Acrolinx enhancement

This commit is contained in:
Siddarth Mandalika 2022-02-23 11:56:15 +05:30
parent 22c09c40fa
commit b8329d0398
6 changed files with 76 additions and 76 deletions

View File

@ -37,7 +37,7 @@ Root node.
Interior node for the account domain information.
<a href="" id="domain-computername"></a>**Domain/ComputerName**
This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management is not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
Available naming macros:
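Review bot: the rewritten line still has "on-premises Active directory" with a lowercase "directory"; since the sentence is being touched for style anyway, write "Active Directory" so it matches "Azure Active Directory" earlier in the same sentence.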

View File

@ -17,7 +17,7 @@ ms.date: 06/26/2017
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
Configuring Windows Live ActiveSync accounts through this configuration service provider isn't supported.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
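Review bot: the NOTE in the trailing context still says "must be logged in"; the same style pass that prefers contractions prefers "signed in" over "logged in", so change it while this file is open.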
@ -28,7 +28,7 @@ The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in th
The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
```
./Vendor/MSFT
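Review bot: "The following example shows the ActiveSync configuration service provider management objects in tree format" mislabels the tree: it is the CSP's actual node structure, not an example of one. Keep "The following shows" or use "The following diagram shows". The same "example" substitution was made for the tree in the AllJoynManagement, ApplicationControl and AppLocker files in this commit.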
@ -86,7 +86,7 @@ Defines a specific ActiveSync account. A globally unique identifier (GUID) must
Supported operations are Get, Add, and Delete.
When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account.
When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and doesn't create the new account.
Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example:
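Review bot: "Provisioning with an account that has the same GUID as an existing one deletes the existing account and doesn't create the new account" is a data-loss warning buried in body text; move it into a `> [!NOTE]` or `> [!IMPORTANT]` callout, the form this file already uses near the top, so it isn't skimmed past when someone is generating GUIDs for OMA DM.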
@ -107,7 +107,7 @@ For OMA DM, you must use the ASCII values of %7B and %7D for the opening and clo
<a href="" id="account-guid-emailaddress"></a>***Account GUID*/EmailAddress**
Required. A character string that specifies the email address associated with the Exchange ActiveSync account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com".
@ -119,21 +119,21 @@ Supported operations are Get, Replace, Add, and Delete.
<a href="" id="account-guid-accounticon"></a>***Account GUID*/AccountIcon**
Required. A character string that specifies the location of the icon associated with the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
<a href="" id="account-guid-accounttype"></a>***Account GUID*/AccountType**
Required. A character string that specifies the account type.
Supported operations are Get and Add (cannot Add after the account is created).
Supported operations are Get and Add (can't Add after the account is created).
This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange".
This value is entered during setup and can't be modified once entered. An Exchange account is indicated by the string value "Exchange".
<a href="" id="account-guid-accountname"></a>***Account GUID*/AccountName**
Required. A character string that specifies the name that refers to the account on the device.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
<a href="" id="account-guid-password"></a>***Account GUID*/Password**
Required. A character string that specifies the password for the account.
@ -145,14 +145,14 @@ For the Get command, only asterisks are returned.
<a href="" id="account-guid-servername"></a>***Account GUID*/ServerName**
Required. A character string that specifies the server name used by the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
<a href="" id="account-guid-username"></a>***Account GUID*/UserName**
Required. A character string that specifies the user name for the account.
Supported operations are Get, and Add (cannot Add after the account is created).
Supported operations are Get, and Add (can't Add after the account is created).
The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
The user name can't be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
<a href="" id="options"></a>**Options**
Node for other parameters.
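Review bot: "Supported operations are Get, and Add" keeps a stray comma in a two-item list; write "Get and Add" as the other nodes in this file do. In the same hunk, "user name" and "username" are used for the same thing within one sentence; pick one term (the node itself is named UserName).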
@ -163,9 +163,9 @@ Specifies the time window used for syncing calendar items to the device. Value t
<a href="" id="options-logging"></a>**Options/Logging**
Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
Valid values are one of the following:
Valid values are any of the following values:
- 0 (default) - Logging is off.
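Review bot: "Valid values are any of the following values:" is redundant ("values ... values") and "any of" changes the meaning, since exactly one value is set at a time; the original "one of the following" was correct. The shortest fix is "Valid values:", which the MailBodyType node later in this file already uses. The same replacement was made in four later hunks of this file and should be reverted in each.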
@ -173,7 +173,7 @@ Valid values are one of the following:
- 2 - Advanced logging is enabled.
Logging is set to off by default. The user might be asked to set this to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
Logging is set to off by default. The user might be asked to set this logging to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
<a href="" id="options-mailbodytype"></a>**Options/MailBodyType**
Indicates the email format. Valid values:
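Review bot: "set this logging to Basic or Advanced" is awkward; the next sentence already says "logging level", so "set the logging level to Basic or Advanced" keeps the two sentences parallel.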
@ -185,19 +185,19 @@ Indicates the email format. Valid values:
- 4 - MIME
<a href="" id="options-mailhtmltruncation"></a>**Options/MailHTMLTruncation**
Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
Specifies the size beyond which HTML-formatted email messages are truncated when they're synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-mailplaintexttruncation"></a>**Options/MailPlainTextTruncation**
This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
This setting specifies the size beyond which text-formatted e-mail messages are truncated when they're synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-usessl"></a>**Options/UseSSL**
Optional. A character string that specifies whether SSL is used.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
Valid values are:
- 0 - SSL is not used.
- 0 - SSL isn't used.
- 1 (default) - SSL is used.
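Review bot: within this one hunk the two truncation nodes say "email messages ... mobile device" and "e-mail messages ... mobile phone" for the same idea; standardize on "email" and "device". For UseSSL, the value list could state plainly what 0 means in practice, that the connection to the server isn't encrypted, since that is the consequence an admin needs to see before changing the default of 1.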
@ -206,7 +206,7 @@ Required. A character string that specifies the time until the next sync is perf
Supported operations are Get and Replace.
Valid values are one of the following:
Valid values are any of the following values:
- -1 (default) - A sync will occur as items are received
@ -223,7 +223,7 @@ Required. A character string that specifies the time window used for syncing ema
Supported operations are Get and Replace.
Valid values are one of the following:
Valid values are any of the following values:
- 0 No age filter is used, and all email items are synced to the device.
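Review bot: "- 0 No age filter is used" is missing the " - " separator that every other value list in this file puts between the value and its description; write "- 0 - No age filter is used".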
@ -238,7 +238,7 @@ Valid values are one of the following:
<a href="" id="options-contenttypes-content-type-guid"></a>**Options/ContentTypes/**<strong>*Content Type GUID*</strong>
Defines the type of content to be individually enabled/disabled for sync.
The *GUID* values allowed are one of the following:
The *GUID* values allowed are any of the following values:
- Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}"
@ -251,11 +251,11 @@ The *GUID* values allowed are one of the following:
<a href="" id="options-contenttypes-content-type-guid-enabled"></a>**Options/ContentTypes/*Content Type GUID*/Enabled**
Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
Valid values are one of the following:
Valid values are any of the following values:
- 0 - Sync for email, contacts, calendar, or tasks is disabled.
- 0 - Sync for email, contacts, calendar, or tasks are disabled.
- 1 (default) - Sync is enabled.
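Review bot: changing "Sync for email, contacts, calendar, or tasks is disabled" to "... are disabled" introduces a subject-verb agreement error: the subject is "Sync", which is singular, and the listed items are objects of "for". Revert to "is disabled".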
<a href="" id="options-contenttypes-content-type-guid-name"></a>**Options/ContentTypes/*Content Type GUID*/Name**
@ -265,7 +265,7 @@ Required. A character string that specifies the name of the content type.
> In Windows 10, this node is currently not working.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.

View File

@ -57,7 +57,7 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
![azure active directory premium payment page.](images/azure-ad-add-tenant8.png)
10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....).
10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange).
![admin center left navigation menu.](images/azure-ad-add-tenant9.png)
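Review bot: "log in" to "log on" goes the wrong way; the style guide term is "sign in" for both. The edit also turns "(SharePoint, Exchange, etc....)" into the closed list "(SharePoint and Exchange)"; if the menu shows more services, "such as SharePoint and Exchange" keeps the open-ended meaning.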
@ -75,7 +75,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
![register in azure-ad.](images/azure-ad-add-tenant11.png)
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
![register azuread](images/azure-ad-add-tenant12.png)
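Review bot: "This option will take you to the Azure Active Directory sign-up page" is wrong about the subject: what takes you there is clicking the **Azure AD** link, not an option. "Clicking **Azure AD** takes you to ... and brings up ..." fixes that and also removes the mixed "will take ... brings up" tenses in the same sentence.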
@ -87,7 +87,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
![registration in azuread.](images/azure-ad-add-tenant14.png)
6. You will see a welcome page when the process completes.
6. You'll see a welcome page when the process completes.
![register screen of azuread](images/azure-ad-add-tenant15.png)

View File

@ -26,7 +26,7 @@ This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877).
The following shows the AllJoynManagement configuration service provider in tree format
The following example shows the AllJoynManagement configuration service provider in tree format
```
./Vendor/MSFT
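Review bot: the context line above the change has "The Private Profile must be set on the directly on the device itself", a doubled phrase; fix it to "must be set directly on the device" while this file is open. Also, "The following example shows the AllJoynManagement configuration service provider in tree format" mislabels the node tree as an example.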
@ -70,10 +70,10 @@ List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
<a href="" id="services-node-name-port"></a>**Services/*Node name*/Port**
The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports.
The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it's possible to specify more ports.
<a href="" id="services-node-name-port-node-name"></a>**Services/*Node name*/Port/**<strong>*Node name*</strong>
Port number used for communication. This is specified by the configurable AllJoyn object and reflected here.
Port number used for communication. This value is specified by the configurable AllJoyn object and reflected here.
<a href="" id="services-node-name-port-node-name-cfgobject"></a>**Services/*Node name*/Port/*Node name*/CfgObject**
The set of configurable interfaces that are available on the port of the AllJoyn object.
@ -89,7 +89,7 @@ This is the credential store. An administrator can set credentials for each AllJ
When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase.
<a href="" id="credentials-node-name"></a>**Credentials/**<strong>*Node name*</strong>
This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID.
This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It's typically implemented as a GUID.
<a href="" id="credentials-node-name-key"></a>**Credentials/*Node name*/Key**
An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard.
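Review bot: the rewritten line still opens with "This is the same service ID", the same unanchored "This is" construction the commit replaces elsewhere with "This value" and "This option"; "The node name is the same service ID specified in ..." says what "this" refers to.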
@ -128,7 +128,7 @@ SyncML xmlns="SYNCML:SYNCML1.2">
</SyncML>
```
You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting.
You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. The data is base-64 encoded representation of the configuration file that you're setting.
Get PIN data
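Review bot: "The data is base-64 encoded representation of the configuration file" is missing an article ("a base64-encoded representation"); the ApplicationControl file in this same commit writes "Base64-encoded", so align the spelling and hyphenation across the two files.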

View File

@ -13,10 +13,10 @@ ms.date: 09/10/2020
# ApplicationControl CSP
Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and hence doesn't schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The following shows the ApplicationControl CSP in tree format.
The following example shows the ApplicationControl CSP in tree format.
```
./Vendor/MSFT
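Review bot: replacing "consequently" with "hence" doesn't improve the sentence, which is still missing "the" in "detects the presence of no-reboot option"; fix that while the line is being edited. "The following example shows the ApplicationControl CSP in tree format" also mislabels the node tree as an example.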
@ -80,14 +80,14 @@ Scope is dynamic. Supported operation is Get.
Value type is char.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-iseffective"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective**
This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system.
This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system.
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
- True Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system.
- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default.
- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system.
- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-isdeployed"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed**
This node specifies whether a policy is deployed on the system and is present on the physical machine.
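Review bot: "This value is the default value." is redundant; "False is the default." says the same thing, and the original "This is the default" was at least not repetitive. The identical wording was used for the False bullets of IsDeployed and IsAuthorized in the next hunk, so change all three together.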
@ -97,17 +97,17 @@ Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
- True—Indicates that the policy is deployed on the system and is present on the physical machine.
- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default.
- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-isauthorized"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized**
This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system.
This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system.
Scope is dynamic. Supported operation is Get.
Value type is bool. Supported values are as follows:
- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system.
- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default.
- False—Indicates that the policy isn't authorized to be loaded by the enforcement engine on the system. This value is the default value.
The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes:
@ -144,7 +144,7 @@ For customers using Intune standalone or hybrid management with Configuration Ma
## Generic MDM Server Usage Guidance
In order to leverage the ApplicationControl CSP without using Intune, you must:
In order to use the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>` or `<PolicyTypeID>` for pre-1903 systems.
2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
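Review bot: "In order to use the ApplicationControl CSP without using Intune" now has "use ... using" back to back; "To use the ApplicationControl CSP without Intune, you must:" reads cleaner. In the trailing context, "policy xml" should be "policy XML".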
@ -171,7 +171,7 @@ To deploy base policy and supplemental policies:
1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
2. Repeat for each base or supplemental policy (with its own GUID and data).
The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD).
The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and doesn't need that reflected in the ADD).
#### Example 1: Add first base policy
@ -240,7 +240,7 @@ The following table displays the result of Get operation on different nodes:
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status|Was the deployment successful|
|./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName|Friendly name per the policy|
The following is an example of Get command:
An example of Get command is:
```xml
<Get>
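Review bot: "An example of Get command is:" drops the article ("a Get command") and reads worse than the line it replaces; "The following example shows a Get command:" keeps the page's "The following ..." convention. The same applies to "An example of Delete command is:" further down in this file.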
@ -257,7 +257,7 @@ The following is an example of Get command:
#### Rebootless Deletion
Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This sequence will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
#### Unsigned Policies
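Review bot: "fully deactive the policy on the next reboot" in the changed line is a typo for "deactivate"; fix it since the line was touched. "This sequence will immediately prevent anything from being blocked" could also say plainly that the device runs without application control enforcement from that moment until the reboot, which is the consequence an admin needs before choosing the rebootless path.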
@ -266,7 +266,7 @@ To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationCon
#### Signed Policies
> [!NOTE]
> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** is not sufficient to delete a signed policy.
> A signed policy by default can only be replaced by another signed policy. Hence, performing a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** isn't sufficient to delete a signed policy.
To delete a signed policy:
@ -274,7 +274,7 @@ To delete a signed policy:
2. Deploy another update with unsigned Allow All policy.
3. Perform delete.
The following is an example of Delete command:
An example of Delete command is:
```xml
<Delete>
@ -289,7 +289,7 @@ The following is an example of Delete command:
## PowerShell and WMI Bridge Usage Guidance
The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
### Setup for using the WMI Bridge
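Review bot: "Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting" separates the possessive from its noun with the parenthetical; "task sequence scripting in Microsoft Endpoint Manager Configuration Manager (MEMCM, formerly SCCM)" avoids that.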
@ -305,7 +305,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi
### Deploying a policy via WMI Bridge
Run the following command. PolicyID is a GUID which can be found in the policy xml, and should be used here without braces.
Run the following command. PolicyID is a GUID that can be found in the policy xml, and should be used here without braces.
```powershell
New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="<PolicyID>";Policy=$policyBase64}
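Review bot: "policy xml" should be "policy XML", and the comma in "found in the policy xml, and should be used here without braces" splits a single subject's two verbs; drop it. The PowerShell line relies on $namespace, $policyClassName and $policyBase64 being set in the setup section above this hunk; a short sentence saying so would help anyone who copies only this block.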

View File

@ -15,9 +15,9 @@ ms.date: 11/19/2019
# AppLocker CSP
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked.
The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked.
The following shows the AppLocker configuration service provider in tree format.
The following example shows the AppLocker configuration service provider in tree format.
```console
./Vendor/MSFT
@ -75,7 +75,7 @@ Defines restrictions for applications.
> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node.
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
> [!NOTE]
> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
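Review bot: the changed line contracts "there is" to "there's" but leaves "is not properly supported" and "will not work" in the two preceding sentences of the same note, so the contraction pass is half-applied within one paragraph; either contract all three or none.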
@ -83,7 +83,7 @@ Defines restrictions for applications.
Additional information:
<a href="" id="applocker-applicationlaunchrestrictions-grouping"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
Supported operations are Get, Add, Delete, and Replace.
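Review bot: "whose job it's to determine" is ungrammatical; in the inverted clause "whose job it is to ..." the verb "is" is stressed and can't be contracted. Revert this one. In the next context line, "Authority identifier" names something the section never defines (the node documented here is Grouping); check whether "Grouping identifier" was meant.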
@ -101,7 +101,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-exe-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
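Review bot: the sentence "The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection", repeated verbatim under EXE, MSI, Script and StoreApps, is confusing: EnforcementMode is an AppLocker node, not a node "for Windows Information Protection", and the parenthetical is given twice in two sentences. The intended point is that this setting doesn't turn WIP on or off; suggest "Setting EnforcementMode on this node doesn't affect Windows Information Protection (formerly Enterprise Data Protection). Use EDPEnforcementLevel in the Policy CSP to enable or disable WIP." and apply it to all four nodes.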
@ -125,7 +125,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-msi-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@ -144,7 +144,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-script-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@ -163,7 +163,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-storeapps-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@ -182,7 +182,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-applicationlaunchrestrictions-grouping-dll-enforcementmode"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
@ -211,7 +211,7 @@ Supported operations are Get, Add, Delete, and Replace.
<a href="" id="applocker-enterprisedataprotection"></a>**AppLocker/EnterpriseDataProtection**
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
You can set the allowed list using the following URI:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy
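Review bot: "In Windows 10, version 1607 the Windows Information Protection has a concept" needs a comma after "1607" and should read "Windows Information Protection has the concept of allowed and exempt applications". The contraction edit also leaves "the data handled by those applications aren't protected" treating "data" as plural; if this page follows the Microsoft style guide's singular "data", this should be "isn't protected" (and "is protected" in the clause before it). Since the paragraph states that exempt apps read enterprise data without encryption and gives compatibility problems as the only reason for exemption, consider making the last sentence an explicit recommendation to limit the exempt list to the critical apps that actually have those problems.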
@ -227,10 +227,10 @@ Exempt examples:
Additional information:
- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
- [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
<a href="" id="applocker-enterprisedataprotection-grouping"></a>**AppLocker/EnterpriseDataProtection/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
Supported operations are Get, Add, Delete, and Replace.
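Review bot: the contraction in "whose job it's to determine what their purpose is" is ungrammatical; "it is" cannot be contracted in "whose job it is to", so that line should keep "whose job it is". In the first changed line, "This prevention ensures an administrator doesn't ... and avoid known compatibility issues" needs "avoids" to agree with "ensures". The renamed link target "#recommended-blocklist-for-windows-information-protection" does match the heading rename in the last hunk of this file.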
@ -259,7 +259,7 @@ Data type is string.
Supported operations are Get, Add, Delete, and Replace.
1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive).
1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive).
2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**.
The **Device Portal** page opens on your browser.
@ -267,11 +267,11 @@ Supported operations are Get, Add, Delete, and Replace.
![device portal screenshot.](images/applocker-screenshot1.png)
3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps.
4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps.
![device portal app manager.](images/applocker-screenshot3.png)
5. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
![app manager.](images/applocker-screenshot2.png)
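Review bot: "drop- down menu" carries a stray space after the hyphen in both the old and the new line; it should be "drop-down menu". In the same step, "click on the application and you get the Version, Publisher, and PackageFullName displayed" reads better as "select the application to display its Version, Publisher, and PackageFullName".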
@ -281,9 +281,9 @@ The following table shows the mapping of information to the AppLocker publisher
|--- |--- |
|PackageFullName|ProductName<br><br> The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.|
|Publisher|Publisher|
|Version|Version<br> <br>This can be used either in the HighSection or LowSection of the BinaryVersionRange.<br> <br>HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
|Version|Version<br> <br>The version can be used either in the HighSection or LowSection of the BinaryVersionRange.<br> <br>HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.|
Here is an example AppLocker publisher rule:
Here's an example AppLocker publisher rule:
```xml
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*">
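Review bot: the Version row still has "version- independent" with a stray space after the hyphen, and "will provide higher than or lower than a specific version semantics" is hard to parse; suggest "Using a wildcard for only one of the values gives a rule that matches versions higher than, or lower than, a specific version." Because the row defines HighSection and LowSection as the bounds of what is trusted, it is worth stating plainly that a wildcard in both makes the rule trust every version of the binary, old or new.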
@ -307,7 +307,7 @@ Request URI:
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata
```
Here is the example for Microsoft OneNote:
Here's the example for Microsoft OneNote:
Request
@ -330,13 +330,13 @@ Result
|--- |--- |
|packageIdentityName|ProductName|
|publisherCertificateName|Publisher|
|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name. <br> <br> This value will only be present if there is a XAP package associated with the app in the Store. <br> <br>If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name. <br> <br> This value will only be present if there's a XAP package associated with the app in the Store. <br> <br>If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.|
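Review bot: "Same value maps to the ProductName and Publisher name" is missing its subject; "The same value maps to both ProductName and Publisher" is clearer. The closing sentence "One rule for AppX using ... and another one using the windowsPhoneLegacyId value" is a fragment and should be joined to the previous sentence with a colon. "AppX" is also capitalised differently from the `RuleCollection Type="Appx"` used in the XML examples further down; use "Appx" consistently.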
## <a href="" id="settingssplashapps"></a>Settings apps that rely on splash apps
These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps.
These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps.
The product name is first part of the PackageFullName followed by the version number.
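Review bot: the unchanged context line "The product name is first part of the PackageFullName" (the same wording appears in the mapping table above) is missing "the" before "first part". In the changed line, "These apps are blocked unless they're explicitly added to the list of allowed apps" should say which list is meant, since this file covers both the ApplicationLaunchRestrictions rules and the EnterpriseDataProtection allowed list.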
@ -526,7 +526,7 @@ The following example blocks the usage of the map application.
</SyncML>
```
The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
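Review bot: the new line opens a sentence with the code token `BinaryName="*"`; "Setting `BinaryName="*"` blocks every executable in the Mixed Reality Portal package" reads better. The element is referred to as **Binary/VersionRange** here but as BinaryVersionRange in the publisher-rule table above; the two names should agree with the attribute actually used in the XML example that follows.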
@ -1022,7 +1022,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
```
## Example for Windows 10 Holographic for Business
The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings.
The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, and Settings.
```xml
<RuleCollection Type="Appx" EnforcementMode="Enabled">
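Review bot: replacing "as well as" with "and" leaves "allows the minimum set of inbox apps to enable a working device, and Settings", which now reads as if Settings is enabled by the inbox apps. Suggest "denies all apps and allows only Settings and the minimum set of inbox apps needed for a working device".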
@ -1276,8 +1276,8 @@ The following example for Windows 10 Holographic for Business denies all apps an
</RuleCollection>
```
## Recommended deny list for Windows Information Protection
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
## Recommended blocklist for Windows Information Protection
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
In this example, Contoso is the node name. We recommend using a GUID for this node.
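Review bot: "and avoid known compatibility issues" should be "and avoids", agreeing with "ensures" earlier in the sentence; the same wording appears in the "Additional information" bullet earlier in this file. "denies known unenlightened Microsoft apps from accessing enterprise data" mixes two constructions; "prevents known unenlightened Microsoft apps from accessing" or "denies known unenlightened Microsoft apps access to" is cleaner. The heading rename to "Recommended blocklist" is consistent with the updated anchor in that bullet.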