Merge pull request #3141 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
Tina Burden 2020-06-23 09:06:33 -07:00 committed by GitHub
commit aed85af8a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 138 additions and 150 deletions

View File

@ -17,16 +17,13 @@ ms.date: 06/26/2017
# Certificate Renewal # Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. > [!Note]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
 
## In this topic ## In this topic
- [Automatic certificate renewal request](#automatic-certificate-renewal-request) - [Automatic certificate renewal request](#automatic-certificate-renewal-request)
- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration) - [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration)
- [Certificate renewal response](#certificate-renewal-response) - [Certificate renewal response](#certificate-renewal-response)
@ -35,12 +32,10 @@ The enrolled client certificate expires after a period of use. The expiration da
<a href="" id="automatic-certificate-renewal"></a> <a href="" id="automatic-certificate-renewal"></a>
## Automatic certificate renewal request ## Automatic certificate renewal request
In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal. In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal.
> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. > [!Note]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
 
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate. Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.
@ -54,7 +49,7 @@ During the automatic certificate renew process, the device will deny HTTP redire
The following example shows the details of an automatic renewal request. The following example shows the details of an automatic renewal request.
``` ``` xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u= xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
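Review bot: the new fence info string `` ``` xml `` puts a space between the backticks and the language; the SCEP example in the ClientCertificateInstall file of this same PR uses `` ```xml `` with no space, and that is the form to use here for consistency (the same spaced fence is introduced again on the certificate renewal response example further down). Most renderers tolerate the space, but the mixed style is easy to avoid.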
@ -106,7 +101,6 @@ The following example shows the details of an automatic renewal request.
</s:Envelope> </s:Envelope>
``` ```
<a href="" id="certificate-renewal-schedule"></a> <a href="" id="certificate-renewal-schedule"></a>
## Certificate renewal schedule configuration ## Certificate renewal schedule configuration
@ -116,11 +110,10 @@ For more information about the parameters, see the CertificateStore configuratio
Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week. Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week.
> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. > [!Note]
> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design. > For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design.
 
## Certificate renewal response ## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
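Review bot: the converted note still carries the typo "configured ROBO internal" (should be "interval") on the line after the new `> [!Note]`, and the surrounding context lines in this hunk read "instead every 7 days" (missing "of"), "the device will a connectivity at different days" (missing "have") and "in additional to initial enrollment" (should be "in addition to"). Since this hunk already touches the note, these one-word fixes belong in the same change rather than a follow-up.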
@ -133,12 +126,12 @@ When RequestType is set to Renew, the web service verifies the following (in add
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message. > [!Note]
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of an certificate renewal response. The following example shows the details of an certificate renewal response.
``` ``` xml
<wap-provisioningdoc version="1.1"> <wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore"> <characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root"> <!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
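Review bot: the line introducing the example, "The following example shows the details of an certificate renewal response.", should read "a certificate renewal response"; it sits directly below the converted note, so it is worth fixing while this hunk is open.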
@ -163,25 +156,15 @@ The following example shows the details of an certificate renewal response.
</wap-provisioningdoc> </wap-provisioningdoc>
``` ```
> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. > [!Note]
The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
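Review bot: the second line of the converted note is missing its `>` prefix. After `> [!Note]` the text "The client receives a new certificate, instead of renewing the initial certificate. ..." starts at column 0, unlike every other note converted in this PR, so it will either be lazily pulled into the `[!Note]` paragraph or, if a blank line separates them, render as an ordinary paragraph outside the note box. It should be `> The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.`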
 
<a href="" id="csp-support-during-enrollment-and-renewal"></a> <a href="" id="csp-support-during-enrollment-and-renewal"></a>
## Configuration service providers supported during MDM enrollment and certificate renewal ## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider. The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore - CertificateStore
- w7 APPLICATION - w7 APPLICATION
- DMClient - DMClient
- EnterpriseAppManagement - EnterpriseAppManagement
 

View File

@ -14,17 +14,15 @@ ms.date: 02/28/2020
# ClientCertificateInstall CSP # ClientCertificateInstall CSP
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block. For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> **Note**   > [!Note]
Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. > Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following image shows the ClientCertificateInstall configuration service provider in tree format. The following image shows the ClientCertificateInstall configuration service provider in tree format.
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png) ![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
@ -63,7 +61,6 @@ The data type is an integer corresponding to one of the following values:
| 3 | Install to software. | | 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | | 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** <a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
@ -107,8 +104,8 @@ Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** <a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. > [!Note]
> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The data type bool. The data type bool.
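Review bot: the trailing context line "The data type bool." is missing a verb and should read "The data type is bool." (the SCEP nodes in this file use "Data type is string."); this hunk already touches the PFXKeyExportable paragraph, so the fix fits here.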
@ -138,20 +135,19 @@ Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP** <a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
Node for SCEP. Node for SCEP.
> **Note**  An alert is sent after the SCEP certificate is installed. > [!Note]
> An alert is sent after the SCEP certificate is installed.
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/**<strong>*UniqueID*</strong> <a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/**<strong>*UniqueID*</strong>
A unique ID to differentiate different certificate installation requests. A unique ID to differentiate different certificate installation requests.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install** <a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
Supported operations are Get, Add, Replace, and Delete. Supported operations are Get, Add, Replace, and Delete.
> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. > [!Note]
> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** <a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
@ -191,8 +187,8 @@ Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** <a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies where to keep the private key. Optional. Specifies where to keep the private key.
> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN. > [!Note]
> Even if the private key is protected by TPM, it is not protected with a TPM PIN.
The data type is an integer corresponding to one of the following values: The data type is an integer corresponding to one of the following values:
@ -203,7 +199,6 @@ The data type is an integer corresponding to one of the following values:
| 3 | (Default) Private key saved in software KSP. | | 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | | 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** <a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
@ -238,8 +233,8 @@ Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** <a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name. Optional. OID of certificate template name.
> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it. > [!Note]
> This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
Data type is string. Data type is string.
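Review bot: the converted note keeps "doesnt" without the apostrophe; the new line should read "> This name is typically ignored by the SCEP server; therefore the MDM server typically doesn't need to provide it."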
@ -294,7 +289,6 @@ Valid values are:
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. > **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** <a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
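Review bot: the first line of this hunk leaves the ValidPeriod note in the old `> **Note**  The device only sends the MDM server expected certificate validation period ...` style, while the identical note under ValidPeriodUnits in the next hunk is converted to `> [!Note]` plus a `> ` continuation line. Convert this one the same way so the two sibling nodes render consistently.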
@ -302,8 +296,8 @@ Optional. Specifies the desired number of units used in the validity period. Thi
Data type is string. Data type is string.
>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. > [!Note]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.
@ -358,7 +352,6 @@ The only supported operation is Get.
| 16 | Action failed | | 16 | Action failed |
| 32 | Unknown | | 32 | Unknown |
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** <a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
Optional. An integer value that indicates the HRESULT of the last enrollment error code. Optional. An integer value that indicates the HRESULT of the last enrollment error code.
@ -373,7 +366,6 @@ The only supported operation is Get.
## Example ## Example
Enroll a client certificate through SCEP. Enroll a client certificate through SCEP.
```xml ```xml
@ -669,15 +661,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -120,8 +120,6 @@ The following table describes the supported values:
| 50 | Ransomware | | 50 | Ransomware |
| 51 | ASR Rule | | 51 | ASR Rule |
Supported operation is Get. Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus** <a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
@ -248,60 +246,60 @@ Supported operation is Get.
<a href="" id="health-defenderenabled"></a>**Health/DefenderEnabled** <a href="" id="health-defenderenabled"></a>**Health/DefenderEnabled**
Indicates whether the Windows Defender service is running. Indicates whether the Windows Defender service is running.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-rtpenabled"></a>**Health/RtpEnabled** <a href="" id="health-rtpenabled"></a>**Health/RtpEnabled**
Indicates whether real-time protection is running. Indicates whether real-time protection is running.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-nisenabled"></a>**Health/NisEnabled** <a href="" id="health-nisenabled"></a>**Health/NisEnabled**
Indicates whether network protection is running. Indicates whether network protection is running.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue** <a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device. Indicates whether a Windows Defender quick scan is overdue for the device.
A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default) A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default).
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue** <a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device. Indicates whether a Windows Defender full scan is overdue for the device.
A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default) A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default).
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-signatureoutofdate"></a>**Health/SignatureOutOfDate** <a href="" id="health-signatureoutofdate"></a>**Health/SignatureOutOfDate**
Indicates whether the Windows Defender signature is outdated. Indicates whether the Windows Defender signature is outdated.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-rebootrequired"></a>**Health/RebootRequired** <a href="" id="health-rebootrequired"></a>**Health/RebootRequired**
Indicates whether a device reboot is needed. Indicates whether a device reboot is needed.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
<a href="" id="health-fullscanrequired"></a>**Health/FullScanRequired** <a href="" id="health-fullscanrequired"></a>**Health/FullScanRequired**
Indicates whether a Windows Defender full scan is required. Indicates whether a Windows Defender full scan is required.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
@ -357,7 +355,7 @@ Supported operation is Get.
<a href="" id="health-tamperprotectionenabled"></a>**Health/TamperProtectionEnabled** <a href="" id="health-tamperprotectionenabled"></a>**Health/TamperProtectionEnabled**
Indicates whether the Windows Defender tamper protection feature is enabled. Indicates whether the Windows Defender tamper protection feature is enabled.
The data type is a boolean. The data type is a Boolean.
Supported operation is Get. Supported operation is Get.
@ -422,5 +420,4 @@ Supported operations are Get and Execute.
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)

View File

@ -23,7 +23,6 @@ User Experience Virtualization (UE-V) supports Microsoft Application Virtualizat
## UE-V settings synchronization for App-V applications ## UE-V settings synchronization for App-V applications
UE-V monitors when an application opens by the program name and, optionally, by file version numbers and product version numbers, whether the application is installed locally or virtually by using App-V. When the application starts, UE-V monitors the App-V process, applies any settings that are stored in the user's settings storage path, and then enables the application to start normally. UE-V monitors App-V applications and automatically translates the relevant file and registry paths to the virtualized location as opposed to the physical location outside the App-V computing environment. UE-V monitors when an application opens by the program name and, optionally, by file version numbers and product version numbers, whether the application is installed locally or virtually by using App-V. When the application starts, UE-V monitors the App-V process, applies any settings that are stored in the user's settings storage path, and then enables the application to start normally. UE-V monitors App-V applications and automatically translates the relevant file and registry paths to the virtualized location as opposed to the physical location outside the App-V computing environment.
**To implement settings synchronization for a virtualized application** **To implement settings synchronization for a virtualized application**
@ -34,28 +33,11 @@ UE-V monitors when an application opens by the program name and, optionally, by
3. Publish the template to the location of your settings template catalog or manually install the template by using the `Register-UEVTemplate` Windows PowerShell cmdlet. 3. Publish the template to the location of your settings template catalog or manually install the template by using the `Register-UEVTemplate` Windows PowerShell cmdlet.
**Note**   > [!NOTE]
If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**. > If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**.
4. Start the App-V package. 4. Start the App-V package.
## Related topics ## Related topics
[Administering UE-V](uev-administering-uev.md) [Administering UE-V](uev-administering-uev.md)

View File

@ -30,55 +30,52 @@ The following resources provide additional information about using Windows Updat
[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/) [Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/)
## How do I reset Windows Update components? ## How do I reset Windows Update components?
[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. [Reset Windows Update Client settings script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update.
[Reset Windows Update Agent script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update.
## Reset Windows Update components manually ## Reset Windows Update components manually
1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER: 1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER:
```console ``` console
cmd cmd
``` ```
2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. 2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console ``` console
net stop bits net stop bits
net stop wuauserv net stop wuauserv
``` ```
3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER: 3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER:
```console ``` console
Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
``` ```
4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. 4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.
1. Rename the following folders to *.BAK: 1. Rename the following folders to *.BAK:
```console ``` console
%systemroot%\SoftwareDistribution\DataStore %systemroot%\SoftwareDistribution\DataStore
%systemroot%\SoftwareDistribution\Download %systemroot%\SoftwareDistribution\Download
%systemroot%\system32\catroot2 %systemroot%\system32\catroot2
``` ```
To do this, type the following commands at a command prompt. Press ENTER after you type each command. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console ``` console
Ren %systemroot%\SoftwareDistribution\DataStore *.bak Ren %systemroot%\SoftwareDistribution\DataStore *.bak
Ren %systemroot%\SoftwareDistribution\Download *.bak Ren %systemroot%\SoftwareDistribution\Download *.bak
Ren %systemroot%\system32\catroot2 *.bak Ren %systemroot%\system32\catroot2 *.bak
``` ```
2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console ``` console
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
``` ```
5. Type the following command at a command prompt, and then press ENTER: 5. Type the following command at a command prompt, and then press ENTER:
```console ``` console
cd /d %windir%\system32 cd /d %windir%\system32
``` ```
6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. 6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console ``` console
regsvr32.exe atl.dll regsvr32.exe atl.dll
regsvr32.exe urlmon.dll regsvr32.exe urlmon.dll
regsvr32.exe mshtml.dll regsvr32.exe mshtml.dll
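Review bot: Step 1 of the manual procedure opens a non-elevated prompt (Start > Run, then `cmd`), but every later step in this hunk (`net stop bits`, `Del` under `%ALLUSERSPROFILE%`, `sc.exe sdset`, `regsvr32.exe`) needs administrator rights and will fail with "Access is denied" from a standard prompt; the step should say to open an elevated command prompt (Run as administrator) rather than Start > Run. Two smaller points while this hunk is being touched: the new fence tag is written ```` console` (with a space) here while the KMS file in the same PR standardizes on ```` ```console ````, so one form should be picked for the whole sync; and step 4 still refers to "the 'Aggressive' mode of the Fix it Solution above", which does not exist in this article as far as the visible text shows, so either link the Fix it download or drop the reference.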
@ -118,20 +115,20 @@ The following resources provide additional information about using Windows Updat
``` ```
7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: 7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:
```console ``` console
netsh winsock reset netsh winsock reset
``` ```
8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: 8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER:
```console ``` console
proxycfg.exe -d proxycfg.exe -d
``` ```
9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. 9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console ``` console
net start bits net start bits
net start wuauserv net start wuauserv
``` ```
10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: 10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
```console ``` console
bitsadmin.exe /reset /allusers bitsadmin.exe /reset /allusers
``` ```

View File

@ -16,7 +16,6 @@ ms.topic: article
# Determine What to Migrate # Determine What to Migrate
By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration.
However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize. However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize.
@ -25,7 +24,6 @@ To reduce complexity and increase standardization, your organization should cons
## In This Section ## In This Section
<table> <table>
<colgroup> <colgroup>
<col width="50%" /> <col width="50%" />
@ -51,18 +49,6 @@ To reduce complexity and increase standardization, your organization should cons
</tbody> </tbody>
</table> </table>
## Related topics ## Related topics
[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)

View File

@ -48,13 +48,13 @@ On the KMS host computer, perform the following steps:
1. To extract the contents of the update, run the following command: 1. To extract the contents of the update, run the following command:
```cmd ```console
expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\ expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\
``` ```
1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command: 1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command:
```cmd ```console
expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168 expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168
``` ```

View File

@ -47,6 +47,7 @@ For more information on the available join options, see the following sections:
- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. - [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain.
- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. - [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
- [Hybrid Azure Active Directory join with VPN support](#user-driven-mode-for-hybrid-azure-active-directory-join-with-vpn-support) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain, but are not connected to the corporate network and must use VPN connectivity.
## User-driven mode for Azure Active Directory join ## User-driven mode for Azure Active Directory join
@ -83,11 +84,65 @@ To perform a user-driven hybrid Azure AD joined deployment using Windows Autopil
- Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
- If using Proxy, WPAD Proxy settings option must be enabled and configured. - If using Proxy, WPAD Proxy settings option must be enabled and configured.
**Azure AD device join**: The hybrid Azure AD join process uses the system context to perform device Azure AD join, therefore it is not affected by user based Azure AD join permission settings. In addition, all users are enabled to join devices to Azure AD by default. The hybrid Azure AD join process uses the system context to register the device to Azure AD, therefore it is not affected by user based Azure AD join permission settings.
### Step by step instructions ## User-driven mode for hybrid Azure Active Directory join with VPN support
Devices that are joined to Active Directory require connectivity to an Active Directory domain controller for a variety of activities, such as user sign-in (validating the user's credentials) and Group Policy application. As a result, the Windows Autopilot user-driven Hybrid Azure AD Join process would validate that the device is able to contact an Active Directory domain controller by pinging that domain controller.
With the additional of VPN support for this scenario, it is now possible for you to specify to skip that connectivity check during the Hybrid Azure AD Join. This does not eliminate the need for communicating with an Active Directory domain controller, but rather enables the device to be first prepared with a needed VPN configuration delivered via Intune prior to the user attempting to sign into Windows, allowing connectivity to the organization's network.
### Requirements
The following additional requirements apply for Hybrid Azure AD Join with VPN support:
- A supported version of Windows 10:
- Windows 10 1903 + December 10th Cumulative update (KB4530684, OS build 18362.535) or higher
- Windows 10 1909 + December 10th Cumulative update (KB4530684, OS build 18363.535) or higher
- Windows 10 2004 or later
- Enable the new “Skip domain connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile.
- A VPN configuration that can be deployed via Intune that enables the user to manualy establish a VPN connection from the Windows logon screen, or one that automatically establishes a VPN connection as needed.
The specific VPN configuration required depends on the VPN software and authentication being used. For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself as well as any specific connection information, e.g. VPN endpoint host names) via Intune Management Extensions. Consult your VPN provider's documentation for configuration details specific to that provider.
> [!NOTE]
> The VPN requirements are not specific to Windows Autopilot. For example, if you have already implemented a VPN configuration to enable remote password resets, where a user needs to log on to Windows with a new password when not on the organization's network, that same configuration can be used with Windows Autopilot. Once the user has signed in to cache their credentials, subsequent log-on attempts do not need connectivity since the cached credentials can be used.
In cases where certificate authentication is required by the VPN software, the needed machine certificate should also be deployed via Intune. This can be done using the Intune certificate enrollment capabilities, targeting the certificate profiles to the device.
Note that user certificates are not supported because these certificates cannot be deployed until the user logs in. Also, third-party UWP VPN plug-ins delivered from the Windows Store are also not supported because these are not installed until after the user signs in.
### Validation
Before attempting a hybrid Azure AD Join using VPN, it is important to first confirm that a user-driven Hybrid Azure AD Join process can be performed on the organization's network, before adding in the additional requirements described below. This simplifies troubleshooting by making sure the core process works fine before adding the additional VPN configuration required.
Next, validate that the VPN configuration (Win32 app, certs, and any other requirements) can be deployed via Intune to an existing device that has already been hybrid Azure AD joined. For example, some VPN clients create a per-machine VPN connection as part of the installation process, so you can validate the configuration using steps such as these:
- From PowerShell, verify that at least one per-machine VPN connection has been created using the "Get-VpnConnection -AllUserConnection" command.
- Attempt to manually start the VPN connection using the command: RASDIAL.EXE "ConnectionName"
- Log out and verify that the "VPN connection" icon can be seen on the Windows logon page.
- Move the device off the corporate network and attempt to establish the connection using the icon on the Windows logon page, signing into an account that does not have cached credentials.
For VPN configurations that automatically connect, the validation steps may be different.
> [!NOTE]
> Always On VPN can be used for this scenario. See the [Deploy Always On VPN](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) documentation for more information. Note that Intune cannot yet deploy the needed per-machine VPN profile.
To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from https://catalog.update.microsoft.com and then manually installing it:
- Press Shift-F10 to open a command prompt.
- Insert a USB key containing the donwloaded update.
- Install the update using the command (substituting the real file name): WUSA.EXE <filename>.msu /quiet
- Reboot the computer using the command: shutdown.exe /r /t 0
Alternatively, you can invoke Windows Update to install the latest updates through this process:
- Press Shift-F10 to open a command prompt.
- Run the command "start ms-settings:"
- Navigate to the "Update & Security" node and check for updates.
- Reboot after the updates are installed.
## Step by step instructions
See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).
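Review bot: In the new validation steps, the line `Install the update using the command (substituting the real file name): WUSA.EXE <filename>.msu /quiet` leaves `<filename>` unescaped in Markdown, so the renderer will treat it as an HTML tag and the published page will show `WUSA.EXE .msu /quiet`; put the command in backticks or escape it as `\<filename\>`, and do the same for the `RASDIAL.EXE "ConnectionName"`, `shutdown.exe /r /t 0` and `start ms-settings:` commands so all four render consistently as code. Typos in the added prose: "With the additional of VPN support" should be "With the addition of VPN support", "manualy" should be "manually", and "donwloaded" should be "downloaded". One caveat worth adding to the note that "subsequent log-on attempts do not need connectivity since the cached credentials can be used": that only holds when the "Interactive logon: Number of previous logons to cache" policy is nonzero, and organizations that set it to 0 for security reasons will still need the VPN path at every sign-in.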

View File

@ -26,7 +26,8 @@ ms.custom:
Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). > [!NOTE]
> For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
## Software requirements ## Software requirements
@ -46,8 +47,8 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
- Ensure DNS name resolution for internet DNS names - Ensure DNS name resolution for internet DNS names.
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) - Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP).
In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services. For additional details about each of these services and their specific requirements, review the following details: In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services. For additional details about each of these services and their specific requirements, review the following details:
@ -97,9 +98,9 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
- [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business) - [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business).
- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline) - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline).
- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx) - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx).
- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
- [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
@ -133,7 +134,6 @@ For a walkthrough for some of these and related steps, see this video:
<iframe width="560" height="315" src="https://www.youtube.com/embed/KYVptkpsOqs" frameborder="0" allow="accelerometer; autoplay; encrypted-media" gyroscope; picture-in-picture" allowfullscreen></iframe> <iframe width="560" height="315" src="https://www.youtube.com/embed/KYVptkpsOqs" frameborder="0" allow="accelerometer; autoplay; encrypted-media" gyroscope; picture-in-picture" allowfullscreen></iframe>
There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
## Related topics ## Related topics
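Review bot: The embedded video iframe on the context line of this hunk has a malformed `allow` attribute: `allow="accelerometer; autoplay; encrypted-media" gyroscope; picture-in-picture"` closes the quote after `encrypted-media`, leaving `gyroscope;` and `picture-in-picture"` as stray attribute text. It should read `allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture"`. Since this hunk already touches the surrounding blank line, it is a good place to fix the attribute rather than leaving invalid HTML in the page.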

View File

@ -31,7 +31,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a
To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
- Support for Virtualization-based security (required) - Support for Virtualization-based security (required)
- Secure boot (required) - Secure boot (required)
- TPM 1.2 or 2.0 (preferred - provides binding to hardware), either discrete or firmware - TPM (preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
The Virtualization-based security requires: The Virtualization-based security requires:
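Review bot: The reworded TPM bullet reads awkwardly: "TPM (preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware" puts the parenthetical before the noun it qualifies and breaks the parallel structure of the other bullets ("Secure boot (required)", "UEFI lock (preferred - ...)"). Suggest keeping the bullet shape and folding the version information in: "TPM 1.2 or 2.0, discrete or firmware (preferred - provides binding to hardware)". The underlying content change (clarifying that both TPM versions are supported) is correct and worth keeping.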

View File

@ -40,7 +40,9 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.
If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
> [!NOTE] > [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. >There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
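Review bot: The split into three sentences is clearer, but "adequate (1 or more, depending on your authentication load)" says nothing a reader can act on, since zero domain controllers is never adequate; the parenthetical should either be removed or replaced with a pointer to the sizing guidance that the next sentence already links. "MUST" in capitals is RFC style rather than docs style; use "must". Separately, the KB link in the note uses the locale-specific `/en-us/` path; the rest of this repository links support.microsoft.com without a locale so the site can redirect by reader language.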

View File

@ -133,9 +133,14 @@ This table provides info about the most common problems you might encounter whil
</td> </td>
</tr> </tr>
<tr> <tr>
<td>By design, OneNote only supports WIP protected notebooks stored on enterprise-managed SharePoint (OneDrive for Business). Onenote does not support local WIP protected notebooks.</td> <td>OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.</td>
<td>OneNote might encounter an error such as "This notebook contains protected content from your organization, which can't be viewed or synced. Please change the file ownership to Personal, or contact your IT administrator." Supported notebooks (OneDrive for Business) should be shown in File Explorer as links and open with your associated browser. Unsupported notebooks would show as folders or .one files (with a OneNote icon)</td> <td>OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.</td>
<td>If unsupported files won't open in the browser, then they are 'stuck' in the old local format - incompatible with WIP or viewing online. We recommend that you create a new notebook and copy the contents from the existing notebook into the new one. In OneNote desktop, File > New > OnedDive - company name notebook and create a new one. Then within OneNote, copy over the old 'local' sections into this new notebook to ensure they get upgraded to the modern format. Hold Ctrl + drag and drop the sections into the notebook. Holding Ctrl will copy sections rather than move them, preserving the old sections as backup copies. Wait for the new notebook to finish syncing to OneDrive for business.</td> <td>"OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
1. Close the notebook in OneNote.
2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.
3. Copy the notebook folder and Paste it back into the OneDrive for Business folder.
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.</td>
</tr> </tr>
<tr> <tr>
<td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected. <td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected.
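Review bot: The new workaround cell has two rendering problems: it opens with a stray double quote (`<td>"OneNote notebooks that are newly copied ...`) that is never closed, and the three numbered steps plus the closing paragraph are plain text lines inside a `<td>`, where HTML collapses the newlines so the published table shows them as one run-on sentence. Drop the leading quote and wrap the steps in `<ol><li>...</li></ol>` (or separate them with `<br>`), matching the other multi-step cells in this table. Also consider keeping the exact error string from the removed text ("This notebook contains protected content from your organization, which can't be viewed or synced...") in the symptom column, since that is what users will search for.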