windows To Go? 
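Review bot: the rewritten entry in the @@ -101,7 hunk, "why it doesn't have a drive letter assigned", is not a question form; the original "why doesn't it have a drive letter assigned" was correct. The anchor slug in this hunk and the matching question heading in the @@ -404,41 hunk were changed the same way, so all three need to be reverted together or the in-page link breaks. Suggest keeping "– why doesn't it have a drive letter assigned and how can I fix it?" with the original `...-why-doesn-t-it-have-a-drive-letter-assigned-...` slug.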
@@ -137,7 +137,7 @@ sections: - A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys - You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. + You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you're creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. - question: | Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? @@ -152,7 +152,7 @@ sections: - question: | How do I identify a USB 3.0 port? answer: | - USB 3.0 ports are usually marked blue or carry a SS marking on the side. + USB 3.0 ports are usually marked blue or carry an SS marking on the side. - question: | Does Windows To Go run faster on a USB 3.0 port? 
@@ -190,7 +190,7 @@ sections: If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. - To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you do not know which key to use to enter firmware setup.) + To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you don't know which key to use to enter firmware setup.) After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. 
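Review bot: the unchanged context line that opens the @@ -190,7 hunk is missing its subject: "If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually." Since the paragraph right below it is being touched anyway, suggest "..., you need to configure the computer to boot from USB manually." while here.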
@@ -212,14 +212,14 @@ sections: 2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. - 3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. + 3. If the computer isn't booting from a USB 3.0 port, try to boot from a USB 2.0 port. If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. - question: | - What happens if I remove my Windows To Go drive while it is running? + What happens if I remove my Windows To Go drive while it's running? answer: | - If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. + If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive isn't reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. **Warning**   You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. 
@@ -229,28 +229,28 @@ sections: - question: | Can I use BitLocker to protect my Windows To Go drive? answer: | - Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. + Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you'll be prompted to enter this password every time you use the Windows To Go workspace. - question: | Why can't I enable BitLocker from Windows To Go Creator? answer: | - Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. + Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three subfolders for fixed, operating system and removable data drive types. - When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: + When you're using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: 1. 
**Control use of BitLocker on removable drives** - If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. + If this setting is disabled BitLocker can't be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. 2. **Configure use of smart cards on removable data drives** - If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard. + If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you haven't already signed on using your smart card credentials before starting the Windows To Go Creator wizard. 3. **Configure use of passwords for removable data drives** - If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker. + If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection isn't available, the Windows To Go Creator wizard will fail to enable BitLocker. - Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. 
In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. + Additionally, the Windows To Go Creator will disable the BitLocker option if the drive doesn't have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. - question: | What power states does Windows To Go support? 
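Review bot: two wording problems survive in the rewritten lines of the @@ -229,28 hunk. "the use of BitLocker on your organizations computers" needs the possessive ("your organization's computers"), and "Review the following setting to see if these settings apply" mixes singular and plural; suggest "Review the following settings to see if they apply in your situation:". The numbered items that follow also read better with a comma after the condition, e.g. "If this setting is disabled, BitLocker can't be used with removable drives, ...".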
@@ -260,7 +260,7 @@ sections: - question: | Why is hibernation disabled in Windows To Go? answer: | - When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). + When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you're confident that you'll only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). - question: | Does Windows To Go support crash dump analysis? 
@@ -272,7 +272,7 @@ sections: answer: | Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. - If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. + If you have configured a dual boot computer with a Windows operating system and another operating system, it might work occasionally and fail occasionally. Using this configuration is unsupported. - question: | I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not? 
@@ -280,14 +280,14 @@ sections: Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. **Warning**   - It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. + It's strongly recommended that you don't plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. - question: | I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not? answer: | - Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. + Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. 
This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you're booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. **Warning**   It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. 
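Review bot: the contraction pass in the @@ -280,14 hunk is applied to the first **Warning** ("It's strongly recommended that you don't plug ...") but not to the second **Warning**, which is unchanged context in the same hunk and still reads "It is strongly recommended that you do not mount internal hard drives"; it also carries the typo "therefor" (should be "therefore"). The rewritten line "set SAN Policy 4 on Windows To Go drive" is also missing an article ("on the Windows To Go drive"). Suggest fixing all three in this hunk for consistency.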
@@ -322,7 +322,7 @@ sections: - question: | Do I need to activate Windows To Go every time I roam? answer: | - No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. + No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace won't need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. 
This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine won't need to be activated again until the activation validity interval has passed. In a KMS configuration, the activation validity interval is 180 days. - question: | Can I use all Windows features on Windows To Go? 
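Review bot: the rewritten answer in the @@ -322,7 hunk keeps three errors from the original that should be fixed while the line is being rewritten: "on periodic basis" (should be "on a periodic basis"), "a through remote connection" (word order, should be "through a remote connection"), and the comma splice "..., once activated the machine won't need to be activated again" (suggest ending the sentence after the closing parenthesis and starting "Once activated, the machine won't need ...").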
@@ -337,22 +337,22 @@ sections: - question: | Does Windows To Go work slower than standard Windows? answer: | - If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. + If you're using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you're booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. - question: | If I lose my Windows To Go drive, will my data be safe? answer: | - Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. + Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user won't be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. - question: | Can I boot Windows To Go on a Mac? answer: | - We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. + We're committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. 
Because Mac computers aren't certified for use with Windows 7 or later, using Windows To Go isn't supported on a Mac. - question: | Are there any APIs that allow applications to identify a Windows To Go workspace? answer: | - Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. + Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true, it means that the operating system was booted from an external USB device. Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. 
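Review bot: the rewritten line in the @@ -337,22 hunk, "We're committed to give customers a consistent and quality Windows 10 experience", should read "committed to giving customers a consistent, quality Windows 10 experience"; the contraction change is fine, but the verb form was wrong before and is still wrong after.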
@@ -366,17 +366,17 @@ sections: - question: | Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive? answer: | - No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. + No, use of Windows Recovery Environment isn't supported on Windows To Go. It's recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should reprovision the workspace. - question: | Why won't Windows To Go work on a computer running Windows XP or Windows Vista? answer: | - Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. + Actually it might. If you've purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you've configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. 
Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. - question: | Why does the operating system on the host computer matter? answer: | - It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. + It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer can't boot from USB there's no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. - question: | My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? 
@@ -385,17 +385,17 @@ sections: You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: - 1. Log on to the host computer using an account with administrator privileges. + 1. Sign in to the host computer using an account with administrator privileges. 2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. 3. Click **Suspend Protection** for the operating system drive. - A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. + A message is displayed, informing you that your data won't be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. 4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. - 5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) + 5. Restart the computer again and then sign in to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) 6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. 
@@ -404,41 +404,41 @@ sections: The host computer will now be able to be booted from a USB drive without triggering recovery mode. > [!NOTE] - > The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. + > The default BitLocker protection profile in Windows 8 or later doesn't monitor the boot order. - question: | - I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it? + I decided to stop using a drive for Windows To Go and reformatted it – why it doesn't have a drive letter assigned and how can I fix it? answer: | Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: 1. Open a command prompt with full administrator permissions. > [!NOTE] - > If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. + > If your user account is a member of the Administrators group, but isn't the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. 2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt. - 3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available. + 3. Use the `select disk` command to identify the drive. If you don't know the drive number, use the `list` command to display the list of disks available. 4. 
After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. - question: | Why do I keep on getting the message "Installing devices…" when I boot Windows To Go? answer: | - One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. + One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. - In certain cases, third party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. 
Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. + In certain cases, third-party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs that don't support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. - This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. + This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs that require conflicting drivers. - question: | How do I upgrade the operating system on my Windows To Go drive? answer: | - There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. + There's no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be reimaged with a new version of Windows in order to transition to the new operating system version. additionalContent: | 
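Review bot: in the @@ -404,41 hunk the rewritten "Installing devices…" answer still uses the possessive "device ID's" twice where the plural "device IDs" is meant, and the rewritten line "every time that a Windows to Go drive is roamed" lowercases "to" while the product name is "Windows To Go" everywhere else in the file. Both are in + lines, so they should be corrected as part of this change rather than left for a later pass.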
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 3683bb0214..aedd92040e 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -48,7 +48,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op |Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| |Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | |Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
                    - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
                    - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | -|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
                    - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
                    - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) | +|Feedback | - This helps us make adjustments to features as quickly as possible.
                    - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
                    - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) | ## Validate Insider Preview builds Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits: diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index 6659429435..6570e67a7b 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -15,7 +15,7 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 See the Microsoft Endpoint Manager [documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index 833a2b655d..f666a097be 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md 
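Review bot: in the WIP4Biz-intro.md hunk, deleting "Provide feedback via [Feedback Hub app](insiderhub://home/)." leaves the + Feedback row starting with "- This helps us make adjustments to features as quickly as possible.", where "This" no longer refers to anything. Either keep a lead-in without the insiderhub:// scheme, for example "- Provide feedback through the Feedback Hub. This helps us make adjustments to features as quickly as possible.", or drop the orphaned sentence; the remaining bullet that links to https://insider.windows.com/how-to-feedback/ already tells readers where to go.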
@@ -90,6 +90,18 @@ When users start scanning in Windows Update through the Settings panel, the foll - Windows Update uses the thread ID filtering to concentrate on one particular task. ![Windows Update scan log 1.](images/update-scan-log-1.png) + +#### Proxy Behavior +For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs): +- System proxy is attempted (set using the `netsh` command). +- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user). + + > [!Note] + > For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior. + +For WU URLs that _aren't_ used for update detection, such as for download or reporting: +- User proxy is attempted. +- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted. #### Identifies service IDs diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 4c876deaef..363891d8a9 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -1,6 +1,6 @@ --- title: Olympia Corp enrollment guidelines -description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows 10 device or an Azure Active Directory-JOINED Windows 10 device. +description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows client device or an Azure Active Directory-JOINED Windows client device. ms.author: aaroncz ms.topic: article ms.prod: w10 
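Review bot: in the new "Proxy Behavior" section of how-windows-update-works.md, the two protocol references "[MS-WUSP]: SimpleAuth Web Service | Microsoft Docs" and "[MS-WUSP]: Client Web Service | Microsoft Docs" are pasted page titles, not links; turn them into markdown links to the [MS-WUSP] specification pages. The fallback rule "If WUA fails to reach the service due to a certain proxy, service, or authentication error code" leaves readers, and anyone troubleshooting a proxy-related scan failure, guessing which error codes trigger the switch to the other proxy; list them or link to where they are documented. The note for intranet WSUS URLs should name the Windows Update policy it means rather than "an option via Windows Update policy", and "(generally it is the logged-in user)" reads as if the proxy is the user; "the proxy configured for the logged-in user" is clearer.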
@@ -15,17 +15,22 @@ ms.custom: seo-marvel-apr2020 # Olympia Corp +**Applies to** + +- Windows 10 +- Windows 11 + ## What is Windows Insider Lab for Enterprise and Olympia Corp? Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. As an Olympia user, you will have an opportunity to: -- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). -- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. -- Validate and test pre-release software in your environment. -- Provide feedback. -- Interact with engineering team members through a variety of communication channels. +- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. +- Validate and test pre-release software in your environment. +- Provide feedback. +- Interact with engineering team members through a variety of communication channels. >[!Note] >Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. 
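Review bot: in the @@ -15 hunk of olympia-enrollment-guidelines.md, the five bulleted lines under "As an Olympia user, you will have an opportunity to:" are removed and re-added with identical visible text, so the change is presumably trailing whitespace only. That is fine, but it inflates the diff and hides the one substantive addition (the new **Applies to** block), so it is worth calling out as a whitespace cleanup in the commit message.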
@@ -38,17 +43,17 @@ To request an Olympia Corp account, fill out the survey at [https://aka.ms/Regis Welcome to Olympia Corp. Here are the steps needed to enroll. -As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. +As part of Windows Insider Lab for Enterprise, you can upgrade to Windows client Enterprise from Windows client Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows client Enterprise, we recommend you to upgrade. Choose one of the following two enrollment options: - To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. -- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. +- If you are running Windows client Pro, we recommend that you upgrade to Windows client Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. -### Set up an Azure Active Directory-REGISTERED Windows 10 device +### Set up an Azure Active Directory-REGISTERED Windows client device This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. 
See [Set up Azure Active Directory registered Windows 10 devices](/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. 
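Review bot: "we recommend you to upgrade" in the + paragraph of the @@ -38 hunk is ungrammatical; since the sentence is already being rewritten, change it to "we recommend that you upgrade". The same hunk keeps "log onto the device" in one bullet and "log on to the device" in the next; pick one form. The unchanged context line below the heading still says "Set up Azure Active Directory registered Windows 10 devices" after the heading was generalised to "Windows client device", so check whether the link text should follow.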
@@ -56,26 +61,26 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi ![Settings -> Accounts.](images/1-1.png) -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. +2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**. -3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. +3. Select **Connect** and enter your **Olympia corporate account** (for example, username@olympia.windows.com). Select **Next**. ![Entering account information when setting up a work or school account.](images/1-3.png) -4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. +4. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password. > [!NOTE] > Passwords should contain 8-16 characters, including at least one special character or number. ![Update your password.](images/1-4.png) -5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. +5. Read the **Terms and Conditions**. Select **Accept** to participate in the program. 6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. 7. Create a PIN for signing into your Olympia corporate account. -8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. +8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**. 
> [!NOTE] > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). @@ -84,9 +89,9 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi -### Set up Azure Active Directory-JOINED Windows 10 device +### Set up Azure Active Directory-JOINED Windows client device -- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. +- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. > [!NOTE] > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](../../upgrade/windows-10-edition-upgrades.md#upgrade-by-manually-entering-a-product-key). 
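Review bot: step 8 in the @@ -56 hunk now reads "Select on the current Windows Insider account, and select **Change**", a leftover from the mechanical click-to-select replacement; it should be "Select the current Windows Insider account". Step 3 in the same hunk correctly changes "(e.g., username@olympia.windows.com)" to "(for example, ...)", so the JOINED procedure later in the file should get the same treatment.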
@@ -95,36 +100,36 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi ![Settings -> Accounts.](images/1-1.png) -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. +2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**. -3. Click **Connect**, then click **Join this device to Azure Active Directory**. +3. Select **Connect**, then select **Join this device to Azure Active Directory**. ![Joining device to Azure AD.](images/2-3.png) -4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. +4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Select **Next**. ![Set up a work or school account.](images/2-4.png) -5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. +5. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password. > [!NOTE] > Passwords should contain 8-16 characters, including at least one special character or number. ![Entering temporary password.](images/2-5.png) -6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. +6. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**. 7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. 8. Create a PIN for signing into your Olympia corporate account. -9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. +9. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**. 10. Restart your device. -11. 
In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. +11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows client Enterprise. -12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. +12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**. > [!NOTE] > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). @@ -132,4 +137,4 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi 13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. >[!NOTE] -> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. +> Your Windows client Enterprise license won't be renewed if your device isn't connected to Olympia. diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index fb4639ac9b..cbe6e4c8b7 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md 
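Review bot: in the @@ -95 hunk, step 12 has the same "Select on the current Windows Insider account" artifact as step 8 of the REGISTERED procedure; use "Select the current Windows Insider account". Step 4 keeps "(e.g., username@olympia.windows.com)" even though the parallel step in the REGISTERED procedure was changed to "(for example, ...)". Steps 6 and 9 are both modified and read identically ("When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**."); one of them looks like a duplicate and should be removed or reworded rather than carried through the edit.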
@@ -21,7 +21,7 @@ ms.collection: m365initiative-coredeploy Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices. -Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. +Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an extra 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. 
Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly. @@ -41,6 +41,6 @@ This cadence might be most suitable for you if any of these conditions apply: - You want to wait and see how successful other companies are at adopting a Windows 10 feature update. -- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months). +- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get extra servicing for Windows 10 (30 months of servicing compared to 18 months). diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index b9e177429d..f62bf4a4da 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
@@ -56,32 +56,31 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru |Error |Description | |---------|---------| -| 27 | Not system account. | -| 37 | Unexpected exception when collecting logs| | 1 | General unexpected error| | 6 | Invalid CommercialID| -| 48 | CommercialID is not a GUID| | 8 | Couldn't create registry key path to setup CommercialID| | 9 | Couldn't write CommercialID at registry key path| -| 53 | There are conflicting CommercialID values.| | 11 | Unexpected result when setting up CommercialID.| -| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD| -| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.| -| 64 | AllowTelemetry is not of the correct type REG_DWORD.| -| 99 | Device is not Windows 10.| -| 40 | Unexpected exception when checking and setting telemetry.| | 12 | CheckVortexConnectivity failed, check Log output for more information.| | 12 | Unexpected failure when running CheckVortexConnectivity.| -| 66 | Failed to verify UTC connectivity and recent uploads.| -| 67 | Unexpected failure when verifying UTC CSP.| +| 16 | Reboot is pending on device, restart device and restart script.| +| 17 | Unexpected exception in CheckRebootRequired.| +| 27 | Not system account. | +| 30 | Unable to disable Enterprise Auth Proxy. 
This registry value must be 0 for UTC to operate in an authenticated proxy environment.| +| 34 | Unexpected exception when attempting to check Proxy settings.| +| 35 | Unexpected exception when checking User Proxy.| +| 37 | Unexpected exception when collecting logs| +| 40 | Unexpected exception when checking and setting telemetry.| | 41 | Unable to impersonate logged-on user.| | 42 | Unexpected exception when attempting to impersonate logged-on user.| | 43 | Unexpected exception when attempting to impersonate logged-on user.| -| 16 | Reboot is pending on device, restart device and restart script.| -| 17 | Unexpected exception in CheckRebootRequired.| | 44 | Error when running CheckDiagTrack service.| | 45 | DiagTrack.dll not found.| +| 48 | CommercialID is not a GUID| | 50 | DiagTrack service not running.| +| 51 | Unexpected exception when attempting to run Census.exe| +| 52 | Could not find Census.exe| +| 53 | There are conflicting CommercialID values.| | 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| | 55 | Failed to create new registry path for SetDeviceNameOptIn| | 56 | Failed to create property for SetDeviceNameOptIn at registry path| 
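Review bot: the @@ -56 hunk of update-compliance-configuration-script.md re-sorts the error table by code, which makes two pre-existing problems visible: code 12 appears twice with different descriptions ("CheckVortexConnectivity failed, check Log output for more information." and "Unexpected failure when running CheckVortexConnectivity."), and codes 42 and 43 carry the identical description "Unexpected exception when attempting to impersonate logged-on user." Confirm the codes against the script and distinguish the descriptions while the table is being touched, since an operator reading the exit code cannot otherwise tell which check failed.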
@@ -90,15 +89,17 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru | 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.| | 60 | Failed to delete registry key when attempting to clean up OneSettings.| | 61 | Unexpected exception when attempting to clean up OneSettings.| -| 52 | Could not find Census.exe| -| 51 | Unexpected exception when attempting to run Census.exe| -| 34 | Unexpected exception when attempting to check Proxy settings.| -| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| -| 35 | Unexpected exception when checking User Proxy.| +| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD| +| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.| +| 64 | AllowTelemetry is not of the correct type REG_DWORD.| +| 66 | Failed to verify UTC connectivity and recent uploads.| +| 67 | Unexpected failure when verifying UTC CSP.| | 91 | Failed to create new registry path for EnableAllowUCProcessing| | 92 | Failed to create property for EnableAllowUCProcessing at registry path| | 93 | Failed to update value for EnableAllowUCProcessing| | 94 | Unexpected exception in EnableAllowUCProcessing| +| 99 | Device is not Windows 10.| + ## Verify device configuration @@ -132,3 +133,4 @@ In some cases, you may need to manually verify the device configuration has the - If you need to send this data to Microsoft Support, select **Export data**. :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="./media/update-compliance-diagnostic-data-viewer.png" lightbox="./media/update-compliance-diagnostic-data-viewer.png"::: + 
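Review bot: the @@ -90 hunk moves rows without normalising them, so terminal punctuation stays inconsistent across the block ("| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD|" next to "| 64 | AllowTelemetry is not of the correct type REG_DWORD.|", and "| 48 | CommercialID is not a GUID|"); since every one of these rows is being rewritten, end them all the same way. The @@ -132 hunk at the end of the same file only adds a blank line after the :::image::: directive, which reads as an unintended trailing blank line at end of file; drop it unless the renderer needs it.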
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index ab81b9b5e2..6d03b36b95 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -14,6 +14,7 @@ ms.collection: - M365-analytics - highpri ms.topic: article +ms.date: 05/03/2022 --- # Get started with Update Compliance 
@@ -48,6 +49,7 @@ Before you begin the process to add Update Compliance to your Azure subscription - **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). - **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md). - **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). +- **Azure AD device join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022. ## Add Update Compliance to your Azure subscription diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index 37ad4990d7..e90960de49 100644 --- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md 
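Review bot: the new "Azure AD device join" bullet in update-compliance-get-started.md says devices must meet "all prerequisites for enabling Windows diagnostic data processor configuration" without linking to where those prerequisites are listed, unlike the neighbouring bullets, which each link to their detail page; add the link, and consider pointing to the announcement behind the October 15, 2022 enforcement date so readers can verify it. The unchanged context bullet above it has a subject-verb mismatch ("The steps to accomplish this is outlined") that is worth fixing in the same pass.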
@@ -1,5 +1,5 @@ --- -title: Use Windows Update for Business (WUfB) and Windows Server Update Services (WSUS) together +title: Use Windows Update for Business and Windows Server Update Services (WSUS) together description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy. ms.prod: w10 ms.mktglfcycl: manage @@ -23,7 +23,7 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business (WUfB) service. +The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business service. We added the scan source policy starting with the [September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview](https://support.microsoft.com/help/5005101) update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service. diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index e23f09f53f..76ea88816f 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md 
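Review bot: the wufb-wsus.md hunk removes the "(WUfB)" abbreviation from both the title and the first sentence; check that no later occurrence of "WUfB" in the article is now left undefined. The trailing context line of the same hunk reads "it applies to Window 10, version 2004 and above" ("Window" for "Windows"), which is worth correcting while the paragraph is open.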
@@ -241,7 +241,7 @@ When you run Disk Cleanup and enable the option to Clean up system files, you ca To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then click **Yes** to confirm the elevation prompt. Screenshots and other steps to open an elevated command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7). -Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23). +Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/windows/forum/all/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23). If this is too complicated for you, then use File Explorer to create a new folder under C: with a short name such as "new" then copy or move the programs you want to run (like SetupDiag) to this folder using File Explorer. When you open an elevated command prompt, change to this directory by typing "cd c:\new" and now you can run the programs in that folder. 
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index f6a54dca56..736fd59813 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -95,6 +95,6 @@ WIM = Windows image (Microsoft) [Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
                    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
                    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications) +
                    [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
                    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
                    [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors) diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index 2e814dd3c8..a958ea914b 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md 
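Review bot: the troubleshoot-upgrade-errors.md hunk replaces the mangled "Windows-/ifications" URL with the windows-10-specifications path, but the neighbouring entries in the same list still point at technet.microsoft.com and social.technet.microsoft.com, which are legacy hosts; verify that those still resolve rather than fixing only the link that was visibly broken.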
@@ -168,14 +168,14 @@ The default MigUser.xml file does not migrate the following: - ACLS for files in folders outside the user profile. -You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. +You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this provision may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer. > [!NOTE] > Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than 300 file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document. ## Using multiple XML files -You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. 
You can also use custom XML files to supplement these default files with additional migration rules. +You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with more migration rules. |XML migration file|Modifies the following components:| |--- |--- | diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index cf39be9fe4..612bacb671 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -24,7 +24,7 @@ The disk space requirements for a migration are dependent on the size of the mig - [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. -- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. +- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how large the migration store will be on a particular computer. - [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. 
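Review bot: in the understanding-migration-xml-files.md hunk at @@ -168, "this provision may result in a migration that contains more files than intended" misuses "provision"; the original "this" pointed at migrating every file with a given extension regardless of location, so "this approach may result in a migration that contains more files than intended" keeps the reference intact. The rest of the rewording in this hunk (joining the two sentences of the "Using multiple XML files" paragraph, "additional" to "more") reads fine.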
@@ -35,13 +35,13 @@ The disk space requirements for a migration are dependent on the size of the mig - **Source Computer.** The source computer needs enough available space for the following: - - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. + - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. - - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. 
The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. + - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be large is when non-NTFS file systems exist on the system and contain data being migrated. -- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: +- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following components: - [Operating system.](#bkmk-estmigstoresize) 
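Review bot: the stray "E" in the link text "[E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize)" survives into the + line of the usmt-estimate-migration-store-size.md hunk at @@ -35; since that line is being rewritten anyway, drop it so the bullet reads "[250 megabytes (MB) minimum of hard disk space.]". The "Provided that" to "If" change and the "quite large" to "large" change are fine.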
@@ -49,12 +49,12 @@ The disk space requirements for a migration are dependent on the size of the mig - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. + - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. ## Calculate Disk Space Requirements using the ScanState Tool -You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. +You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day-to-day use so it is recommended that you use the calculations as an estimate when planning your migration. **To run the ScanState tool on the source computer with USMT installed,** 
@@ -82,7 +82,7 @@ You can use the ScanState tool to calculate the disk space requirements for a pa The migration store will not be created by running this command, but `StorePath` is a required parameter. -The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). +The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this condition in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md). **Note**   To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. 
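Review bot: in the @@ -82 hunk, "You can specify this condition in a configuration file" mislabels what the reader does; the preceding sentence describes leaving the My Documents folder out of the migration, which is an exclusion, not a condition. Suggest "You can specify this exclusion in a configuration file when you run the ScanState tool."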
@@ -108,7 +108,7 @@ Additionally, USMT performs a compliance check for a required minimum of 250 MB ## Estimate Migration Store Size -Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate these is to survey several computers to arrive at an average for the size of the store that you will need. +Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate the required space is to survey several computers to arrive at an average for the size of the store that you will need. The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization. 
@@ -123,7 +123,7 @@ When trying to determine how much disk space you will need, consider the followi - **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration. -- **User system settings** Five megabytes is usually adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. +- **User system settings** Five megabytes is adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB. ## Related topics diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index b39b3db28d..ccbe76542b 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md 
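Review bot: in the usmt-estimate-migration-store-size.md hunk at @@ -123, dropping "usually" from "Five megabytes is usually adequate space to save the registry settings" turns a typical figure into a firm one, which the very next sentence ("This requirement can fluctuate, however, based on the number of applications that have been installed") contradicts. Keep the hedge, e.g. "Five megabytes is typically adequate space to save the registry settings."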
@@ -16,7 +16,7 @@ ms.topic: article # Hard-Link Migration Store -A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this is why it is best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios. +A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this functionality is what makes *hard-link migration store* best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios. ## In this topic @@ -50,7 +50,7 @@ You can use a hard-link migration store when your planned migration meets both o - You are upgrading the operating system on the same volume of the computer. -You cannot use a hard-link migration store if your planned migration includes any of the following: +You cannot use a hard-link migration store if your planned migration includes any of the following tasks: - You are migrating data from one computer to a second computer. 
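Review bot: in the usmt-hard-link-migration-store.md hunk at @@ -16, the new clause "this functionality is what makes *hard-link migration store* best suited for the computer-refresh scenario" is missing an article and repeats the definition italics from the start of the sentence; suggest "this functionality is what makes a hard-link migration store best suited for the computer-refresh scenario."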
@@ -62,7 +62,7 @@ You cannot use a hard-link migration store if your planned migration includes an The hard-link migration store is created using the command-line option, **/hardlink**, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario. -When you create a hard link, you give an existing file an additional path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These are two paths to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file. +When you create a hard link, you give an existing file one more path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These two paths relate to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file. > [!NOTE] > A hard link can only be created for a file on the same volume. If you copy a hard-link migration store to another drive or external device, the files, and not the links, are copied, as in a non-compressed migration-store scenario. 
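Review bot: in the @@ -62 hunk, "you give an existing file one more path" and "These two paths relate to the same file" both read awkwardly; "you give an existing file a second path" and "Both paths refer to the same file" say the same thing more plainly. While this line is open, note that the example names the link `c:\\hard link\\myFile.txt` twice and `c:\\hardlink\\myFile.txt` once, so the worked example refers to two different paths as if they were one; pick one spelling.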
@@ -76,11 +76,11 @@ As a best practice, we recommend that you delete the hard-link migration store a > [!IMPORTANT] > Using the **/c** option will force the Loadstate tool to continue applying files when non-fatal errors occur. If you use the **/c** option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss. -Keeping the hard-link migration store can result in additional disk space being consumed or problems with some applications for the following reasons: +Keeping the hard-link migration store can result in extra disk space being consumed or problems with some applications for the following reasons: - Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file. -- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up additional disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files. +- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up more disk space. 
You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files. - Editing the file by using different paths simultaneously may result in data corruption. @@ -131,7 +131,7 @@ The drive you specify on the command line for the hard-link migration store is i ### Location Modifications -Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes. +Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This impact is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes. ### Migrating Encrypting File System (EFS) Certificates and Files diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index c95f7f12d8..17bf9873f9 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md 
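Review bot: in the usmt-hard-link-migration-store.md hunk at @@ -131, "This impact is because the migrating data that must cross system volumes cannot remain in the hard-link migration store" is awkward; suggest "The performance cost arises because migrated data that must cross volumes cannot remain in the hard-link migration store and must be copied between volumes." The @@ -76 hunk in the same file only swaps "additional" for "extra" and is fine.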
@@ -17,27 +17,27 @@ ms.topic: article # Identify Operating System Settings -When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following: +When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following parameters: -- **Apperance.** +- **Appearance.** - This includes items such as wallpaper, colors, sounds, and the location of the taskbar. + The appearance factor includes items such as wallpaper, colors, sounds, and the location of the taskbar. - **Action.** - This includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. + The action factor includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it. - **Internet.** - These are the settings that let you connect to the Internet and control how your browser operates. This includes items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. + The Internet factor includes the settings that let you connect to the Internet and control how your browser operates. 
The settings include items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings. - **Mail.** - This includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. + The mail factor includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts. -To help you decide which settings to migrate, you should consider any previous migration experiences as well as the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. +To help you decide which settings to migrate, you should consider any previous migration experiences and the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of. -You should migrate any settings that users need to get their jobs done, those that make the work environment comfortable, and those that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider that users can spend a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. 
+You should migrate any settings that users need to get their jobs done, those settings that make the work environment comfortable, and those settings that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider the factor of users spending a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process. **Note**   For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md). diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md index 269e898fa4..142a94a953 100644 --- a/windows/deployment/usmt/usmt-recognized-environment-variables.md +++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md @@ -86,8 +86,9 @@ You can use these variables within sections in the .xml files with `context=User |**SYSTEM**|Refers to %**WINDIR**%\system32.| |**SYSTEM16**|Refers to %**WINDIR**%\system.| |**SYSTEM32**|Refers to %**WINDIR**%\system32.| +|**SYSTEMDRIVE**|The drive that holds the Windows folder. Note that this is a drive name and not a folder name (`C:` not `C:\`).| |**SYSTEMPROFILE**|Refers to the value in **HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath]**.| -|**SYSTEMROOT**|Refers to the root of the system drive.| +|**SYSTEMROOT**|Same as **WINDIR**.| |**WINDIR**|Refers to the Windows folder located on the system drive.| ## Variables that are recognized only in the user context 
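Review bot: in the usmt-identify-operating-system-settings.md hunk at @@ -17, the four new lead-ins "The appearance factor includes", "The action factor includes", "The Internet factor includes" and "The mail factor includes" introduce the word "factor", which the page does not otherwise use; these are categories of settings, so "Appearance settings include items such as wallpaper, colors, sounds, and the location of the taskbar." (and likewise for the other three) matches the bold bullet headings above each one. In the last paragraph of the hunk, "you should consider the factor of users spending a significant amount of time" has the same problem; "you should consider that users can spend a significant amount of time restoring items such as wallpaper" keeps the original meaning without it.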
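Review bot: the usmt-recognized-environment-variables.md hunk at @@ -86 changes the documented meaning of **SYSTEMROOT** from "Refers to the root of the system drive." to "Same as **WINDIR**.", which per the next row is the Windows folder rather than the drive root. That is a correction of the documentation, not a change in tool behavior, and it is worth a sentence saying so, because any include or exclude rule written on the old description resolves to a different folder than its author intended and should be re-checked against the correct scope. Style point on the new **SYSTEMDRIVE** row: the other rows are phrased "Refers to ...", so "Refers to the drive that holds the Windows folder. This is a drive name, not a folder name (`C:`, not `C:\`)." would match the table.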
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index c4e7bf3368..4a3128adbb 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -48,7 +48,7 @@ Before you run the **ScanState** command, note the following: - Unless otherwise noted, you can use each option only once when running a tool on the command line. -- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any additional configuration. +- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any extra configuration. - The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible. @@ -142,7 +142,7 @@ USMT provides several options that you can use to analyze problems that occur du | **/l:**[*Path*]*FileName* | Specifies the location and name of the ScanState log.

                    You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then the log will be created in the current directory. You can use the **/v** option to adjust the amount of output.

                    If you run the **ScanState** or **LoadState** commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /**l: scan.log** command. | | **/v:***<VerbosityLevel>* | **(Verbosity)**

                    Enables verbose output in the ScanState log file. The default value is 0.

                    You can set the *VerbosityLevel* to one of the following levels:

                    • **0** - Only the default errors and warnings are enabled.
                    • **1** - Enables verbose output.
                    • **4** - Enables error and status output.
                    • **5** - Enables verbose and status output.
                    • **8** - Enables error output to a debugger.
                    • **9** - Enables verbose output to a debugger.
                    • **12** - Enables error and status output to a debugger.
                    • **13** - Enables verbose, status, and debugger output.

                    For example:
                    `scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml`| | /**progress**:[*Path*]*FileName* | Creates the optional progress log. You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* will be created in the current directory.

                    For example:
                    `scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log` | -| **/c** | When this option is specified, the **ScanState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the **ScanState** command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the **/c** option, the **ScanState** command will exit on the first error.

                    You can use the new <**ErrorControl**> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the /**c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /**genconfig** option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. | +| **/c** | When this option is specified, the **ScanState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the **ScanState** command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the **/c** option, the **ScanState** command will exit on the first error.

                    You can use the new <**ErrorControl**> section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This advantage in the Config.xml file enables the /**c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /**genconfig** option now generates a sample <**ErrorControl**> section that is enabled by specifying error messages and desired behaviors in the Config.xml file. | | **/r:***<TimesToRetry>* | **(Retry)**

                    Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

                    While storing the user state, the **/r** option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. | | **/w:***<SecondsBeforeRetry>* | **(Wait)**

                    Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. | | **/p:***<pathToFile>* | When the **ScanState** command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:
                    `Scanstate.exe C:\MigrationLocation [additional parameters]`
                    `/p:"C:\MigrationStoreSize.xml"`

                    For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).

                    To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the **/p** option, without specifying *"pathtoafile"*, in USMT. If you specify only the **/p** option, the storage space estimations are created in the same manner as with USMT3.x releases. | @@ -156,7 +156,7 @@ By default, all users are migrated. The only way to specify which users to inclu |-----|-----| | /**all** | Migrates all of the users on the computer.
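Review bot: in the usmt-scanstate-syntax.md hunk at @@ -142, the rewritten **/c** row says "This advantage in the Config.xml file enables the /**c** command-line option to safely skip all input/output (I/O) errors"; "advantage" is the wrong subject, since what enables the skipping is the <**ErrorControl**> section introduced in the previous sentence. Suggest "This section enables the /**c** command-line option to safely skip all input/output (I/O) errors in your environment." The @@ -48 hunk in the same file only swaps "additional" for "extra" and is fine.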

                    USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /**ue** or /**uel** options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /**all** option, you cannot also use the /**ui**, /**ue** or /**uel** options. | | /**ui**:*<DomainName>*\*<UserName>*
                    or
                    /**ui**:*<ComputerName>*\*<LocalUserName>* | **(User include)**

                    Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /**ue** or /**uel** options. You can specify multiple /**ui** options, but you cannot use the /**ui** option with the /**all** option. *DomainName* and *UserName* can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
                    **Note**
                    If a user is specified for inclusion with the /**ui** option, and also is specified to be excluded with either the /**ue** or /**uel** options, the user will be included in the migration.

                    For example:
                    • To include only User2 from the Fabrikam domain, type:
                      `/ue:*\* /ui:fabrikam\user2`
                    • To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:
                      `/uel:30 /ui:fabrikam\*`
                      In this example, a user account from the Contoso domain that was last modified two months ago will not be migrated.

                    For more examples, see the descriptions of the /**ue** and /**ui** options in this table. | -| /**uel**:*<NumberOfDays>*
                    or
                    /**uel**:*<YYYY/MM/DD>*
                    or
                    **/uel:0** | **(User exclude based on last logon)**

                    Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The /**uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

                    You can specify a number of days or you can specify a date. You cannot use this option with the /**all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged on to another computer, that logon instance is not considered by USMT.
                    **Note**
                    The /**uel** option is not valid in offline migrations.
                    • **/uel:0** migrates any users who are currently logged on.
                    • **/uel:90** migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
                    • **/uel:1** migrates users whose account has been modified within the last 24 hours.
                    • **/uel:2002/1/15** migrates users who have logged on or been modified January 15, 2002 or afterwards.

                    For example:
                    `scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0` | +| /**uel**:*<NumberOfDays>*
                    or
                    /**uel**:*<YYYY/MM/DD>*
                    or
                    **/uel:0** | **(User exclude based on last logon)**

                    Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The /**uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

                    You can specify the number of days or you can specify a date. You cannot use this option with the /**all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has signed in to another computer, that sign-in instance is not considered by USMT.
                    **Note**
                    The /**uel** option is not valid in offline migrations.
                    • **/uel:0** migrates any users who are currently logged on.
                    • **/uel:90** migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.
                    • **/uel:1** migrates users whose account has been modified within the last 24 hours.
                    • **/uel:2002/1/15** migrates users who have logged on or been modified January 15, 2002 or afterwards.

                    For example:
                    `scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0` | | /**ue**:*<DomainName>*\*<UserName>*
                    -or-

                    /**ue**:*<ComputerName>*\*<LocalUserName>* | **(User exclude)**

                    Excludes the specified users from the migration. You can specify multiple /**ue** options. You cannot use this option with the /**all** option. *<DomainName>* and *<UserName>* can contain the asterisk (
                    ) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

                    For example:
                    `scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1` | ## How to Use /ui and /ue @@ -184,7 +184,7 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg |--- |--- | |Include only User2 from the Fabrikam domain and exclude all other users.|`/ue:*\* /ui:fabrikam\user2`| |Include only the local user named User1 and exclude all other users.|`/ue:*\* /ui:user1`| -|Include only the domain users from Contoso, except Contoso\User1.|This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:
                    • On the **ScanState** command line, type: `/ue:*\* /ui:contoso\*`
                    • On the **LoadState** command line, type: `/ue:contoso\user1`
                    | +|Include only the domain users from Contoso, except Contoso\User1.|This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following commands:
                    • On the **ScanState** command line, type: `/ue:*\* /ui:contoso\*`
                    • On the **LoadState** command line, type: `/ue:contoso\user1`
                    | |Include only local (non-domain) users.|`/ue:*\* /ui:%computername%\*`| ## Encrypted File Options diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index 8b5e099da8..fd142dc7ab 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -1,6 +1,6 @@ --- title: XML File Requirements (Windows 10) -description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration urlid. +description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration URL ID. ms.assetid: 4b567b50-c50a-4a4f-8684-151fe3f8275f ms.reviewer: manager: dougeby 
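Review bot: the rewritten /uel cell in the scanstate-syntax hunk mixes terminology: the added line switches to "if a domain user has signed in to another computer, that sign-in instance is not considered by USMT" while the same cell keeps "Migrates the users that logged on to the source computer" and "**/uel:0** migrates any users who are currently logged on". Pick one term for the whole option description; the /uel examples and the rest of the table use "logged on". Separately, the /ui and /ue cells lose the wildcard glyph to Markdown: "can contain the asterisk () wildcard character" renders with empty parentheses. Escape it as (\*) or set it in backticks, as the scenario-proxy hunk later in this patch does with "the asterisk (\*) wildcard".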
@@ -19,20 +19,20 @@ ms.topic: article When creating custom .xml files, note the following requirements: -- **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file: +- **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file: ``` xml ``` -- **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file: +- **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file: ``` xml ``` -- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax: +- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the Config.xml file defines the components by the display name and the migration URL ID. For example, specify the following syntax: ``` xml My Application 
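Review bot: replacing "urlid" with "URL ID" throughout the xml-file-requirements hunk detaches the prose from the literal attribute name the reader has to type; `urlid` is the attribute on the `<migration>` root element of a USMT .xml file, so keep it at least once as code, for example "The file must have a unique migration `urlid` (URL ID)". The rewritten first bullet, "Save the file in this format, and you must specify the following syntax", also mixes an imperative with "you must" in one sentence; "Save the file in this format and start each .xml file with the following syntax" reads cleaner.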
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index c5ba9de758..e47aaec9e7 100644 --- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -1,16 +1,12 @@ --- title: Appendix Information sent to Microsoft during activation (Windows 10) -description: Information sent to Microsoft during activation. +description: Learn about the information sent to Microsoft during activation. ms.reviewer: manager: dougeby ms.author: aaroncz author: aczechowski -keywords: vamt, volume activation, activation, windows activation ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro +ms.technology: windows ms.localizationpriority: medium ms.date: 07/27/2017 ms.topic: article 
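Review bot: the metadata hunk for appendix-information-sent-to-microsoft-during-activation-client.md rewrites the description and swaps the ms.* keys but leaves "ms.date: 07/27/2017" untouched, while the import-export-vamt-data.md hunk in the same patch bumps its date to 05/02/2022 for the same kind of edit. If ms.date is meant to reflect the last review, update it here as well.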
@@ -32,13 +28,13 @@ ms.topic: article When you activate a computer running Windows 10, the following information is sent to Microsoft: -- The Microsoft product code (a five-digit code that identifies the Windows product you are activating) +- The Microsoft product code (a five-digit code that identifies the Windows product you're activating) - A channel ID or site code that identifies how the Windows product was originally obtained For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer. - The date of installation and whether the installation was successful -- Information that helps confirm that your Windows product key has not been altered +- Information that helps confirm that your Windows product key hasn't been altered - Computer make and model - Version information for the operating system and software - Region and language settings @@ -48,7 +44,7 @@ When you activate a computer running Windows 10, the following information is se - Volume serial number (hashed) of the hard disk drive - The result of the activation check - This includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: + This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled: - The activation exploit's identifier - The activation exploit's current state, such as cleaned or quarantined 
@@ -57,12 +53,12 @@ When you activate a computer running Windows 10, the following information is se - The name and a hash of the contents of your computer's startup instructions file - If your Windows license is on a subscription basis, information about how your subscription works -Standard computer information is also sent, but your computer's IP address is only retained temporarily. +Standard computer information is also sent, but your computer's IP address is only kept temporarily. ## Use of information -Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft does not use the information to contact individual consumers. -For additional details, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). +Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft doesn't use the information to contact individual consumers. +For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879). ## See also diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 77552db8bc..1e89cb087d 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md 
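Review bot: "+Standard computer information is also sent, but your computer's IP address is only kept temporarily." weakens a retention statement; "retained" is the term privacy statements use for how long data is held, and this line sits next to the link to the Windows 10 Privacy Statement, so keep "retained temporarily". The contraction edits in the same hunk ("doesn't", "For more information") are fine.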
@@ -1,52 +1,51 @@ --- -title: Import and Export VAMT Data (Windows 10) -description: Learn how to use the Volume Activation Management Tool (VAMT) to import product-activation data from a .cilx or .cil file into SQL Server. -ms.assetid: 09a2c595-1a61-4da6-bd46-4ba8763cfd4f +title: Import and export VAMT data +description: Learn how to use the VAMT to import product-activation data from a file into SQL Server. ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: activation -audience: itpro +ms.technology: windows author: aczechowski -ms.date: 04/25/2017 -ms.topic: article +ms.date: 05/02/2022 +ms.topic: how-to --- -# Import and Export VAMT Data +# Import and export Volume Activation Management Tool data + +You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a computer information list (`.cilx` or `.cil`) file into SQL Server. Also use VAMT to export product-activation data into a `.cilx` file. A `.cilx` file is an XML file that stores computer and product-activation data. -You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a Computer Information List (.cilx or .cil) file into SQL Server, and to export product-activation data into a .cilx file. A .cilx file is an XML file that stores computer and product-activation data. You can import data or export data during the following scenarios: -- Import and merge data from previous versions of VAMT. -- Export data to use to perform proxy activations. +- Import and merge data from previous versions of VAMT. +- Export data to perform proxy activations. -**Warning**   -Editing a .cilx file using an application other than VAMT can corrupt the .cilx file and is not supported. +> [!Warning] +> Editing a `.cilx` file through an application other than VAMT can corrupt the `.cilx` file. This method isn't supported. 
-## Import VAMT Data +## Import VAMT data -**To import data into VAMT** -1. Open VAMT. -2. In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box. -3. In the **Import List** dialog box, navigate to the .cilx file location, select the file, and click **Open**. -4. In the **Volume Activation Management Tool** dialog box, click **OK** to begin the import. VAMT displays a progress message while the file is being imported. Click **OK** when a message appears and confirms that the import has completed successfully. +To import data into VAMT, use the following process: -## Export VAMT Data +1. Open VAMT. +2. In the right-side **Actions** pane, select **Import list** to open the **Import List** dialog box. +3. In the **Import List** dialog box, navigate to the `.cilx` file location, choose the file, and select **Open**. +4. In the **Volume Activation Management Tool** dialog box, select **OK** to begin the import. VAMT displays a progress message while the file is being imported. Select **OK** when a message appears and confirms that the import has completed successfully. -Exporting VAMT data from a non-Internet-connected VAMT host computer is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a .cilx file: -1. In the left-side pane, you can click a product you want to export data for, or click **Products** if the list contains data for all products. -2. If you want to export only part of the data in a product list, in the product list view in the center pane select the products you want to export. -3. In the right-side **Actions** pane on, click **Export list** to open the **Export List** dialog box. -4. In the **Export List** dialog box, click **Browse** to navigate to the .cilx file. -5. Under **Export options**, select one of the following data-type options: - - Export products and product keys - - Export products only - - Export proxy activation data only. 
Selecting this option ensures that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is checked. -6. If you have selected products to export, select the **Export selected product rows only** check box. -7. Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully. +## Export VAMT data -## Related topics +Exporting VAMT data from a VAMT host computer that's not internet-connected is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a `.cilx` file: -- [Perform Proxy Activation](proxy-activation-vamt.md) +1. In the left-side pane, select a product you want to export data for, or select **Products** if the list contains data for all products. +2. If you want to export only part of the data in a product list, in the product-list view in the center pane, select the products you want to export. +3. In the right-side **Actions** pane on, select **Export list** to open the **Export List** dialog box. +4. In the **Export List** dialog box, select **Browse** to navigate to the `.cilx` file. +5. Under **Export options**, select one of the following data-type options: + - Export products and product keys + - Export products only + - Export proxy activation data only. Selecting this option makes sure that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No personally identifiable information (PII) is contained in the exported `.cilx` file when this selection is checked. +6. If you've selected products to export, select the **Export selected product rows only** check box. +7. Select **Save**. VAMT displays a progress message while the data is being exported. 
Select **OK** when a message appears and confirms that the export has completed successfully. + +## Related articles + +[VAMT proxy activation](proxy-activation-vamt.md) diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index e34487ea05..d91aa9b28b 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md 
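Review bot: step 3 of the export procedure still carries the stray word from the old text: "+3. In the right-side **Actions** pane on, select **Export list**" should read "In the right-side **Actions** pane, select **Export list**". Two smaller points in the same hunk: the alert marker "> [!Warning]" should be "> [!WARNING]" to match the "> [!NOTE]" form used in introduction-vamt.md later in this patch, and "This method isn't supported." after the corruption warning has no clear antecedent; "Editing a `.cilx` file with any application other than VAMT isn't supported and can corrupt the file" says it in one sentence.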
@@ -17,7 +17,7 @@ ms.topic: article # Introduction to VAMT -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10,Windows Server 2008 R2, or Windows Server 2012. +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. > [!NOTE] > VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. 
@@ -34,20 +34,20 @@ The Volume Activation Management Tool (VAMT) enables network administrators and You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: - **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is completely isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. +- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. 
The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. ## Managing Key Management Service (KMS) Activation -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 as well as Microsoft Office 2010.\ +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 and Microsoft Office 2010.\ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. ## Enterprise Environment -VAMT is commonly implemented in enterprise environments. 
The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. +VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. ![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg) -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection. +In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have extra firewall protection. The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. ## VAMT User Interface 
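Review bot: "+VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments" mislabels the figure; the image (alt text "VAMT in the enterprise.", images/dep-win8-l-vamt-image001-enterprise.jpg) depicts the Core Network, Secure Zone and Isolated Lab zones rather than a VAMT window, and the scenario-proxy hunk in this patch calls its equivalent "The following diagram shows", so use "diagram" here too. The other edits in the hunk ("isolated" for "completely isolated", "extra firewall protection") are fine.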
@@ -60,7 +60,7 @@ VAMT provides a single, graphical user interface for managing activations, and f - **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. - **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last 5 characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. +- **Monitoring activation status.** You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. - **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. - **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 079bf16e25..a2bcb071f0 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md 
@@ -1,6 +1,6 @@ --- title: Manage Activations (Windows 10) -description: Learn how to manage activations and how to activate a client computer by using a variety of activation methods. +description: Learn how to manage activations and how to activate a client computer by using various activation methods. ms.assetid: 53bad9ed-9430-4f64-a8de-80613870862c ms.reviewer: manager: dougeby 
@@ -17,18 +17,18 @@ ms.topic: article # Manage Activations -This section describes how to activate a client computer, by using a variety of activation methods. +This section describes how to activate a client computer, by using various activation methods. ## In this Section |Topic |Description | |------|------------| |[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. | -|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that do not have Internet access. | -|[Perform KMS Activation](kms-activation-vamt.md) |Describes how perform volume activation using the Key Management Service (KMS). | +|[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that don't have Internet access. | +|[Perform KMS Activation](kms-activation-vamt.md) |Describes how to perform volume activation using the Key Management Service (KMS). | |[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | -|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | -|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | +|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to activate an Active Directory forest, online. | +|[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that isn't connected to the Internet. | 
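Review bot: the rewritten row "+|[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to activate an Active Directory forest, online. |" puts a comma before "online" that reads as an afterthought; "to activate an Active Directory forest online" (no comma), or "to perform online activation of an Active Directory forest" parallel to the next row's "to proxy activate", is clearer.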
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index 1e9d9dfcda..1457e41148 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md 
@@ -17,7 +17,7 @@ ms.topic: article # Scenario 2: Proxy Activation -In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: +In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups that are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario: ![VAMT MAK proxy activation scenario.](images/dep-win8-l-vamt-makproxyactivationscenario.jpg) 
@@ -45,9 +45,9 @@ In this scenario, the Volume Activation Management Tool (VAMT) is used to activa 2. To open the **Discover Products** dialog box, click **Discover products** in the right-side pane. 3. In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query: - To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a". - - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that both IPv4 and IPv6addressing are supported. + - To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Both IPv4 and IPv6addressing are supported. - To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. 
You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a". - - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks. + - To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without extra checks. 4. Click **Search**. The **Finding Computers** window appears and displays the search progress as the computers are located. 
@@ -70,9 +70,9 @@ You can sort the list of products so that it is easier to find the computers tha To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: - To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. -- To select computers which are not listed consecutively, hold down the **Ctrl** ley and select each computer for which you want to collect the status information. +- To select computers that are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. **To collect status information from the selected computers** -- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. +- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to sign in to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. 
- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. **Note** 
@@ -91,9 +91,9 @@ To collect the status from select computers in the database, you can select comp 1. In the left-side pane, in the **Products** node click the product that you want to install keys onto. 2. If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and Filter the List of Computers](#step-5-sort-and-filter-the-list-of-computers). -3. In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. +3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product. 4. Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box. -5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time. +5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing an MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. 
Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Only one key can be installed at a time. 6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index 48c14ccc1a..9e0146f4f9 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md 
@@ -17,17 +17,17 @@ ms.topic: article # VAMT Step-by-Step Scenarios -This section provides step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; the scenarios in this section describe some of the most common to get you started. +This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; it describes here some of the most common to get you started. ## In this Section |Topic |Description | |------|------------| |[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. | -|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers — the first one with Internet access and a second computer within an isolated workgroup — as proxies to perform MAK volume activation for workgroup computers that do not have Internet access. | -|[Scenario 3: KMS Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | +|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers—the first one with Internet access and a second computer within an isolated workgroup—as proxies to perform MAK volume activation for workgroup computers that don't have Internet access. 
| +|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. | -## Related topics +## Related articles - [Introduction to VAMT](introduction-vamt.md)     diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index e5e014f594..f22ca0e63d 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -394,7 +394,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. -3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](/archive/blogs/mniehaus/troubleshooting-mdt-2012-monitoring). +3. Verify the monitoring service is working as expected by opening the following link on SRV1: `http://localhost:9800/MDTMonitorEvent/`. If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](/archive/blogs/mniehaus/troubleshooting-mdt-2012-monitoring). 4. Close Internet Explorer. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index ad6bf5aa42..2b534e585f 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -218,6 +218,8 @@ When you have the required Azure AD subscription, group-based licensing is the p If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. +Subscription Activation doesn’t remove the need to activate the underlying operating system, this is still a requirement for running a genuine installation of Windows. + > [!CAUTION] > Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 7b2c202eac..08a6973def 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md 
@@ -17,12 +17,11 @@ ms.collection: highpri # Windows 10 deployment scenarios and tools +To successfully deploy the Windows 10 operating system and applications for your organization, understand the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment. -To successfully deploy the Windows 10 operating system and applications for your organization, it's essential that you know about the available tools to help with the process. In this topic, you'll learn about the most commonly used tools for Windows 10 deployment. +Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). These tools aren't a complete solution on their own. Combine these tools with solutions like [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) to get a complete deployment solution. -Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It's when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) or [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) that you get the complete deployment solution. 
- -In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations +In this article, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations ## Windows Assessment and Deployment Kit @@ -43,7 +42,7 @@ DISM services online and offline images. For example, with DISM you can install Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess ``` -In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is: +In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is: ``` syntax Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All 
@@ -60,22 +59,17 @@ For more information on DISM, see [DISM technical reference](/windows-hardware/m USMT is a backup and restore tool that allows you to migrate user state, data, and settings from one installation to another. Microsoft Deployment Toolkit (MDT) and System Center 2012 R2 Configuration Manager use USMT as part of the operating system deployment process. -**Note** -Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you'll learn below, using USMT isn't difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it's easy to use. With MDT, you do nothing at all and USMT just works. - - - USMT includes several command-line tools, the most important of which are ScanState and LoadState: -- **ScanState.exe.** This performs the user-state backup. -- **LoadState.exe.** This performs the user-state restore. -- **UsmtUtils.exe.** This supplements the functionality in ScanState.exe and LoadState.exe. +- **ScanState.exe.** This tool performs the user-state backup. +- **LoadState.exe.** This tool performs the user-state restore. +- **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe. In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates: - **Migration templates.** The default templates in USMT. - **Custom templates.** Custom templates that you create. -- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates. 
+- **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates. ![A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files..](images/mdt-11-fig06.png) 
@@ -85,20 +79,20 @@ USMT supports capturing data and settings from Windows Vista and later, and rest By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings: -- Folders from each profile, including those from user profiles as well as shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. -- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. +- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated. +- Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*. - **Note** - The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use aren't migrated by default. + > [!NOTE] + > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default. 
- Operating system component settings - Application settings -These are the settings migrated by the default MigUser.xml and MigApp.xml templates. For more information on what USMT migrates, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more information on the USMT overall, see the [USMT technical reference](./usmt/usmt-reference.md). +These settings are migrated by the default MigUser.xml and MigApp.xml templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [USMT technical reference](./usmt/usmt-reference.md). ### Windows Imaging and Configuration Designer -Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for reimaging the device with a custom image. +Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This tool is useful for setting up new devices, without the need for reimaging the device with a custom image. ![Windows Imaging and Configuration Designer.](images/windows-icd.png) 
@@ -118,7 +112,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht ### Volume Activation Management Tool (VAMT) -If you don't use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy. +If you don’t use KMS, manage your MAKs centrally with the Volume Activation Management Tool (VAMT). Use this tool to install and manage product keys throughout the organization. VAMT can also activate on behalf of clients without internet access, acting as a MAK proxy. ![The updated Volume Activation Management Tool.](images/mdt-11-fig08.png) 
@@ -164,11 +158,11 @@ Windows Deployment Services (WDS) has been updated and improved in several ways Windows Deployment Services using multicast to deploy three machines. -In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) can be configured for stand-alone mode or for Active Directory integration. In most scenarios, the Active Directory integration mode is the best option. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you'll use them instead. In WDS, it's possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management. +In Windows Server 2012 R2, [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11)) can be configured for stand-alone mode or for Active Directory integration. The Active Directory integration mode is the best option, in most scenarios. WDS also has the capability to manage drivers; however, driver management through MDT and Configuration Manager is more suitable for deployment due to the flexibility offered by both solutions, so you'll use them instead. In WDS, it's possible to pre-stage devices in Active Directory, but here, too, Configuration Manager has that capability built in, and MDT has the ability to use a SQL Server database for pre-staging. In most scenarios, those solutions are better than the built-in pre-staging function as they allow greater control and management. 
### Trivial File Transfer Protocol (TFTP) configuration -In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—wasn't user friendly. In Windows Server 2012, this has become much easier to do as it can be configured as a setting. +In some cases, you need to modify TFTP Maximum Block Size settings for performance tuning reasons, especially when PXE traffic travels through routers and such. In the previous version of WDS, it was possible to change that, but the method of do so—editing the registry—wasn't user friendly. In Windows Server 2012, this modification in settings has become much easier to do as it can be configured as a setting. Also, there are a few new features related to TFTP performance: @@ -210,7 +204,7 @@ The SCM console showing a baseline configuration for a fictional client's comput ## Microsoft Desktop Optimization Pack -MDOP is a suite of technologies available to Software Assurance customers through an additional subscription. +MDOP is a suite of technologies available to Software Assurance customers through another subscription. The following components are included in the MDOP suite: 
@@ -280,16 +274,16 @@ UEFI Version 2.3.1B is the version required for Windows 8 and later logo complia In regard to UEFI, hardware is divided into four device classes: -- **Class 0 devices.** This is the UEFI definition for a BIOS, or non-UEFI, device. -- **Class 1 devices.** These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. -- **Class 2 devices.** These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. -- **Class 3 devices.** These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. +- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device. +- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured. +- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available. +- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. 
Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS. ### Windows support for UEFI Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers. -With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI doesn't support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. +With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI doesn't support cross-platform boot. This limitation means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system. ### How UEFI is changing operating system deployment @@ -302,7 +296,7 @@ There are many things that affect operating system deployment as soon as you run For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources. -## Related topics +## Related articles [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
                    [Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 8b2b1f883d..cfe5cdf277 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -47,7 +47,7 @@ Using the Diagnostic Data Viewer for PowerShell requires administrative (elevate ### Install the Diagnostic Data Viewer for PowerShell >[!IMPORTANT] - >It is recommended to visit the documentation on [Getting Started](/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. + >It is recommended to visit the documentation on [Getting Started](/powershell/scripting/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: ```powershell @@ -187,4 +187,4 @@ When resetting the size of your data history to a lower value, be sure to turn o ## Related Links - [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) -- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps) \ No newline at end of file +- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?) \ No newline at end of file diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 5e5a751b1b..fc82f5a509 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md 
@@ -6809,7 +6809,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -6823,7 +6823,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -6864,7 +6864,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index bcfa0ba684..e660f2df49 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -8296,7 +8296,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -8310,7 +8310,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -8351,7 +8351,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded 
@@ -9584,8 +9584,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 6d2cc70a0c..2dd8d27ae5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md 
@@ -3627,7 +3627,7 @@ The following fields are available: - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). -- **IsDeviceWUFBManaged** If device is WUfB managed. +- **IsDeviceWUFBManaged** If device is Windows Update for Business managed. - **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. - **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. - **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. 
@@ -6257,8 +6257,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. @@ -6374,7 +6374,7 @@ The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** The global event counter counts the total events for the provider. - **PackageVersion** The version for the current package. -- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin 
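Review bot: The same corrupted field name, `**UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku**`, appears in the last context line of the `@@ -6257,8 +6257,8 @@` hunk of basic-level-windows-diagnostic-events-and-fields-1903.md. Please fix it in this file too, in the same way as in the other diagnostic events page, so the two documents do not drift: one line for `UnifiedInstallerDeviceIsHomeSku` and one for `UnifiedInstallerDeviceIsHomeSkuHresult`.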
@@ -8457,7 +8457,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** This is the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -8472,7 +8472,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Represents the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -8509,7 +8509,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index b84bda7733..00b49e112b 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -58,7 +58,7 @@ Although enterprise admins can turn off most essential services, we recommend, w |Cloud Clipboard|Cloud Clipboard enables users to copy images and text across all Windows devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.
                    To turn it off, see [Cloud Clipboard](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#30-cloud-clipboard). | | Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
                    To turn it off, see [Date and Time](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). | | Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
                    If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
                    To turn it off, see [Delivery Optimization](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). | -| Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.
                    To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinpu.md#textinput-touchkeyboardemojibuttonavailability). | +| Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.
                    To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinput). | | Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
                    To turn it off, see [Find My Device](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). | | Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
                    To turn it off, see [Location services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). | | Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
                    To turn it off, see [Microsoft Defender Antivirus](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender). | @@ -99,8 +99,8 @@ Internet Explorer shares many of the Windows essential services listed above. Th ## Related links - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Connected Experiences in Office](/deployoffice/privacy/connected-experiences.md) -- [Essential Services in Office](/deployoffice/privacy/essential-services.md) +- [Connected Experiences in Office](/deployoffice/privacy/connected-experiences) +- [Essential Services in Office](/deployoffice/privacy/essential-services) To view endpoints for Windows Enterprise, see: diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d3a03542fc..3f2cf6b3ae 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -58,6 +58,11 @@ The following sections list the components that make network connections to Micr The following table lists management options for each setting, For Windows 10 (beginning with Windows 10 Enterprise version 1607) and Windows 11. + > [!IMPORTANT] +> **If you need assistance with troubleshooting issues, please refer to**:
                    +> - [Keep your device running smoothly](https://support.microsoft.com/topic/keep-your-device-running-smoothly-with-recommended-troubleshooting-ec76fe10-4ac8-ce9d-49c6-757770fe68f1)
                    +> - [CSP - Troubleshooting](/windows/client-management/mdm/policy-csp-troubleshooting) + | Setting | UI | Group Policy | Registry | | - | :-: | :-: | :-: | @@ -581,7 +586,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** > | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
                    **Set to Disabled** | | Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
                    **Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
                    **Set to Disabled** | -| Configure Start pages | Choose the Start page for domain-joined devices.
                    **Enabled** and **Set this to <>** | +| Configure Start pages | Choose the Start page for domain-joined devices.
                    **Enabled** and **Set this to ```<>```** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
                    **Set to: Enable** | | Allow Microsoft Compatibility List | Choose whether to use the Microsoft Compatibility List in Microsoft Edge.
                    **Set to: Disabled** | @@ -597,7 +602,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
                    REG_DWORD name: ShowSearchSuggestionsGlobal
                    Value: **0**| | Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
                    REG_DWORD name: EnabledV9
                    Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
                    REG_DWORD name: AllowWebContentOnNewTabPage
                    Value: **0** | -| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
                    REG_SZ name: ProvisionedHomePages
                    Value: **<>**| +| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
                    REG_SZ name: ProvisionedHomePages
                    Value: **```<>```**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
                    REG_DWORD name: PreventFirstRunPage
                    Value: **1**| | Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
                    REG_DWORD: MSCompatibilityMode
                    Value: **0**| @@ -861,6 +866,8 @@ Use Settings > Privacy & security to configure some settings that may be importa - [18.23 Voice Activation](#bkmk-voice-act) +- [18.24 News and interests](#bkmk-priv-news) + ### 18.1 General **General** includes options that don't fall into other areas. @@ -1528,6 +1535,13 @@ To turn this Off in the UI: - Create a REG_DWORD registry setting named **LetAppsActivateWithVoiceAboveLock** in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy** with a **value of 2 (two)** +### 18.24 News and interests + +In the **Windows Feeds** area, you can choose which apps have access to your diagnostic information. + +To turn this off: + +- Create a REG_DWORD registry setting named **EnableFeeds** in **HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Feeds** with a **value of 0 (zero)**. ### 19. Software Protection Platform diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index d2770a3edf..1370d95086 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints: 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. 
@@ -55,8 +55,8 @@ The following methodology was used to derive these network endpoints: |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. 
It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. 
Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

                    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| @@ -154,4 +154,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index b9a121fa15..f6b2a11c6d 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md 
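Review bot: In the `@@ -55,8 +55,8 @@` hunk of manage-windows-11-endpoints.md the new Certificates text says "contacts Windows Updates to update the CTL"; the service is "Windows Update" (singular), as the rest of the page and the `ctldl.windowsupdate.com` row use it. Also worth a look: the new cell drops the explicit "We do not recommend blocking this endpoint" sentence that the old text had; the new wording only says things "may stop working", so if the recommendation still stands it should survive in the rewritten cell.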
@@ -164,6 +164,10 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates +Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism. + +If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. + The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses. Additionally, it's used to download certificates that are publicly known to be fraudulent. diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 7c2bf27999..41d1c6b46b 100644 
--- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -37,11 +37,11 @@ The following methodology was used to derive these network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. 2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. -7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. > [!NOTE] 
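Review bot: In the `@@ -164,6 +164,10 @@` hunk of manage-windows-1809-endpoints.md the two added paragraphs are placed above the existing one, and the existing paragraph is kept unchanged, so the section now says twice that applications and websites may stop working without an updated root certificate, and explains the fraudulent/untrusted certificate list twice in different words. Either fold the old paragraph into the new text, as the 1903, 1909 and Windows 11 tables in this same change do, or trim the old paragraph to the one sentence that is not already covered (that this endpoint is what the Automatic Root Certificates Update component contacts). The "Windows Updates" wording in the new paragraph should also be "Windows Update".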
@@ -52,10 +52,10 @@ The following methodology was used to derive these network endpoints: |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| -||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| -|||HTTP|tile-service.weather.microsoft.com -|||HTTP|tile-service.weather.microsoft.com -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US +||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|`blob.weather.microsoft.com`| +|||HTTP|tile-service.weather.microsoft.com| +|||HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US| ||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. 
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| ||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net| 
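Review bot: In the `@@ -52,10 +52,10 @@` hunk of manage-windows-1903-endpoints.md only `blob.weather.microsoft.com` is wrapped in backticks; the other destinations in the same hunk (`tile-service.weather.microsoft.com`, `cdn.onenote.net/livetile/?Language=en-US`) are plain text, so the Destination column now renders inconsistently; pick one style for the column. The hunk also keeps the duplicated `|||HTTP|tile-service.weather.microsoft.com|` row (it appears twice in a row); since these lines are being edited anyway, drop the duplicate.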
@@ -68,7 +68,7 @@ The following methodology was used to derive these network endpoints: |Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| |||HTTPS|ris-prod-atm.trafficmanager.net| |||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. 
Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

                    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com| @@ -186,5 +186,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links -- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file +- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index da29e4f457..b5dfff14b9 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md 
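Review bot: The `@@ -68,7 +68,7 @@` hunk of manage-windows-1903-endpoints.md has the same "contacts Windows Updates to update the CTL" wording as the Windows 11 page; it should read "Windows Update". Because the identical Certificates paragraph is now copied into four files in this change, consider moving it into a shared include (the repository already uses `[!INCLUDE ...]` for the IE11 end-of-support notice) so a future correction only has to be made once.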
@@ -36,10 +36,10 @@ The following methodology was used to derive these network endpoints: 1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. 2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. 
@@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| |||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. 
Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

                    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*| @@ -136,5 +136,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links -- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file +- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 48879ed467..2b302dbf62 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md 
@@ -39,7 +39,7 @@ The following methodology was used to derive these network endpoints: 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. 
@@ -53,9 +53,9 @@ The following methodology was used to derive these network endpoints: |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| ||The following endpoints are used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|blob.weather.microsoft.com| |||HTTP|tile-service.weather.microsoft.com| -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/* +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*| ||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. 
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

                    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*| @@ -137,5 +137,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links -- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file +- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 8035ebc8d5..9d1ec6d001 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints: 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. 
@@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints: |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. 
It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. 
Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

                    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| 
@@ -82,7 +82,7 @@ The following methodology was used to derive these network endpoints: ||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| -||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). 
If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| @@ -155,4 +155,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 940115bae8..bd760cb5c0 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints: 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. 
@@ -52,10 +52,10 @@ The following methodology was used to derive these network endpoints: |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| -||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| -||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. 
It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. 
If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

                    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| @@ -66,9 +66,11 @@ The following methodology was used to derive these network endpoints: ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| |Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| |||HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
                    If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| -||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com| +|||HTTP|www.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: **Administrative Templates** > **Windows Components** > **Windows Error Reporting** > **Disable Windows Error Reporting**. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| |||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| |Font Streaming|The following endpoints are used to download fonts on demand. 
If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| |||HTTPS|fs.microsoft.com| 
@@ -80,8 +82,8 @@ The following methodology was used to derive these network endpoints: ||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| |Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| ||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| -||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| -|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. 
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead, disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| |Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| ||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| 
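Review bot: in the FWLink row (go.microsoft.com), the comma added in "To disable the traffic, instead, disable the traffic that's getting forwarded" makes the sentence harder to read than before; suggest "To disable this traffic, block the forwarded destinations instead." While touching the row, note that its protocol column lists only HTTP even though the same cell says Windows Defender definition updates depend on it; if the redirect target is fetched over HTTPS, say so, otherwise a reader will reasonably conclude that a security-critical download path starts with a cleartext hop.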
@@ -107,10 +109,10 @@ The following methodology was used to derive these network endpoints: |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| |||HTTPS|settings.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. 
Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| |||HTTPS/HTTP|*.pipe.aria.microsoft.com| |||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| -|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| |Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| |||HTTPS/TLSv1.2|wdcp.microsoft.com| 
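Review bot: the Teams row still links its "Learn how to turn off traffic" entry to `#26-microsoft-store`, which is the Microsoft Store section, not a Teams one; this hunk only removed the stray space inside the link, so please confirm the anchor is intended (the Skype row directly above points at `#bkmk-windowsstore` and explains what disabling it costs). The Teams description "The following endpoint is used for Microsoft Teams application" is also the only row in this block that names no consequence of blocking the endpoint; suggest "used by the Microsoft Teams application" followed by what stops working when config.teams.microsoft.com is unreachable.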
@@ -124,7 +126,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| |||HTTP|*.windowsupdate.com| -||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Microsoft Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| |||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| ||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| 
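Review bot: the normalization to "Microsoft Store" in "acquire and update apps from the Microsoft Store" leaves the earlier clause of the same cell, "the online services of the Store", with the bare form; apply the same name in both places. The closing sentence "These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints" would read more clearly as "These endpoints also require the "Device authentication" and "Microsoft Account" endpoints to be allowed."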
@@ -137,6 +139,7 @@ The following methodology was used to derive these network endpoints: To view endpoints for other versions of Windows 10 Enterprise, see: - [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md) +- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20H2-endpoints.md) - [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) - [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) - [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) @@ -145,6 +148,7 @@ To view endpoints for other versions of Windows 10 Enterprise, see: To view endpoints for non-Enterprise Windows 10 editions, see: - [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md) +- [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](windows-endpoints-20H2-non-enterprise-editions.md) - [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) - [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) - [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) @@ -153,4 +157,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) 
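Review bot: the new 20H2 links are inserted in the right version order in both lists, but the Enterprise list now starts at 21H2 while the non-Enterprise list still starts at 21H1; if a `windows-endpoints-21H2-non-enterprise-editions.md` page exists it should be added here as well so the two lists stay parallel. The trailing-newline fix on the Intune link is fine.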
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index f8bf449d07..d8c926a1fc 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md @@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints: 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. 5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here. 7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. 8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. 
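Review bot: "an IPV4 network" fixes the article, but the casing should be "IPv4" and "IPv6" in both sentences of item 6. Item 5 in the same hunk also has a number disagreement, "The test virtual machine(s) was logged into using a local account, and was not joined"; suggest "The test virtual machines were signed in with a local account and were not joined to a domain or Azure Active Directory."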
@@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints: |Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| ||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| -||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. 
It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. 
Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

                    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| |||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| |Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| 
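Review bot: the rewritten Certificates cell is split across lines, with a blank line and an indented continuation before "If automatic updates are turned off, applications and websites may stop working"; a markdown table row cannot span lines, so this row and the ctldl.windowsupdate.com row after it will not render as table rows. Join the cell into one line, or use `<br>` for the paragraph break. Two smaller points in the same cell: "contacts Windows Updates" should be "Windows Update", and the previous text's explicit "We do not recommend blocking this endpoint" has been dropped; the new wording only describes consequences, so keep the recommendation, since this is the endpoint that delivers the untrusted-certificate list.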
@@ -93,7 +93,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|share.microsoft.com| ||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| |Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| -||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|`www.msftconnecttest.com`| |Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| |||HTTPS|www.office.com| |||HTTPS|blobs.officehome.msocdn.com| 
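Review bot: the NCSI endpoint changed from `www.msftconnecttest.com*` to `` `www.msftconnecttest.com` ``, which drops the trailing wildcard as well as adding code formatting; if the asterisk was meant to cover subdomain or path variants (the Cortana row still lists `www.bing.com*`), this is a content change and should be called out or reverted. The same row says NCSI "sends a DNS request and HTTP query" while the protocol column says HTTPS; reconcile the two, since readers use this column to write firewall rules.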
@@ -152,4 +152,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see: ## Related links - [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) -- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index ee4c6b4726..084f8f8a9e 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -6328,7 +6328,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** This is the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -6343,7 +6343,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Represents the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted 
@@ -6380,7 +6380,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 6a226268c2..b37678708d 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -5789,8 +5789,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. 
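Review bot: the unchanged context line `**UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku**` in the 2004 hunk looks like one field name pasted into the middle of another; by analogy with the `UnifiedInstallerDeviceIsProSku` and `UnifiedInstallerDeviceIsProSkuHresult` pair just above, this is probably `UnifiedInstallerDeviceIsHomeSku` plus a separate `UnifiedInstallerDeviceIsHomeSkuHresult` entry. Since this hunk already edits the adjacent lines, fix it here. For consistency with spelling out "Windows Update for Business", consider expanding "SCCM" in the two lines above it as well.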
@@ -5917,7 +5917,7 @@ The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** The global event counter for counting total events for the provider. - **PackageVersion** The version for the current package. -- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin @@ -7212,7 +7212,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** This is the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -7227,7 +7227,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Represents the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -7270,7 +7270,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted 
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index eacb21eb26..2ba26987bb 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -131,7 +131,7 @@ For more information about user rights, see [User Rights Assignment](/windows/de With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer. -For more information about auditing, see [Security Auditing Overview](/windows/security/threat-protection/auditing/security-auditing-overview). +For more information about auditing, see [Security Auditing Overview](../../threat-protection/auditing/security-auditing-overview.md). ## See also diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index c95e92b80c..2ec117c8b9 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md 
@@ -342,7 +342,7 @@ This security group has not changed since Windows Server 2008. Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group). -For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](https://technet.microsoft.com/library/hh831734.aspx). +For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100). This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md index 79e1a30a6a..992afda9d6 100644 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ b/windows/security/identity-protection/access-control/microsoft-accounts.md 
@@ -60,7 +60,7 @@ Credential information is encrypted twice. The first encryption is based on the Blank passwords are not allowed. - For more information, see [Microsoft Account Security Overview](https://www.microsoft.com/account/security/default.aspx). + For more information, see [How to help keep your Microsoft account safe and secure](https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-safe-and-secure-628538c2-7006-33bb-5ef4-c917657362b9). - **Secondary proof of identity is required**. diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index 9a30c84314..8564378d9c 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -21,7 +21,9 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 +- Windows 11 - Windows Server 2016 +- Windows Server 2019 This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system. 
@@ -208,7 +210,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.| | S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.| | S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.| -| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.| +| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.| | S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
                    System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
                    When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.| | S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.| | S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.| 
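Review bot: renaming S-1-5-17 from IIS_USRS to IUSR is the right fix, but the description "An account that is used by the default Internet Information Services (IIS) user" now invites confusion with the IIS_IUSRS group added at S-1-5-32-568 further down in this change; suggest stating that S-1-5-17 is the built-in account itself and that IIS_IUSRS is the separate built-in group, so readers writing ACLs pick the correct principal.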
@@ -243,6 +245,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID |S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.| |S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.| |S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.| +|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.| |S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.| |S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.| |S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.| 
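Review bot: the new S-1-5-32-568 row describes IIS_IUSRS as "A built-in group account", which mixes the two terms the table otherwise keeps apart; the neighbouring rows use "An alias. A built-in local group." Suggest "An alias. A built-in local group used by Internet Information Services (IIS); distinct from the IUSR account (S-1-5-17)."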
@@ -314,6 +317,19 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCache All Capability SIDs are prefixed by S-1-15-3 +## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition + +You may see the following registry keys under AllCachedCapabilities: + +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows + +All Capability SIDs are prefixed by S-1-15-3 + ## See also - [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index d0ddb7f478..c6922f3901 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md 
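Review bot: the hunk ends by adding "All Capability SIDs are prefixed by S-1-15-3" again, immediately after the context line that already says it before the new heading; drop one of the two. The six registry paths are also added as bare consecutive lines, which markdown will run together into a single paragraph; put them in a fenced block or a list so each `capabilityClass_*` key stays on its own line.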
@@ -43,7 +43,7 @@ A digitally signed message reassures the recipient that the message hasn't been - Valid Personal Information Exchange (PFX) certificates are installed on the device. - [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10)) - - [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=718216) + - [Enable access to company resources using certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-configure) ## Choose S/MIME settings diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index d370cb1473..3599199593 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
@@ -57,15 +57,6 @@ The following known issues have been fixed by servicing releases made available This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221) -- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview) - - This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems: - - - Windows 10 Version 1607 and Windows Server 2016: - [KB4015217 (OS Build 14393.1066 and 14393.1083)](https://support.microsoft.com/help/4015217) - - Windows 10 Version 1511: [KB4015219 (OS Build 10586.873)](https://support.microsoft.com/help/4015219) - - Windows 10 Version 1507: [KB4015221 (OS Build 10240.17354)](https://support.microsoft.com/help/4015221) - ## Known issues involving third-party applications The following issue affects the Java GSS API. See the following Oracle bug database article: diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index 050b9e39c3..b41236db4a 100644 --- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md 
@@ -245,8 +245,8 @@ Whenever an application verifies a TLS/SSL certificate chain that contains a ser The output file name consists of the leading eight ASCII hex digits of the root’s SHA1 thumbprint followed by the server name. For example: -- D4DE20D0_xsi.outlook.com.p7b -- DE28F4A4_www.yammer.com.p7b +- `D4DE20D0_xsi.outlook.com.p7b` +- `DE28F4A4_www.yammer.com.p7b` If there's either an enterprise certificate pin rule or a Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder. If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder. diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 1cc41effde..bb8984236d 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -24,7 +24,7 @@ ms.reviewer: - Windows 11 **Requirements:** -* Windows Hello for Business deployment (Hybrid or On-premises) +* Windows Hello for Business deployment (Cloud, Hybrid or On-premises) * Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) * Windows 10, version 1709 or newer, or Windows 11 * Bluetooth, Bluetooth capable phone - optional @@ -396,4 +396,4 @@ Multi-factor unlock writes events to event log under **Application and Services |5520|Unlock policy not configured| |6520|Warning event| |7520|Error event| -|8520|Success event| \ No newline at end of file +|8520|Success event| diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 5762e33ff9..8135aa6650 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml 
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -41,7 +41,7 @@ sections: - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. RDP with supplied credentials is currently only supported with certificate-based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). + Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? answer: | diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index a4e61a2244..86edd45c86 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md 
@@ -157,7 +157,7 @@ Primarily for large enterprise organizations with more complex authentication re [Hybrid Deployment](#hybrid-deployment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Sync](#password-hash-sync) ### More information -- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn) +- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn) [Return to Top](hello-how-it-works-technology.md) ## Hybrid Azure AD Joined diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index c9bbe2c198..9496bd8da6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -193,7 +193,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. 2. In the navigation pane, right-click the name of the certificate authority and click **Properties** 3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). +4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, `` or `` (do not forget the trailing forward slash). ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png) 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 638d001dcf..ebad63fce7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -94,14 +94,14 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync 2. Select **Sign in to Graph Explorer** and provide Azure credentials. > [!NOTE] -> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?view=graph-rest-1.0&tabs=http#permissions) must be granted. +> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted. 3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent. 4. In the Graph Explorer URL, enter https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. > [!NOTE] -> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. +> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. #### Request 
@@ -650,7 +650,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. -6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. +6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, ```https://ndes.corp.mstepdemo.net```. You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. 7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). 
@@ -1025,7 +1025,7 @@ Sign-in a workstation with access equivalent to a _domain user_. ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png) -17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. +17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. 18. Click **Next**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 15ec076a51..04926dd580 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -69,7 +69,7 @@ After a successful key registration, Windows creates a certificate request using The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. > [!NOTE] -> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the https://enterpriseregistration.windows.net endpoint. +> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the ```https://enterpriseregistration.windows.net``` endpoint. The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index dc028844a0..93dcb39b92 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
@@ -32,7 +32,7 @@ The Windows Server 2016 Active Directory Federation Server Certificate Registrat The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. > [!NOTE] -> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the https://enterpriseregistration.windows.net endpoint. +> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the ```https://enterpriseregistration.windows.net``` endpoint. ### Configure the Registration Authority diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index fdd927d52e..04d4d3b8b1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -13,8 +13,9 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 4/30/2021 -ms.reviewer: +ms.date: 05/04/2022 +ms.reviewer: prsriva + --- # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business @@ -25,7 +26,7 @@ ms.reviewer: - Hybrid deployment - Key trust -You are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. +You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] > Before proceeding, you should familiarize yourself with device registration concepts such as: 
@@ -33,27 +34,30 @@ You are ready to configure device registration for your hybrid environment. Hybr > * Azure AD joined devices > * Hybrid Azure AD joined devices > -> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction) +> You can learn about this and more by reading [What is a device identity](/azure/active-directory/devices/overview) -## Configure Azure for Device Registration +## Configure Hybrid Azure AD join -Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. +Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. -To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal). +Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment. -Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark. 
+If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: +- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. +- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. -

                    +You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join). -
                    +> [!NOTE] +> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD. ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-key-new-install.md) -4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -5. Configure Azure Device Registration (*You are here*) +3. [New installation baseline](hello-hybrid-key-new-install.md) +4. [Configure directory synchronization](hello-hybrid-key-trust-dirsync.md) +5. Configure Azure Device Registration (*you're here*) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 28c80840a2..705b84df66 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -36,6 +36,13 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
                    +If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: +- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD. +- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD. + +> [!NOTE] +> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD. +
                    ## Follow the Windows Hello for Business hybrid key trust deployment guide @@ -46,4 +53,4 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 2cc0527401..86a2a82c99 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -35,7 +35,7 @@ Windows Hello addresses the following problems with passwords: - Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. - Server breaches can expose symmetric network credentials (passwords). - Passwords are subject to [replay attacks](/previous-versions/dotnet/netframework-4.0/aa738652(v=vs.100)). -- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). +- Users can inadvertently expose their passwords due to phishing attacks. Windows Hello lets users authenticate to: diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index bad0c616fe..3ce6180ae9 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md 
@@ -82,7 +82,7 @@ Credential providers must be registered on a computer running Windows, and they ## Smart card subsystem architecture -Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Cryptographic Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware. +Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://pcscworkgroup.com/). Each smart card must have a Cryptographic Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware. ### Base CSP and smart card minidriver architecture diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 5bb30875b0..eea206d53d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md 
@@ -187,7 +187,7 @@ The smart card certificate has specific format requirements when it is used with | **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** | |--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
                    \[1\]CRL Distribution Point
                    Distribution Point Name:
                    Full Name:
                    URL= | +| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
                    \[1\]CRL Distribution Point
                    Distribution Point Name:
                    Full Name:
                    URL=`` | | Key usage | Digital signature | Digital signature | | Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) | | Enhanced key usage (EKU) | The smart card sign-in object identifier is not required.

                    **Note**  If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2)
                    The client authentication object identifier is required only if a certificate is used for SSL authentication.

                    - Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) | diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index dd3d3ccddb..0d26cf1289 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -22,7 +22,7 @@ Applies To: Windows 10, Windows 11, Windows Server 2016 and above This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions. -The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications website](https://www.pcscworkgroup.com/). +The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications website](https://pcscworkgroup.com/). The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description: 
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index b1e9071045..bbc7256c6d 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -60,7 +60,7 @@ With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt. -![uac consent prompt.](images/uacconsentprompt.gif) +:::image type="content" source="images/uacconsentprompt.png" alt-text="UAC consent prompt."::: **The credential prompt** @@ -68,7 +68,7 @@ The credential prompt is presented when a standard user attempts to perform a ta The following is an example of the UAC credential prompt. -![uac credential prompt.](images/uaccredentialprompt.gif) +:::image type="content" source="images/uaccredentialprompt.png" alt-text="UAC credential prompt."::: **UAC elevation prompts** @@ -85,7 +85,7 @@ The elevation prompt color-coding is as follows: Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item. -![uac shield icon.](images/uacshieldicon.png) +:::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties"::: The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt. 
diff --git a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif deleted file mode 100644 index ec65e67586..0000000000 Binary files a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif and /dev/null differ diff --git a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png new file mode 100644 index 0000000000..1a84a4cfd7 Binary files /dev/null and b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png differ diff --git a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif deleted file mode 100644 index 86374d118b..0000000000 Binary files a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif and /dev/null differ diff --git a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png new file mode 100644 index 0000000000..df0077b91b Binary files /dev/null and b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png differ diff --git a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png index 8df37f2c12..5c9e4de2f7 100644 Binary files a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png and b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png differ 
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 5e8dbb7965..441d05936f 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -35,8 +35,7 @@ VPN profiles in Windows 10 or Windows 11 can be configured to connect automatica The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name. -[Find a package family name (PFN) for per-app VPN configuration](/intune/deploy-use/find-a-pfn-for-per-app-vpn) - +[Find a package family name (PFN) for per-app VPN configuration](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) ## Name-based trigger @@ -78,7 +77,7 @@ Should a management tool remove or add the same profile name back and set **Alwa ## Trusted network detection -This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. +This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffixes. The VPN stack will look at the network name of the physical interface connection profile and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp). 
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index fafe96b51b..ec2a6bed29 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -35,7 +35,7 @@ See also [Always On VPN deployment for Windows Server and Windows 10](/windows-s - Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued. -- [Microsoft Intune device compliance policies](/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. +- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. - Antivirus status - Auto-update status and update compliance diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index dfac592fab..1e29149153 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -1,5 +1,5 @@ --- -title: BitLocker basic deployment (Windows 10) +title: BitLocker basic deployment description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 ms.reviewer: @@ -32,9 +32,9 @@ This article for the IT professional explains how BitLocker features can be used ## Using BitLocker to encrypt volumes -BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. +BitLocker provides full volume encryption (FVE) for operating system volumes, and fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. -In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. +If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. > [!NOTE] > For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. 
@@ -43,43 +43,43 @@ BitLocker encryption can be done using the following methods: - BitLocker control panel - Windows Explorer -- manage-bde command-line interface +- `manage-bde` command-line interface - BitLocker Windows PowerShell cmdlets ### Encrypting volumes using the BitLocker control panel -Encrypting volumes with the BitLocker control panel (select **Start**, type *bitlocker*, select **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). ### Operating system volume -Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. 
By default, the system requirements are: +When the BitLocker Drive Encryption Wizard launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: |Requirement|Description| |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

                    A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|Hardware TPM|TPM version 1.2 or 2.0.

                    A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| |BIOS configuration|

                  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
                  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
                  • The firmware must be able to read from a USB flash drive during startup.
                  • | |File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
                    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
                    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| -Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. -Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. +Upon passing the initial configuration, users are required to enter a password for the volume. If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. +Once a strong password has been created for the volume, a recovery key will be generated. 
The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer can't access the drive. -You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. +You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. 
After you create a recovery key, you can use the BitLocker control panel to make additional copies. When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options: - Encrypt used disk space only - Encrypts only disk space that contains data - Encrypt entire drive - Encrypts the entire volume including free space -It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option. +It's recommended that drives with little to no data use the **used disk space only** encryption option and that drives with data or an operating system use the **encrypt entire drive** option. > [!NOTE] -> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. +> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. -Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. 
+Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. 
@@ -88,10 +88,10 @@ Until encryption is completed, the only available options for managing BitLocker ### Data volume Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard. -Unlike for operating system volumes, data volumes are not required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. +Unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes. -With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it is recommended that used space only encryption is selected. +With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. 
These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected. With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption. @@ -99,7 +99,7 @@ Encryption status displays in the notification area or within the BitLocker cont ### OneDrive option -There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain. +There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain. Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. 
@@ -152,7 +152,7 @@ manage-bde -on C: **Enabling BitLocker with a TPM only** -It is possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command: +It's possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command: `manage-bde -on C:` @@ -257,9 +257,9 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` -### Using a SID-based protector in Windows PowerShell +### Using an SID-based protector in Windows PowerShell -The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over and be unlocked to any member computer of the cluster. +The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. > [!WARNING] > The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. 
@@ -280,7 +280,7 @@ Get-ADUser -filter {samaccountname -eq "administrator"} > Use of this command requires the RSAT-AD-PowerShell feature. > [!TIP] -> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: 
@@ -302,11 +302,11 @@ Checking BitLocker status with the control panel is the most common method used | Status | Description | | - | - | | **On**|BitLocker is enabled for the volume | -| **Off**| BitLocker is not enabled for the volume | +| **Off**| BitLocker isn't enabled for the volume | | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. +If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. 
Selecting **Activate BitLocker** will complete the encryption process. @@ -350,7 +350,7 @@ Decrypting volumes removes BitLocker and any associated protectors from the volu BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn off BitLocker option to begin the process. Once selected, the user chooses to continue by clicking the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status to the control panel. -The control panel does not report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. +The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. Once decryption is complete, the drive will update its status in the control panel and is available for encryption. 
@@ -370,9 +370,9 @@ manage-bde -status C: ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets -Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. +Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. -Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is: +Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is: ```powershell Disable-BitLocker diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 83d1f263d5..c3f40de8e2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -18,11 +18,11 @@ ms.date: 02/28/2019 ms.custom: bitlocker --- -# BitLocker Management for Enterprises +# BitLocker management for enterprises -The ideal for BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. +The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. -Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. 
This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers. +Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. > [!IMPORTANT] 
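Review bot: the rewritten intro paragraph in the @@ -18,11 hunk introduces two regressions. "The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped" has a singular subject (the growth), so the original "has helped" was correct; and Secure Boot is the name of the UEFI feature, so lowercasing it to "secure boot" should be reverted.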
@@ -44,27 +44,26 @@ For hardware that is compliant with Modern Standby and HSTI, when using either o This is applicable to Azure Hybrid AD as well. - ## Managing workplace-joined PCs and phones -For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. +For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. ## Managing servers -Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. +Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. 
The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core. - Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles).   ## PowerShell examples -For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory. 
+For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD. *Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* ```powershell diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 654ea1271b..c1316fbac4 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -124,7 +124,9 @@ Figure 2 illustrates the Measured Boot and remote attestation process. **Figure 2. Measured Boot proves the PC’s health to a remote server** -Windows includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For an example of such a tool, download the [TPM Platform Crypto-Provider Toolkit](https://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/) from Microsoft Research or Microsoft Enterprise Security MVP Dan Griffin’s [Measured Boot Tool](http://mbt.codeplex.com/). +Windows includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research: +- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487) +- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr) Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to confidently assess the trustworthiness of a client PC across the network. 
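Review bot: in the @@ -44,27 hunk, the context line "For more information, see the Bitlocker FAQs article" miscapitalizes the product name (BitLocker) and ends in trailing whitespace (what looks like a non-breaking space); since the surrounding paragraph is being touched for the lights-out hyphenation, clean up both in the same change. The replaced "+ Additionally, lights-out data centers" line also keeps the stray leading space of the line it replaces; drop it so the paragraph starts at column 0 like its neighbors.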
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index e12bbc3156..c54c2521ad 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -165,4 +165,4 @@ The TPM adds hardware-based security benefits to Windows. When installed on hard
                    -Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements. +Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows IoT Core](/windows/iot-core/windows-iot-core). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index f8388b1544..3fa8df029b 100644 
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
@@ -569,7 +569,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. -**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). +**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template can read it from the removable drive. 
WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index df74e9eb71..93c399ae54 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -42,8 +42,6 @@ Changes to user and group objects are tracked by the Account Management audit ca **Event volume**: High on domain controllers. -For information about reducing the number of events generated in this subcategory, see [KB841001](https://support.microsoft.com/kb/841001). - | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. | 
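Review bot: In the audit-sam.md hunk, removing the KB841001 sentence drops the only guidance on reducing event volume while the "Event volume: High on domain controllers" line directly above it stays. If the KB is retired, replace the sentence with a current reference or state in the table's Comments column how to scope Security Account Manager auditing; otherwise readers are left with a high-volume warning and no mitigation.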
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 136684f355..a5fc916065 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md 
@@ -120,9 +120,9 @@ This event is always logged regardless of the "Audit Other Policy Change Events" - **HyperVisor Load Options** \[Type = UnicodeString\]**:** shows hypervisor **loadoptions**. See more information here: . -- **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/library/windows/hardware/ff538138(v=vs.85).aspx). Information about [Hyper-V](/windows/deployment/deploy-whats-new) technology is available on Microsoft TechNet web site. +- **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host). Information about [Hyper-V](/windows/deployment/deploy-whats-new) technology is available on Microsoft TechNet web site. -- **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/library/windows/hardware/ff538138(v=vs.85).aspx). +- **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host). ## Security Monitoring Recommendations 
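Review bot: In the event-4826.md hunk, both updated links now point to /windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host, but the link text still reads "Attaching to a Target Computer Running Hyper-V"; update the text to the new page's title so the reader knows what they are opening. While this list is being edited, the unchanged "Information about [Hyper-V](/windows/deployment/deploy-whats-new) technology is available on Microsoft TechNet web site" sentence links a Windows deployment what's-new page rather than Hyper-V and refers to a retired site, and the context line above ("See more information here: .") has an empty link; both belong in the same fix.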
diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index dae7e74958..4a2e0e7e1f 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when [resource attributes](https://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed. +This event generates when [resource attributes](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview) of the file system object were changed. Resource attributes for file or folder can be changed, for example, using Windows File Explorer (object’s Properties->Classification tab). diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index b153e56a00..6e7bc52761 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event occurs when an account that is a member of any defined [Special Group](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in. +This event occurs when an account that is a member of any defined [Special Group](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) logs in. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index 59e64af10b..a0be07f3bf 100644 
--- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for CNG troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 625c998826..8ef262994a 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index 9497f26ebf..e20a614013 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -25,8 +25,6 @@ For more information about CNG, visit these pages: - -- - - This event is mainly used for CNG troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 7fc9f07b38..5038c7efce 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 0640bde11a..58926d7958 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md 
@@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 99731361a2..7e24add6fe 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index a0faa27390..310525c71a 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 82bd2b643c..509b5d140a 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index 54cfae4b8f..1214a053db 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md 
@@ -23,8 +23,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index 6a762e71a3..dadbcf3347 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index 2a77163002..5763a4dba1 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -- - - This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index e968128cb7..773a459b03 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md 
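Review bot: In the event-5056.md through event-5070.md hunks, the removed bullets ("- -- - -") were the empty link list under "For more information about Cryptographic Next Generation (CNG) visit these pages", and that lead-in line is kept as unchanged context. After the change the sentence promises pages and lists none; either remove the lead-in in each file too or restore the CNG references it pointed at. This applies to every file in the series (5056, 5057, 5060, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070).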
@@ -103,7 +103,7 @@ It typically generates when network adapter connects to new wired network. - **Reason Code** \[Type = UnicodeString\]: contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results. See more information about reason codes for wired authentication here: , . -- **Error Code** \[Type = HexInt32\]: unique [EAP error code](https://msdn.microsoft.com/library/windows/desktop/aa813691(v=vs.85).aspx). +- **Error Code** \[Type = HexInt32\]: unique [EAP error code](/windows/win32/eaphost/eap-related-error-and-information-constants). ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 42a29f7d54..0c0339615a 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md 
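Review bot: In the event-5633.md hunk, the EAP error code link is correctly moved to /windows/win32/eaphost/eap-related-error-and-information-constants, but the unchanged Reason Code line above it still ends with "here: , .", two empty link slots. Since the hunk already touches this list, fill or remove those references so the Reason Code field is not left pointing at nothing.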
@@ -30,7 +30,7 @@ Use the following procedures to monitor the use of removable storage devices and Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. > [!NOTE] -> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor. +> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](/previous-versions/ff541299(v=vs.85)). This may require the device to restart to apply the new security descriptor. **To configure settings to monitor removable storage devices** diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 123a9eef64..9d7d8ad4bc 100644 
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -390,7 +390,7 @@ Examples: Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL ``` -- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-windows-defender-application-control). This completion will enable protections on Windows 10 equivalent to EMET's ASR protections. +- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy. For more information, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control/windows-defender-application-control-deployment-guide.md). This completion will enable protections on Windows 10 equivalent to EMET's ASR protections. - **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET "Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example: 
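Review bot: In the overview-of-threat-mitigations-in-windows-10.md hunk, the new WDAC link is a repo-relative path (windows-defender-application-control/windows-defender-application-control-deployment-guide.md) while the next bullet and the rest of this patch use site-root paths such as /windows/access-protection/enterprise-certificate-pinning; pick one convention. Separately, the kept example "Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL" shows mitigations being disabled with no caveat; one sentence saying the -Disable switches weaken protection and are only illustrative would help readers who copy the line as-is.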
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 958eae7a5c..087bf0dbc9 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -128,7 +128,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. - Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). + Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](/windows-hardware/design/minimum/minimum-hardware-requirements-overview). Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. 
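Review bot: In the protect-high-value-assets hunk at line 128, the link text "TPM requirements in Windows 10" now points at /windows-hardware/design/minimum/minimum-hardware-requirements-overview, which is the general minimum-hardware page rather than a TPM-specific one. Either link to the TPM section of that page with an anchor or rename the link text to match the destination, so the reader does not land on a page whose title differs from what they clicked.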
@@ -460,8 +460,8 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t > [!NOTE] > Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: -- For Intel firmware TPM: **https://ekop.intel.com/ekcertservice** -- For Qualcomm firmware TPM: **https://ekcert.spserv.microsoft.com/** +- For Intel firmware TPM: **```https://ekop.intel.com/ekcertservice```** +- For Qualcomm firmware TPM: **```https://ekcert.spserv.microsoft.com/```** ### Attestation Identity Keys @@ -604,7 +604,7 @@ Today’s access control technology, in most cases, focuses on ensuring that the The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune. > [!NOTE] -> For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](https://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733956). +> For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](https://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service. 
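Review bot: In the hunk at line 460, the URLs are wrapped as **```https://ekop.intel.com/ekcertservice```**, triple backticks inside bold. An inline code span needs single backticks, and bold around a code span is redundant; `https://ekop.intel.com/ekcertservice` and `https://ekcert.spserv.microsoft.com/` read cleaner and render consistently across Markdown engines.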
@@ -632,7 +632,7 @@ The third-party MDM server will have the same consistent first-party user experi This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. -For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=733953). +For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10). ### Conditional access control 
@@ -654,7 +654,7 @@ When a user requests access to an Office 365 service from a supported device pla When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune. > [!NOTE] -> Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://go.microsoft.com/fwlink/p/?LinkId=691615) blog post. +> Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067) blog post. When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access. 
@@ -677,7 +677,7 @@ To get to a compliant state, the Windows 10-based device needs to: - Be compliant with the device policies set by the MDM solution. > [!NOTE] -> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://go.microsoft.com/fwlink/p/?LinkId=691616) blog post. +> At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-microsoft-intune-and-windows-10-8211-using-the-cloud-to/ba-p/244012) blog post. ### Cloud and on-premises apps conditional access control 
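Review bot: In the hunk at line 677, only the link target changes, but the sentence it supports, "At the present time, conditional access policies are selectively enforced on users on iOS and Android devices", is a dated statement now backed by a blog post that is several years old. Since the line is being edited anyway, verify that the claim still holds and either update it or drop "At the present time".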
@@ -692,7 +692,7 @@ For more information about conditional access, see [Azure Conditional Access Pre For on-premises applications there are two options to enable conditional access control based on a device's compliance state: -- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](https://go.microsoft.com/fwlink/p/?LinkId=691618) blog post. +- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more information, see [Using Azure AD Application Proxy to publish on-premises apps for remote users](/azure/active-directory/app-proxy/what-is-application-proxy). - Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications. :::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png"::: diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index e89957070a..3463eceedc 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -87,6 +87,9 @@ If you don't set or you disable this policy, the PKU2U protocol won't be used to If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work. +### Fix/Remediation + +This vulnerability was fixed on February 9, 2021, in the [CVE-2021-25195](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25195) Security Update. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md new file mode 100644 index 0000000000..19a27eb4d3 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md 
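Review bot: In the pku2u hunk, the new "### Fix/Remediation" section opens with "This vulnerability was fixed", but nothing in the hunk's context names which vulnerability; the paragraph before it describes enabling the policy in a hybrid environment. Add one sentence stating what issue the update addressed, and confirm CVE-2021-25195 is the intended identifier before merging, since the msrc.microsoft.com link is the reader's only way to check it. Also add a blank line between the new paragraph and "## Related topics", and check that a level-3 heading placed directly before a level-2 heading ends up under the section you intend.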
@@ -0,0 +1,56 @@ +--- +title: Testing and Debugging AppId Tagging Policies +description: Testing and Debugging AppId Tagging Policies to ensure your policies are deployed successfully. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: jsuther1974 +ms.author: dansimp +manager: dansimp +ms.date: 04/29/2022 +ms.technology: windows-sec +--- + +# Testing and Debugging AppId Tagging Policies + +**Applies to:** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). + +After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event. + +## Verifying Tags on Running Processes + +After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since WDAC can only tag processes created after the policy has been deployed. + +1. Download and Install the Windows Debugger + + [Microsoft's WinDbg Preview application](https://www.microsoft.com/store/productId/9PGJGD53TN86) can be downloaded from the Store and used to verify tags on running processes. + +2. 
Get the Process ID (PID) of the process under validation + + Using Task Manager, or an equivalent process monitoring tool, locate the PID of the process you wish to inspect. In the example below, we've located the PID for the running process for Microsoft Edge to be 2260. The PID will be used in the next step. + + ![Using Task Manager to locate the process ID - PID.](../images/appid-pid-task-mgr.png) + +3. Use WinDbg to inspect the process + + After opening WinDbg. select File followed by `Attach to Process`, and select the process with the PID identified in the step prior. Finally, select `Attach` to connect to the process. + + ![Attach to the process using WinDbg.](../images/appid-pid-windbg.png) + + Lastly, in the textbox, type `!token` and then press the Enter key to dump the security attributes on the process, including the _POLICYAPPID://_ followed by the key you set in the policy, and its corresponding value in the Value[0] field. + + ![Dump the security attributes on the process using WinDbg.](../images/appid-pid-windbg-token.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md new file mode 100644 index 0000000000..a8ac5aafd1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md 
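Review bot: the "Applies to" list in the new debugging-operational-guide-appid-tagging-policies.md says "Windows Server 2016 and above", but the companion guide added in this same change (windows-defender-application-control-appid-tagging-guide.md) states that AppId Tagging is available only on Windows 10 20H1/20H2/21H1, Windows 11 and Windows Server 2022; align the two. Smaller points in the same file: step 3 "After opening WinDbg. select File" should be "After opening WinDbg, select File", "the step prior" reads better as "the previous step", the file lacks a trailing newline, and ms.assetid 8d6e0474-c475-411b-b095-1c61adb2bdbb is reused by all four new AppIdTagging articles, so each should get its own value.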
@@ -0,0 +1,60 @@ +--- +title: Deploying Windows Defender Application Control AppId Tagging policies (Windows) +description: How to deploy your WDAC AppId Tagging policies locally and globally within your managed environment +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: jsuther1974 +ms.author: dansimp +manager: dansimp +ms.date: 04/29/2022 +ms.technology: windows-sec +--- + +# Deploying Windows Defender Application Control AppId Tagging policies (Windows) + +**Applies to:** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). + +Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy: + +1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm) +1. [Deploy policies with MEMCM](#deploy-appid-tagging-policies-with-memcm) +1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting) +1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp) + +## Deploy AppId Tagging Policies with MDM + +Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). 
+ +## Deploy AppId Tagging Policies with MEMCM + +Custom AppId Tagging policies can deployed via MEMCM using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. + +### Deploy AppId Tagging Policies via Scripting + +Scripting hosts can be used to deploy AppId Tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. The [Deploy WDAC policies using script article](/deployment/deploy-wdac-policies-with-script.md) describes how to deploy WDAC AppId Tagging policies via scripting. Only the method for deploying to version 1903 and above is applicable for AppId Tagging policies. + +### Deploying policies via the ApplicationControl CSP + +Multiple WDAC policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment. + +However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. + +For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use MEM Intune's Custom OMA-URI capability. + +> [!NOTE] +> WMI and GP do not currently support multiple policies. 
Instead, customers who can't directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md new file mode 100644 index 0000000000..e39893ba64 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md 
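Review bot: in the MEMCM section of deploy-appid-tagging-policies.md, "Custom AppId Tagging policies can deployed via MEMCM using the [deployment task sequences](...), policies can be deployed to your managed endpoints and users." is missing "be" and runs two clauses together; suggest "Custom AppId Tagging policies can be deployed to your managed endpoints and users via MEMCM using the deployment task sequences described in ...". The two targets `/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#...` and `/deployment/deploy-wdac-policies-with-script.md` are root-relative paths with `.md` extensions, unlike every other link in these new files, which uses `../` relative paths; verify they resolve. The intro lists four peer deployment methods, but "Deploy AppId Tagging Policies via Scripting" and "Deploying policies via the ApplicationControl CSP" are `###` under the MEMCM `##` while the first two are `##`; make all four the same level. The "Applies to" list has the same "Windows Server 2016 and above" inconsistency as the debugging article.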
@@ -0,0 +1,119 @@ +--- +title: Create your Windows Defender Application Control AppId Tagging Policies +description: Create your Windows Defender Application Control AppId tagging policies for Windows devices. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: jsuther1974 +ms.author: dansimp +manager: dansimp +ms.date: 04/29/2022 +ms.technology: windows-sec +--- + +# Creating your WDAC AppId Tagging Policies + +**Applies to:** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). + +## Create the policy using the WDAC Wizard + +You can use the WDAC Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). + +1. Create a new base policy using the templates: + + Start with the Policy Creator task and select Multiple Policy Format and Base Policy. Select the Base Template to use for the policy. The example below shows beginning with the [Default Windows Mode](../wdac-wizard-create-base-policy.md#template-base-policies) template and build on top of these rules. + + ![Configuring the policy base and template.](../images/appid-wdac-wizard-1.png) + +2. 
Set the following rule-options using the Wizard toggles: + + ![Configuring the policy rule-options.](../images/appid-wdac-wizard-2.png) + +3. Create custom rules: + + Selecting the `+ Custom Rules` button will open the Custom Rules panel. The Wizard supports five types of file rules: + + - Publisher rules: Create a rule based off the signing certificate hierarchy. Additionally, the original filename and version can be combined with the signing certificate for added security. + - Path rules: Create a rule based off the path to a file or a parent folder path. Path rules support wildcards. + - File attribute rules: Create a rule based off a file's immutable properties like the original filename, file description, product name or internal name. + - Package app name rules: Create a rule based off the package family name of an appx/msix. + - Hash rules: Create a rule based off the PE Authenticode hash of a file. + + + For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](../wdac-wizard-create-base-policy.md#creating-custom-file-rules). + +4. Convert to AppId Tagging Policy: + + After the Wizard builds the policy file, open the file in a text editor and remove the entire "Value=131" SigningScenario text block. The only remaining signing scenario should be "Value=12" which is the usermode application section. Next, open PowerShell in an elevated prompt and run the following command. Replace the AppIdTagging Key-Value pair for your scenario: + + ```powershell + Set-CIPolicyIdInfo -ResetPolicyID -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue" + ``` + The policyID GUID will be returned by PowerShell if successful. + +## Create the policy using PowerShell + +Using this method, you'll create an AppId Tagging policy directly using the WDAC PowerShell commands. 
These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md). In an elevate PowerShell instance: + +1. Create an AppId rule for the policy based on a combination of the signing certificate chain and version of the application. In the example below, the level has been set to SignedVersion. Any of the [WDAC File Rule Levels](../select-types-of-rules-to-create.md#table-2-windows-defender-application-control-policy---file-rule-levels) can be used in AppId rules: + + ```powershell + $rule = New-CiPolicyRule -Level SignedVersion -DriverFilePath + ``` +2. Create the AppId Tagging Policy. Replace the AppIdTagging Key-Value pair for your scenario: + + ```powershell + New-CIPolicy -rules $rule -FilePath .\AppIdPolicy.xml -AppIdTaggingPolicy -AppIdTaggingKey "MyKey" -AppIdTaggingValue "MyValue" + ``` +3. Set the rule-options for the policy: + + ```powershell + Set-RuleOption -Option 0 .\AppIdPolicy.xml # Usermode Code Integrity (UMCI) + Set-RuleOption -Option 16 .\AppIdPolicy.xml # Refresh Policy no Reboot + Set-RuleOption -Option 18 .\AppIdPolicy.xml # (Optional) Disable FilePath Rule Protection + ``` + + If you're using filepath rules, you'll likely want to set option 18. Otherwise, there's no need. + +4. Set the name and ID on the policy, which is helpful for future debugging: + + ```powershell + Set-CIPolicyIdInfo -ResetPolicyId -PolicyName "MyPolicyName" -PolicyId "MyPolicyId"" -AppIdTaggingPolicy -FilePath ".\AppIdPolicy.xml" + ``` + The policyID GUID will be returned by PowerShell if successful. + +## Deploy for Local Testing + +After creating your AppId Tagging policy in the above steps, you can deploy the policy to your local machine for testing before broadly deploying the policy to your endpoints: + +1. Depending on your deployment method, convert the xml to binary: + + ```powershell + Convertfrom-CIPolicy .\policy.xml ".\{PolicyIDGUID}.cip" + ``` + +2. 
Optionally, deploy it for local testing: + + ```powershell + copy ".\{Policy ID}.cip" c:\windows\system32\codeintegrity\CiPolicies\Active\ + ./RefreshPolicy.exe + ``` + + RefreshPolicy.exe is available for download from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=102925). + +## Next Steps +For more information on debugging and broad deployment of the AppId Tagging policy, see [Debugging AppId policies](./debugging-operational-guide-appid-tagging-policies.md) and [Deploying AppId policies](deploy-appid-tagging-policies.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md new file mode 100644 index 0000000000..97105395a8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md 
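Review bot: two of the PowerShell samples in design-create-appid-tagging-policies.md will not run as written: `New-CiPolicyRule -Level SignedVersion -DriverFilePath` is missing the path argument for `-DriverFilePath` (e.g. `-DriverFilePath "<path to the application binary>"`), and `-PolicyId "MyPolicyId""` has a stray closing quote. Filenames and placeholders are also inconsistent across steps: the policy is created as `.\AppIdPolicy.xml` but converted as `.\policy.xml`, and the binary is written as `.\{PolicyIDGUID}.cip` then copied as `.\{Policy ID}.cip`; use one name for each so the steps can be followed verbatim. Minor: "In an elevate PowerShell instance" should be "elevated"; "shows beginning with the ... template and build on top of these rules" should be "shows a policy that begins with the ... template and builds on its rules"; Wizard step 2 ("Set the following rule-options using the Wizard toggles") relies entirely on a screenshot, so list the options in text as the PowerShell section does (options 0, 16 and 18); the file lacks a trailing newline.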
@@ -0,0 +1,53 @@ +--- +title: Designing, creating, managing and troubleshooting Windows Defender Application Control AppId Tagging policies (Windows) +description: How to design, create, manage and troubleshoot your WDAC AppId Tagging policies +keywords: security, malware, firewall +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: jsuther1974 +ms.author: dansimp +manager: dansimp +ms.date: 04/27/2022 +ms.technology: windows-sec +--- + +# WDAC Application ID (AppId) Tagging guide + +**Applies to** + +- Windows 10 +- Windows 11 +- Windows Server 2022 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). + +## AppId Tagging Feature Overview + +The Application ID (AppId) Tagging Policy feature, while based off WDAC, does not control whether applications will run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy will receive the tag while failing applications won't. + +## AppId Tagging Feature Availability + +The WDAC AppId Tagging feature is available on the following versions of the Windows platform: + +Client: +- Windows 10 20H1, 20H2 and 21H1 versions only +- Windows 11 + +Server: +- Windows Server 2022 + +## In this section + +| Topic | Description | +| - | - | +| [Designing and Creating AppId Policies](design-create-appid-tagging-policies.md) | This topic covers how to design and create AppId Tagging policies. | +| [Deploying AppId Policies](deploy-appid-tagging-policies.md) | This topic covers how to deploy AppId Tagging policies. 
| +| [Debugging AppId Policies](debugging-operational-guide-appid-tagging-policies.md) | This topic covers how to debug and view events from AppId Tagging policies. | diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 53aae67283..2f007e159d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -46,9 +46,9 @@ - name: Policy creation for common WDAC usage scenarios href: types-of-devices.md items: - - name: Create a WDAC policy for lightly-managed devices + - name: Create a WDAC policy for lightly managed devices href: create-wdac-policy-for-lightly-managed-devices.md - - name: Create a WDAC policy for fully-managed devices + - name: Create a WDAC policy for fully managed devices href: create-wdac-policy-for-fully-managed-devices.md - name: Create a WDAC policy for fixed-workload devices href: create-initial-default-policy.md @@ -101,7 +101,7 @@ href: disable-windows-defender-application-control-policies.md - name: LOB Win32 Apps on S Mode href: LOB-win32-apps-on-s.md - - name: Windows Defender Application Control operational guide + - name: WDAC operational guide href: windows-defender-application-control-operational-guide.md items: - name: Understanding Application Control event tags 
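Review bot: in windows-defender-application-control-appid-tagging-guide.md the "Applies to" list says "Windows Server 2022 and above" while the availability section a few lines later says "Windows Server 2022" only (and for clients "Windows 10 20H1, 20H2 and 21H1 versions only"); pick one statement and make the other three new AppIdTagging articles, which say "Windows Server 2016 and above", consistent with it. Also "while based off WDAC" should be "while based on WDAC", the keywords line includes "firewall", which does not fit this topic, ms.date 04/27/2022 differs from the 04/29/2022 used by the sibling articles, and the "**Applies to**" line lacks the colon the siblings use.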
@@ -114,6 +114,15 @@ href: operations/known-issues.md - name: Managed installer and ISG technical reference and troubleshooting guide href: configure-wdac-managed-installer.md + - name: WDAC AppId Tagging guide + href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md + items: + - name: Creating AppId Tagging Policies + href: AppIdTagging/design-create-appid-tagging-policies.md + - name: Deploying AppId Tagging Policies + href: AppIdTagging/deploy-appid-tagging-policies.md + - name: Testing and Debugging AppId Tagging Policies + href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md - name: AppLocker href: applocker\applocker-overview.md items: diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 9e1b49b4c8..68bc7639b6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md 
@@ -162,3 +162,80 @@ To add this CLSID to the existing policy, follow these steps: ``` +### Default COM Object Allow List + + + +| File Name | CLSID | +|--------|-----------| +| scrrun.dll | EE09B103-97E0-11CF-978F-00A02463E06F | +| scrrun.dll | 0D43FE01-F093-11CF-8940-00A0C9054228 | +| vbscript.dll | 3F4DACA4-160D-11D2-A8E9-00104B365C9F | +| WEX.Logger.Log | 70B46225-C474-4852-BB81-48E0D36F9A5A | +| TE.Common.TestData | 1d68f3c0-b5f8-4abd-806a-7bc57cdce35a | +| TE.Common.RuntimeParameters | 9f3d4048-6028-4c5b-a92d-01bc977af600 | +| TE.Common.Verify | e72cbabf-8e48-4d27-b14e-1f347f6ec71a | +| TE.Common.Interruption | 5850ba6f-ce72-46d4-a29b-0d3d9f08cc0b | +| msxml6.dll | 2933BF90-7B36-11d2-B20E-00C04F983E60 | +| msxml6.dll | ED8C108E-4349-11D2-91A4-00C04F7969E8 | +| mmcndmgr.dll | ADE6444B-C91F-4E37-92A4-5BB430A33340 | +| puiobj.dll | B021FF57-A928-459C-9D6C-14DED0C9BED2 | +| wdtf.dll | 041E868E-0C7D-48C6-965F-5FD576530E5B | +| wdtfedtaction.dll | 0438C02B-EB9C-4E42-81AD-407F6CD6CDE1 | +| wdtfioattackaction.dll | 078B1F7D-C34C-4B13-A7C3-9663901650F1 | +| wdtfmutt2tcdsimpleioaction.dll | 0ABB2961-2CC1-4F1D-BE8E-9D330D06B77D | +| wdtfdriverpackageaction.dll | 0D7237E6-930F-4682-AD0A-52EBFFD3AEE3 | +| wdtf.dll | 0D972387-817B-46E7-913F-E9993FF401EB | +| wdtf.dll | 0E770B12-7221-4A5D-86EE-77310A5506BB | +| wdtfdriversetupdeviceaction.dll | 0FA57208-5100-4CD6-955C-FE69F8898973 | +| wdtf.dll | 1080A020-2B47-4DA9-8095-DBC9CEFFFC04 | +| wdtfnetworksimpleioaction.dll | 10CF2E12-1681-4C53-ADC0-932C84832CD8 | +| wdtf.dll | 140F2286-3B39-4DE1-AF94-E083DEEA6BB9 | +| wdtfinterfaces.dll | 1A7D6D61-4FE5-42E2-8F23-4FC1731C474F | +| wdtfaudiosimpleioaction.dll | 1C658D42-4256-4743-A4C5-90BF3A3A186A | +| wdtf.dll | 2236B1F3-4A33-48C2-B22C-A1F93A626F05 | +| wdtfsystemaction.dll | 23440924-1AB0-41F2-A732-B75069E5C823 | +| wdtfdriversetupsystemaction.dll | 238C0AEB-1DFC-4575-AAF3-C67FE15C1819 | +| wdtffuzztestaction.dll | 23D0E542-0390-4873-9AC7-EF86E95E5215 | +| wdtf.dll | 
240FA08C-1D70-40CB-BDB3-2CC41A45496B | +| wdtf.dll | 26CC4211-A9A6-4E5C-A30D-3C659BB4CDC9 | +| wdtf.dll | 28EE5F0B-97D8-4A59-BAC8-A8A80E11F56B | +| wdtf.dll | 2C9AF7D6-2589-4413-A2BA-9926EBCFD67C | +| wdtf.dll | 32A9798D-987F-489E-8DB6-2EFB240248BD | +| wdtfinterfaces.dll | 3C0B0D50-611A-4368-AC87-4488D6E0C4A7 | +| wdtfcdromsimpleioaction.dll | 3F2C07F3-199B-4165-A948-B8B59A97FCC5 | +| wdtf.dll | 485785D3-8820-4C3D-A532-4C0F66392A30 | +| wdtfinterfaces.dll | 5EAE59BE-6946-44B7-A7B3-1D59811B246A | +| wdtfiospyaction.dll | 698F6A82-7833-4499-8BA5-2145D604ABD4 | +| wdtfdevicesupportaction.dll | 69D94D1B-0833-40D4-9AE7-7FC6F64F2624 | +| wdtf.dll | 6EE5B280-3B0F-4358-9E20-99F169FAA700 | +| wdtfmuttsimpleioaction.dll | 7776915A-0370-49A7-90B7-20EB36E80B6D | +| wdtfcpuutilizationsystemaction.dll | 7926C7DE-299C-4B09-BB1B-649A4B917ED0 | +| wdtfwirelesssimpleioaction.dll | 7A686BCD-9203-435C-8B06-9D7E7A518F98 | +| wdtfbluetoothsimpleioaction.dll | 7E6C4615-6184-4077-A150-5D30F29993A4 | +| wdtf.dll | 9663A00A-5B72-4810-9014-C77108062949 | +| wdtfinterfaces.dll | 9C261B2B-DBD6-4087-B636-ABE1607989E8 | +| wdtfwebcamsimpleioaction.dll | A1B74619-F02D-4574-8091-2AADD46A5B2B | +| wdtf.dll | A2FD15D7-64F0-4080-AABD-884380202022 | +| wdtfvolumesimpleioaction.dll | AC91E813-B116-4676-AE33-2988B590F3C7 | +| wdtfconcurrentioaction.dll | AE278430-ABC2-49D1-AF30-910B9A88CB1E | +| wdtf.dll | B43FF7F1-629C-4DE5-9559-1D09E0A07037 | +| wdtfdriververifiersystemaction.dll | B7770265-B643-4600-A60B-93F9BA9F4B24 | +| wdtfpnpaction.dll | B8D74985-4EB9-46AA-B2ED-DD2D918849DF | +| wdtfmobilebroadbandsimpleioaction.dll | BCFBBB02-4DA5-466C-9DA7-DC672877B075 | +| wdtf.dll | BE56FAD1-A489-4508-ABB7-3348E1C2C885 | +| wdtfpnpaction.dll | C0B6C572-D37D-47CC-A89D-E6B9E0852764 | +| wdtfioattackaction.dll | C88B324E-6B26-49BC-9D05-A221F15D7E13 | +| wdtfsensorsiosimpleioaction.dll | C8BF7EC0-C746-4DE8-BA46-34528C6329FB | +| wdtfanysimpleioaction.dll | C8C574DA-367B-4130-AED6-1EA61A5C6A4B | +| 
simpleio_d3dtest.dll | CBC36BDB-A6BC-4383-8194-659470553488 | +| wdtfsystemaction.dll | D30E1E07-AA39-4086-A7E6-9245FBD0A730 | +| wdtf.dll | DD34E741-139D-4F4C-A1E2-D4184FCDD4F9 | +| wdtfsupaction.dll | EA48171B-4265-48C3-B56B-70B175A7FDFA | +| wdtfinterfaces.dll | EB9DB874-D23D-44D5-A988-85E966322843 | +| wdtfinterfaces.dll | ED05EF76-09A9-4409-90CA-C5D0711CA057 | +| wdtfwpdsimpleioaction.dll | EEA17F2B-8E8E-41A3-9776-A87FACD625D0 | +| wdtfinterfaces.dll | F30FC2BB-F424-4A1F-8F95-68CFEE935E92 | +| wdtfedtaction.dll | F6694E02-5AD0-476D-BD2D-43F7E5D10AF6 | +| wdtfsmartcardreadersimpleioaction.dll | FA6F7E49-76C6-490C-B50E-8B1E8E0EEE2A | +| wdtfiospyaction.dll | FE36026D-CDA8-4514-B3D9-57BDA3870D0C | diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index e5b26ce22e..a644bac95c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -62,6 +62,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML + ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index 92f944b419..bc7f23ee67 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md 
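Review bot: the new "### Default COM Object Allow List" in allow-com-object-registration-in-windows-defender-application-control-policy.md is followed by two blank lines and has no introductory sentence; add one line saying what the list is (which COM objects are allowed by default, and whether they still need the explicit rule described above) and drop the extra blank line. The "File Name" column also mixes module names (scrrun.dll) with ProgIDs (WEX.Logger.Log, TE.Common.TestData), and the CLSID column mixes upper- and lowercase hex (1d68f3c0-b5f8-4abd-806a-7bc57cdce35a next to EE09B103-97E0-11CF-978F-00A02463E06F); rename or split the first column and normalize the case so the values can be compared against policy XML by eye.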
@@ -90,3 +90,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w ``` This command will show the raw XML to verify the individual rules that were set. + +## Remove Managed Installer feature + +To remove the Managed Installed from the device, you will need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule - To clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems). diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 557e9d9716..1b9d67ff10 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 02/01/2022 +ms.date: 04/30/2022 ms.technology: windows-sec --- 
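Review bot: in the new "## Remove Managed Installer feature" section of configure-wdac-managed-installer.md, "To remove the Managed Installed from the device" should read "To remove the Managed Installer from the device". The instruction also links to "To clear AppLocker policies on a single system or remote systems", which clears every AppLocker rule, not just the Managed Installer rule collection; either point at removing only that rule collection or call out that other AppLocker rules on the device are removed too.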
@@ -39,7 +39,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind | 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. | | 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. | | 3089 | This event contains signature information for files that were blocked or would have been blocked by WDAC. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the "Correlation ActivityID" found in the "System" portion of the event. | -| 3099 | Indicates that a policy has been loaded. This event also includes information about the policy options that were specified by the policy. Refer to the | +| 3099 | Indicates that a policy has been loaded. This event also includes information about the WDAC policy options that were specified by the WDAC policy. | ## WDAC events found in the Microsoft Windows AppLocker MSI and Script log 
@@ -57,7 +57,7 @@ Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or | Event ID | Explanation | |--------|---------| | 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. | -| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the policy is in audit mode. | +| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the WDAC policy is in audit mode. | | 3092 | This event is the enforcement mode equivalent of 3091. | The above events are reported per active policy on the system, so you may see multiple events for the same file. @@ -72,8 +72,8 @@ The following information is found in the details for 3090, 3091, and 3092 event | PassesManagedInstaller | Indicates whether the file originated from a MI | | SmartlockerEnabled | Indicates whether the specified policy enables ISG trust | | PassesSmartlocker | Indicates whether the file had positive reputation according to the ISG | -| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | -| PolicyName | The name of the policy to which the event applies | +| AuditEnabled | True if the WDAC policy is in audit mode, otherwise it is in enforce mode | +| PolicyName | The name of the WDAC policy to which the event applies | ### Enabling ISG and MI diagnostic events 
@@ -109,7 +109,7 @@ For a simple solution for converting hex to binary, follow these steps. This view will provide the hex code in binary form, with each bit address shown separately. The bit addresses start at 0 in the bottom right. Each bit address correlates to a specific event policy-rule option. If the bit address holds a value of 1, the setting is in the policy. -Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options). For example, if the bit address of 16 holds a value of 1, then the “Enabled:Audit Mode (Default)” is in the policy meaning the policy is in audit mode. +Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the “Enabled:Audit Mode (Default)” is in the policy meaning the policy is in audit mode. | Bit Address | Policy Rule Option | |-------|------| 
@@ -149,28 +149,38 @@ A list of other relevant event IDs and their corresponding description. | 3023 | The driver file under validation did not meet the requirements to pass the application control policy. | | 3024 | Windows application control was unable to refresh the boot catalog file. | | 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. | +| 3032 | The file under validation is revoked by the system or the file has a signature that has been revoked. | 3033 | The file under validation did not meet the requirements to pass the application control policy. | -| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. | +| 3034 | The file under validation would not meet the requirements to pass the application control policy if the WDAC policy was enforced. The file was allowed since the WDAC policy is in audit mode. | | 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | -| 3064 | If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. | -| 3065 | [Ignored] If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. | +| 3064 | If the WDAC policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the WDAC policy is in audit mode. | +| 3065 | If the WDAC policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. 
| | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | -| 3075 | This event monitors the performance of the Code Integrity policy check a file. | +| 3075 | This event measures the performance of the WDAC policy check during file validation. | +| 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. | +| 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. | | 3079 | The file under validation did not meet the requirements to pass the application control policy. | -| 3080 | If the policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. | +| 3080 | If the WDAC policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. | | 3081 | The file under validation did not meet the requirements to pass the application control policy. | -| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | -| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | -| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | +| 3082 | If the WDAC policy was in enforced mode, the non-WHQL driver would have been denied by the WDAC policy. | +| 3084 | Code Integrity will enforce the WHQL driver signing requirements on this boot session. | +| 3085 | Code Integrity will not enforce the WHQL driver signing requirements on this boot session. | | 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. | -| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | -| 3097 | The Code Integrity policy cannot be refreshed. 
| +| 3089 | This event contains signature information for files that were blocked or would have been blocked by WDAC. One 3089 event is created for each signature of a file. | +| 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. | +| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the WDAC policy is in audit mode. | +| 3092 | This event is the enforcement mode equivalent of 3091. | +| 3095 | The WDAC policy cannot be refreshed and must be rebooted instead. | +| 3096 | The WDAC policy was not refreshed since it is already up-to-date. | +| 3097 | The WDAC policy cannot be refreshed. | +| 3099 | Indicates that a policy has been loaded. This event also includes information about the WDAC policy options that were specified by the WDAC policy. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | -| 3101 | Code Integrity started refreshing the policy. | -| 3102 | Code Integrity finished refreshing the policy. | -| 3103 | Code Integrity is ignoring the policy refresh. | +| 3101 | The system started refreshing the WDAC policy. | +| 3102 | The system finished refreshing the WDAC policy. | +| 3103 | The system is ignoring the WDAC policy refresh. | | 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. | -| 3105 | Code Integrity is attempting to refresh the policy. | +| 3105 | The system is attempting to refresh the WDAC policy. | | 3108 | Windows mode change event was successful. | | 3110 | Windows mode change event was unsuccessful. | | 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | +| 3112 | The file under validation is signed by a certificate that has been explicitly revoked by Windows. | 
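Review bot: Row 3065 drops the "[Ignored]" qualifier from the old description without saying whether the event is still suppressed; if the audit-mode DLL case now surfaces as 3064 instead, say so, otherwise keep the marker so nobody builds alerting on an event that never fires. Row 3090 opens with "*Optional*" in italics while no other row carries a status marker; either fold it into the sentence ("This event is optional and indicates ...") or apply the same marker to the other audit-only rows (3076, 3091). Rows 3076 and 3077 are introduced as the main block events, but the table never says how they relate to the per-signature 3089 rows added just below; one sentence noting that each blocked or would-be-blocked file produces one 3089 per signature alongside its 3076/3077 would save readers correlating them by hand.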
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 21ff82c26f..3acb16d6e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: denisebmsft -ms.reviewer: isbrahm +ms.reviewer: jgeurten ms.author: deniseb manager: dansimp ms.date: 07/29/2021 @@ -45,3 +45,4 @@ ms.technology: windows-sec | COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available | | Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ | | Enforceable file types |
                    • Driver files: .sys
                    • Executable files: .exe and .com
                    • DLLs: .dll and .ocx
                    • Windows Installer files: .msi, .mst, and .msp
                    • Scripts: .ps1, .vbs, and .js
                    • Packaged apps and packaged app installers: .appx
                    |
                    • Executable files: .exe and .com
                    • [Optional] DLLs: .dll and .ocx
                    • Windows Installer files: .msi, .mst, and .msp
                    • Scripts: .ps1, .bat, .cmd, .vbs, and .js
                    • Packaged apps and packaged app installers: .appx
                    | +| Application ID (AppId) Tagging | [Available on 20H1+](./AppIdTagging/windows-defender-application-control-appid-tagging-guide.md) | Not available | \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/images/appid-pid-task-mgr.png b/windows/security/threat-protection/windows-defender-application-control/images/appid-pid-task-mgr.png new file mode 100644 index 0000000000..f7cd17263a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/appid-pid-task-mgr.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/appid-pid-windbg-token.png b/windows/security/threat-protection/windows-defender-application-control/images/appid-pid-windbg-token.png new file mode 100644 index 0000000000..03e545c23f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/appid-pid-windbg-token.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/appid-pid-windbg.png b/windows/security/threat-protection/windows-defender-application-control/images/appid-pid-windbg.png new file mode 100644 index 0000000000..28427dbe43 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/appid-pid-windbg.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/appid-wdac-wizard-1.png b/windows/security/threat-protection/windows-defender-application-control/images/appid-wdac-wizard-1.png new file mode 100644 index 0000000000..a416e7469c Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/appid-wdac-wizard-1.png differ 
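Review bot: The added "Application ID (AppId) Tagging" row has no trailing newline ("\ No newline at end of file"), so the next row appended to this table will show up as a change to this line as well; end the file with a newline. Also check the casing of the `./AppIdTagging/` directory against the folder actually added in this change, since every other relative link in the table is lowercase and a case-sensitive build will break the link if the directory name differs.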
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/appid-wdac-wizard-2.png b/windows/security/threat-protection/windows-defender-application-control/images/appid-wdac-wizard-2.png new file mode 100644 index 0000000000..818dbc85fe Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/appid-wdac-wizard-2.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 71779ec0d3..c3bdab9f89 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -15,7 +15,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 08/23/2021 +ms.date: 09/29/2021 --- # Microsoft recommended block rules @@ -88,6 +88,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you | `Alex Ionescu` | `@aionescu`| | `Brock Mammen`| | | `Casey Smith` | `@subTee` | +| `James Forshaw` | `@tiraniddo` | | `Jimmy Bayne` | `@bohops` | | `Kim Oppalfens` | `@thewmiguy` | | `Lasse Trolle Borup` | `Langkjaer Cyber Defence` | 
@@ -119,1437 +120,1434 @@ Microsoft recommends that you block the following Microsoft-signed applications Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section. ```xml - - - 10.0.0.0 - {A244370E-44C9-4C06-B551-F6016E563076} - {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + 10.0.0.0 + {A244370E-44C9-4C06-B551-F6016E563076} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} - - - - - - - - - - - - + + + + + + + + + + + + + + + - + --> + + --> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + --> + + --> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - 0 - + + + 0 + ```
                    @@ -1558,4 +1556,4 @@ Select the correct version of each .dll for the Windows release you plan to supp ## More information -- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) \ No newline at end of file +- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index ab24b47475..2f252dac4f 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -27,7 +27,7 @@ You can add information about your organization in a contact card to the Windows ![The Windows Security custom fly-out.](images/security-center-custom-flyout.png) -This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)). +This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)). Users can select the displayed information to initiate a support request: 
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index 2f22a993dd..40b96ae917 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -84,7 +84,7 @@ You can find more information about each section, including options for configur > >Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). > -> Disabling the Windows Security Center Service will not disable Microsoft Defender Antivirus or [Windows Defender Firewall](/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). +> Disabling the Windows Security Center Service will not disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md). > [!WARNING] > If you disable the Windows Security Center Service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 65ecfd3af8..792686a4b3 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md 
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -70,7 +70,7 @@ Other examples of incompatibility include: - Network monitoring tools might be unable to parse ESP packets that are not encrypted (ESP-Null). - >**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226). + >**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](/message-analyzer/microsoft-message-analyzer-operating-guide).   ## Network address translation (NAT) diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index 3a143a59c5..579ef8f647 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md 
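Review bot: The new link target contradicts the sentence around it. The note still says the latest version of Message Analyzer "is available on the Microsoft Download Center", but the target is now the Message Analyzer operating guide under `/message-analyzer/`, which is documentation, not a download. Reword along the lines of "see the [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide)" and, since Microsoft retired the tool, drop the download claim so administrators are not sent looking for an installer that is no longer published.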
@@ -62,8 +62,6 @@ In some cases, IPsec-secured traffic might have to pass through a router, perime In the case of a filtering router or a firewall, you must configure these devices to allow IPsec traffic to be forwarded. Configure the firewall to allow IPsec traffic on UDP source and destination port 500 (IKE), UDP source and destination port 4500 (IPsec NAT-T), and IP Protocol 50 (ESP). You might also have to configure the firewall to allow IPsec traffic on IP protocol 51 (AH) to allow troubleshooting by IPsec administrators and to allow the IPsec traffic to be inspected. -For more info, see [How to Enable IPsec Traffic Through a Firewall](https://go.microsoft.com/fwlink/?LinkId=45085). - ## Network load balancing and server clusters There are challenges implementing connection security for network traffic going to and from network load balancing (NLB) clusters and server clusters. NLB enables multiple servers to be clustered together to provide high availability for a service by providing automatic failover to other nodes in the cluster. Because IPsec matches a security association to a specific device, it prevents different devices from handling the same client connection. If a different node in the cluster responds to an IPsec connection that was originally established by another node, the traffic will be dropped by the client device as untrusted. 
@@ -82,6 +80,6 @@ In general, IPsec defeats network-based prioritization and port- or protocol-bas Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor cannot parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both devices. -Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226). +Message Analyzer is available on the [Microsoft Download Center](/message-analyzer/microsoft-message-analyzer-operating-guide). **Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index d64c7e44ba..40645e4078 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md 
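Review bot: Link text and target disagree in the changed line: "Message Analyzer is available on the [Microsoft Download Center]" now resolves to the operating guide rather than a download page. Rewrite the sentence to describe the guide, and because the paragraph above tells readers to switch to ESP-null to diagnose software-encrypted traffic, consider naming a capture tool that can still be obtained, otherwise the troubleshooting advice depends on a product that is no longer distributed.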
@@ -27,7 +27,7 @@ ms.technology: windows-sec Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. -Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/microsoft-digital-defense-report). +Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/security-intelligence-report). Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network. 
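Review bot: This swaps the report link from the Microsoft Digital Defense Report URL back to the older `security-intelligence-report` URL while the link text stays "Microsoft Security Intelligence Report". The SIR series was succeeded by the Digital Defense Report, so confirm the older URL still resolves to the report rather than a generic landing page; if the aim is to cite current APT overview material, keep the newer URL and change the link text to match. The unchanged context line above also has "Portable device are often taken" (should be "devices") and "what can stop it?" referring to plural "attacks"; worth fixing in the same pass.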
diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 61ffa9d578..7ae486d08d 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -35,7 +35,8 @@ In these procedures, you confirm that the rules you deployed are working correct - **Encryption zone.** Similar to the main isolation zone, after you confirm that the network traffic to zone members is properly authenticated and encrypted, you must convert your zone rules from request mode to require mode. ->**Note:**  In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from . Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them. +> [!NOTE] +> In addition to the steps shown in this procedure, you can also use network traffic capture tools such as [Microsoft Network Monitor](https://www.microsoft.com/download/4865). Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them. **Administrative credentials** diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 23ab9c183a..281436db6f 100644 
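Review bot: The conversion to a `[!NOTE]` alert is right and the dangling "downloaded from ." is finally a working link. One caveat on the wording carried over into the new line: "Current versions of these tools include full support for IPsec" overstates the situation for Network Monitor, whose last release (3.4, the linked download) is archived and no longer updated; "Network Monitor 3.4 and similar tools" would avoid implying ongoing maintenance. The closing clause is the one that matters for this procedure and is accurate: these tools can identify IPsec-protected packets but cannot decrypt them.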
--- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md 
@@ -234,33 +234,6 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) - [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf) -### Windows XP and Windows Server 2003 - -- [Security Target - Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](https://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf) -- [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc) -- [Windows Server 2003 SP2 R2 Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949) -- [Windows Server 2003 SP2 R2 Configuration Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc) -- [Windows Server 2003 SP1 Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc) -- [Windows Server 2003 SP1 Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38) -- [Windows Server 2003 with x64 Hardware Administrator's Guide](https://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef) -- [Windows Server 2003 with x64 Hardware Configuration Guide](https://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8) -- [Windows XP Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee) -- [Windows XP Configuration Guide 
3.0](https://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694) -- [Windows XP User Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779) -- [Windows XP Professional with x64 Hardware Administrator's Guide](https://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431) -- [Windows XP Professional with x64 Hardware Configuration Guide](https://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54) -- [Windows XP Professional with x64 Hardware User’s Guide](https://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569) -- [Windows XP Professional Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60) -- [Windows XP Professional Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de) -- [Windows XP Professional User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8) -- [Windows XP / Windows Server 2003 with x64 Hardware ETR](https://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef) -- [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](https://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658) -- [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](https://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) -- [Windows XP Professional SP2 and x64 SP2 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) -- [Windows XP Embedded SP2 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) -- [Windows XP and Windows Server 2003 
ETR](https://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265) -- [Windows XP and Windows Server 2003 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf) - ### Windows Server 2003 Certificate Server - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index 207c4d7600..f226465d77 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -43,7 +43,7 @@ No. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are c **Does SCT support the creation of Microsoft Endpoint Manager DCM packs?** -No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO Backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). +No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO Backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). **Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?** 
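Review bot: Removing the "Windows XP and Windows Server 2003" section is inconsistent with the context that follows it: the "### Windows Server 2003 Certificate Server" section and its Security Target link are kept, so Windows Server 2003 still appears for one component but not for the operating system. Either remove that section in the same change or state the criterion being applied (for example, dropping evaluations for products past end of support) in the PR description. Since this page serves as a record of certifications, a short pointer to the Common Criteria portal for retired evaluations would keep the removed entries discoverable for anyone auditing an older deployment.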
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 3058486461..689b70bef4 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -45,6 +45,7 @@ The Security Compliance Toolkit consists of: - Windows Server 2012 R2 - Microsoft Office security baseline + - Office 2016 - Microsoft 365 Apps for Enterprise Version 2112 - Microsoft Edge security baseline diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 3c1c1c14e2..c1c29d8f63 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -36,7 +36,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e ### AppLocker -AppLocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md) for a list of operating system requirements. +AppLocker was available for Windows 8.1, and is improved with Windows 10. See [Requirements to use AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker) for a list of operating system requirements. Enhancements to AppLocker in Windows 10 include: diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index f8d9f514e0..e7ad13d805 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md 
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md 
@@ -104,7 +104,7 @@ In Windows 10, security auditing has added some improvements: In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: - [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. -- [Audit PNP Activity](/windows/device-security/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. +- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. 
A list of hardware vendor IDs are included in the event. @@ -193,7 +193,7 @@ Event ID 4826 has been added to track the following changes to the Boot Configur Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. -[Learn how to manage your security audit policies within your organization](/windows/device-security/auditing/security-auditing-overview). +[Learn how to manage your security audit policies within your organization](/windows/security/threat-protection/auditing/security-auditing-overview). ### Trusted Platform Module diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 4703489ace..509b7d10a0 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md 
@@ -102,12 +102,12 @@ Windows Information Protection (WIP) helps to protect against this potential dat ### Windows Defender Several new features and management options have been added to Windows Defender in Windows 10, version 1607. -- [Windows Defender Offline in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. -- [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans. -- [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal. -- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus). -- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. +- [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media. +- [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans. 
+- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. +- [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal. +- [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus). +- [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times. ### Microsoft Defender for Endpoint diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 84777b43cf..a62e914365 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -125,27 +125,27 @@ You can read more about ransomware mitigations and detection capability in Micro Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10 and the new capabilities in Windows 10, version 1703 see [Microsoft Defender for Endpoint for Windows 10 Creators Update](/windows/deployment/deploy-whats-new). ### Microsoft Defender Antivirus -Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). +Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on: -- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus) -- [Managing updates](/windows/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) -- [Reporting](/windows/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus) -- [Configuring features](/windows/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) -- [Troubleshooting](/windows/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus) +- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus) +- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus) +- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus) +- [Configuring 
features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features) +- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus) Some of the highlights of the new library include: -- [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) -- [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus) +- [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) +- [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus) New features for Microsoft Defender AV in Windows 10, version 1703 include: -- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) -- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) -- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus) +- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) +- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus) +- [Microsoft Defender Antivirus protection in the Windows Defender Security Center 
app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus) -In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). +In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). You can read more about ransomware mitigations and detection capability in Microsoft Defender AV in the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). 
@@ -167,7 +167,7 @@ You can now reset a forgotten PIN without deleting company managed data or apps For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. -For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). +For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). ### Windows Information Protection (WIP) and Azure Active Directory (Azure AD) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). 
@@ -186,7 +186,7 @@ Windows Update for Business managed devices are now able to defer feature update ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows-insider/business/register). ### Optimize update delivery 
@@ -244,7 +244,7 @@ For more info, see [Implement server-side support for mobile application managem ### MDM diagnostics -In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. +In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. 
Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index e1c64c7943..905d4ff2dd 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -46,9 +46,9 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett ## Update -### Windows Update for Business (WUfB) +### Windows Update for Business -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). +Windows Update for Business now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). ### Windows Insider Program for Business 
@@ -87,7 +87,7 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c ### Microsoft Defender for Endpoint -Microsoft Defender for Endpoint has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Microsoft Defender for Endpoint Security analytics dashboard](/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection). +Microsoft Defender for Endpoint has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Microsoft Defender for Endpoint Security analytics dashboard](/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices). ### Windows Defender Application Guard diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 0afb63e954..f2f4dc5964 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md 
@@ -120,7 +120,7 @@ For more information, see [Windows Setup Command-Line Options](/windows-hardware SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. -### Windows Update for Business (WUfB) +### Windows Update for Business Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure). diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 7e050b3435..9ce31284cc 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -157,7 +157,7 @@ A network connection is now required to set up a new device. As a result, we rem - [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics)
                    Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. -- [Custom detection](/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
                    +- [Custom detection](/microsoft-365/security/defender/custom-detections-overview)
                    With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
                    diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index a048b03c95..35ed9f16c3 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -138,7 +138,7 @@ Several new features are coming in the next version of Edge. See the [news from ## See Also -[What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
                    +[What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903-1909): New and updated features in Windows Server.
                    [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
                    [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
                    [What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
                    diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 3c99daca0f..3b33b31e96 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -36,9 +36,9 @@ Pre-release Windows 10 feature updates are now available to IT administrators us The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. -### Windows Update for Business (WUfB) +### Windows Update for Business -If you are using WUfB, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy. +If you are using Windows Update for Business, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy. ## Security 
@@ -56,7 +56,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a ### Transport Layer Security (TLS) -An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/platform/status/tls13/). +An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/) ## Virtualization diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index e3d23c3da3..726580724f 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md 
@@ -263,6 +263,6 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha - [What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10. - [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers. - [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses. -- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features. +- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features. - [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features. - [Windows 10 features we're no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed. diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index dabd888d3d..2fdba9bd26 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md 
@@ -24,7 +24,7 @@ This article lists new and updated features and content that is of interest to I Windows 10, version 21H1 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H1-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), 21H1 is serviced for 18 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions. -For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2 have the ability to update quickly to version 21H1 via an enablement package. For more details, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736). +For details on how to update your device, or the devices in your organization, see [How to get the Windows 10 May 2021 Update](https://blogs.windows.com/windowsexperience/?p=175674). Devices running Windows 10, versions 2004 and 20H2, have the ability to update quickly to version 21H1 via an enablement package. For more information, see [Feature Update through Windows 10, version 21H1 Enablement Package](https://support.microsoft.com/help/5000736). ## Servicing 
@@ -42,13 +42,13 @@ A new [resolved issues](/mem/autopilot/resolved-issues) article is available tha A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). -Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). ### Windows Assessment and Deployment Toolkit (ADK) -There is no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). +There's no new ADK for Windows 10, version 21H1. The ADK for Windows 10, version 2004 will also work with Windows 10, version 21H1. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). ## Device management 
@@ -74,7 +74,7 @@ The new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) ## General fixes -See the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/) for more information. +For more information on the general fixes, see the [Windows Insider blog](https://blogs.windows.com/windows-insider/2021/02/17/releasing-windows-10-build-19042-844-20h2-to-beta-and-release-preview-channels/). This release includes the following enhancements and issues fixed: @@ -88,7 +88,7 @@ This release includes the following enhancements and issues fixed: - an issue that might cause video playback to flicker when rendering on certain low-latency capable monitors. - an issue that sometimes prevents the input of strings into the Input Method Editor (IME). - an issue that exhausts resources because Desktop Windows Manager (DWM) leaks handles and virtual memory in Remote Desktop sessions. -- a stop error that occurs at start up. +- a stop error that occurs at the start. - an issue that might delay a Windows Hello for Business (WHfB) Certificate Trust deployment when you open the Settings-> Accounts-> Sign-in Options page. - an issue that might prevent some keyboard keys from working, such as the home, Ctrl, or left arrow keys when you set the Japanese IME input mode to Kana. - removed the history of previously used pictures from a user account profile. 
@@ -104,8 +104,8 @@ This release includes the following enhancements and issues fixed: - an issue that prevents wevtutil from parsing an XML file. - failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes. - We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode. -- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum is not valid. -- the WinHTTP AutoProxy service does not comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically. +- User Datagram Protocol (UDP) broadcast packets that are larger than the maximum transmission unit (MTU). Devices that receive these packets discard them because the checksum isn't valid. +- the WinHTTP AutoProxy service doesn't comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically. - We improved the ability of the WinHTTP Web Proxy Auto-Discovery Service to ignore invalid Web Proxy Auto-Discovery Protocol (WPAD) URLs that the Dynamic Host Configuration Protocol (DHCP) server returns. - We displayed the proper Envelope media type as a selectable output paper type for Universal Print queues. - We ended the display of a random paper size for a printer when it uses the Microsoft Internet Printing Protocol (IPP) Class Driver. 
@@ -122,7 +122,7 @@ This release includes the following enhancements and issues fixed: * Default value = 1; enables the log. * Value other than 1; disables the log. - If this key does not exist, it will be created automatically. + If this key doesn't exist, it will be created automatically. To take effect, any change to **dfslog/RootShareAcquireSuccessEvent** in the registry requires that you restart the DFSN service. - We updated the Open Mobile Alliance (OMA) Device Management (DM) sync protocol by adding a check-in reason for requests from the client to the server. The check-in reason will allow the mobile device management (MDM) service to make better decisions about sync sessions. With this change, the OMA-DM service must negotiate a protocol version of 4.0 with the Windows OMA-DM client. - We turned off token binding by default in Windows Internet (WinINet). @@ -137,4 +137,4 @@ This release includes the following enhancements and issues fixed: [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
                    [Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
                    [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
                    -[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
                    +[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
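Review bot: in the `@@ -104,7 +104,7 @@` hunk of whats-new-windows-10-version-1507-and-1511.md, the unchanged Audit Group Membership link still points at `/windows/device-security/auditing/audit-group-membership`, while the Audit PNP Activity link in the next list item is retargeted to `/windows/security/threat-protection/auditing/audit-pnp-activity`. Both subcategories are documented in the same auditing section, so the first link is very likely stale too; suggest updating it in the same pass to `/windows/security/threat-protection/auditing/audit-group-membership` so the two list items do not rely on a redirect.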
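Review bot: in the `@@ -167,7 +167,7 @@` hunk of whats-new-windows-10-version-1703.md, the two Windows Information Protection links in the context lines (`/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune` and `.../create-vpn-and-wip-policy-using-intune`) keep the `/windows/threat-protection/` prefix that this PR moves off for every Defender link in the same file. Suggest checking whether these WIP paths still resolve and retargeting them here as well rather than leaving a second link-fix PR for the same page.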
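Review bot: in the `@@ -87,7 +87,7 @@` hunk of whats-new-windows-10-version-1709.md, the link text "View the Microsoft Defender for Endpoint Security analytics dashboard" is unchanged but the target is now `/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices`, so the text and the destination no longer describe the same thing. Suggest either rewording the link text to the page it now lands on (Microsoft Secure Score for Devices) or pointing at a page that still documents the dashboard; as written, readers following a "security analytics dashboard" link arrive at a differently named feature with no explanation.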
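Review bot: in the `@@ -157,7 +157,7 @@` hunk of whats-new-windows-10-version-1809.md, only the Custom detection link is moved to `/microsoft-365/security/defender/custom-detections-overview`; the neighbouring Threat analytics and MSSP support links in the same list keep `/windows/security/threat-protection/windows-defender-atp/...`. Since the rest of this PR retires the `windows-defender-atp` paths, suggest verifying those two siblings and updating them in this change so the list is consistent.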
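Review bot: in the `@@ -56,7 +56,7 @@` hunk of whats-new-windows-10-version-1909.md, the replacement line drops the trailing period after the platform status link, and the sentence "TLS 1.3 disabled by default system wide" is carried over without its verb. Suggest "TLS 1.3 is disabled by default system-wide." and ending the final sentence after the link with a period, since the default-off state is the point readers need to take from this paragraph before testing.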
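Review bot: in the `@@ -88,7 +88,7 @@` hunk of whats-new-windows-10-version-21H1.md, changing "a stop error that occurs at start up" to "a stop error that occurs at the start" alters the meaning: the original refers to system startup (boot), while "at the start" is ambiguous about what is starting. Suggest "a stop error that occurs at startup." instead.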