Merge pull request #8596 from MicrosoftDocs/main

Publish main to live, Tuesday 10:30AM PDT, 7/25
2025-06-27 08:13:39 +00:00 · 2023-07-25 13:42:04 -04:00
parent 6ab2b04306 acf8721ffe
commit c684099f1b
90 changed files with 22954 additions and 24435 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@ -1,7 +1,7 @@
 ---
 title: Azure AD Join with Set up School PCs app
 description: Learn how Azure AD Join is configured in the Set up School PCs app.
-ms.topic: article
+ms.topic: conceptual
 ms.date: 08/10/2022
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@ -1,7 +1,7 @@
 ---
 title: Set up School PCs app technical reference overview
 description: Describes the purpose of the Set up School PCs app for Windows 10 devices.
-ms.topic: conceptual
+ms.topic: overview
 ms.date: 08/10/2022
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@ -1,7 +1,7 @@
 ---
 title: Set up Windows devices for education
 description: Decide which option for setting up Windows 10 is right for you.
-ms.topic: article
+ms.topic: conceptual
 ms.date: 08/10/2022
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
@ -9,11 +9,12 @@ appliesto:
 # Set up Windows devices for education
-You have two tools to choose from to set up PCs for your classroom: 
+You have two tools to choose from to set up PCs for your classroom:
 * Set up School PCs 
 * Windows Configuration Designer
-Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). 
+- Set up School PCs 
 - Windows Configuration Designer
 Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account).
 You can use the following diagram to compare the tools.
@ -29,4 +30,4 @@ You can use the following diagram to compare the tools.
 ## Related topics
 [Take tests in Windows](take-tests-in-windows.md)
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)S
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@ -1,8 +1,8 @@
 ---
 title: Windows 11 SE Overview
 description: Learn about Windows 11 SE, and the apps that are included with the operating system.
-ms.topic: article
+ms.topic: overview
-ms.date: 03/09/2023
+ms.date: 07/25/2023
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ms.collection:
@ -104,7 +104,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Dyknow`                                  | 7.9.13.7          | Win32    | `Dyknow`                                  |
 | `e-Speaking Voice and Speech recognition` | 4.4.0.11          | Win32    | `e-speaking`                              |
 | `EasyReader`                              | 10.0.4.498        | Win32    | `Dolphin Computer Access`                 |
-| `Easysense 2`                             | 1.32.0001         | Win32    | `Data Harvest`                            |                   
+| `Easysense 2`                             | 1.32.0001         | Win32    | `Data Harvest`                            |
 | `Epson iProjection`                       | 3.31              | Win32    | `Epson`                                   |
 | `eTests`                                  | 4.0.25            | Win32    | `CASAS`                                   |
 | `Exam Writepad`                           | 22.10.14.1834     | Win32    | `Sheldnet`                                |
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@ -1,30 +1,21 @@
 ---
 title: Windows 10 editions for education customers
 description: Learn about the two Windows 10 editions that are designed for the needs of education institutions.
-ms.topic: article
+ms.topic: conceptual
-ms.date: 08/10/2022
+ms.date: 07/25/2023
 appliesto:
  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Windows 10 editions for education customers
-Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620).
+Windows 10 offers various new features and functionalities, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/).
-Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/).
+Windows 10 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
 Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
 ## Windows 10 Pro Education
-Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions).
+Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions).
 For Cortana<sup>[1](#footnote1)</sup>:
 - If you're using version 1607, Cortana is removed.
 - If you're using new devices with version 1703 or later, Cortana is turned on by default.
 - If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled.
 You can use the **AllowCortana** policy to turn off Cortana. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
 Windows 10 Pro Education is available on new devices pre-installed with Windows 10, version 1607 or newer versions that are purchased with discounted K-12 academic licenses through OEM partners (these discounted licenses are sometimes referred to as National Academic or Shape the Future).
@ -38,13 +29,6 @@ Customers who deploy Windows 10 Pro are able to configure the product to have si
 Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions).
 For Cortana<sup>1</sup>:
 - If you're using version 1607, Cortana<sup>1</sup> is removed.
 - If you're using new devices with version 1703 or later, Cortana is turned on by default.
 - If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled.
 You can use the **AllowCortana** policy to turn off Cortana. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
 Windows 10 Education is available through Microsoft Volume Licensing. Customers who are already running Windows 10 Education can upgrade to Windows 10, version 1607 or newer versions through Windows Update or from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). We recommend Windows 10 Education to all K-12 customers as it provides the most complete and secure edition for education environments. If you don't have access to Windows 10 Education, contact your Microsoft representative or see more information [here](https://go.microsoft.com/fwlink/?LinkId=822628).
 Customers who deploy Windows 10 Enterprise are able to configure the product to have similar feature settings to Windows 10 Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions). We recommend that K-12 customers using commercial Windows 10 Enterprise read the [document](/windows/configuration/manage-tips-and-suggestions) and apply desired settings for your environment.
@ -52,14 +36,11 @@ Customers who deploy Windows 10 Enterprise are able to configure the product to
 For any other questions, contact [Microsoft Customer Service and Support](https://support.microsoft.com/en-us).
 ## Related topics
 - [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
 - [Windows deployment for education](./index.yml)
 - [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths)
 - [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10)
 - [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client)
 - [Windows 10 subscription activation](/windows/deployment/windows-10-subscription-activation)
-
+- 
 <a name="footnote1"></a><sup>1</sup> <small>Cortana available in select markets; experience may vary by region and device.</small>
--- a/windows/client-management/mdm/index.yml
+++ b/windows/client-management/mdm/index.yml
@ -12,7 +12,6 @@ metadata:
  ms.collection:
    - highpri
    - tier1
  ms.custom: intro-hub-or-landing
  author: vinaypamnani-msft
  ms.author: vinpa
  manager: aaroncz
--- a/windows/deployment/do/mcc-isp-cache-node-configuration.md
+++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md
@ -3,7 +3,7 @@ title: Cache node configuration
 manager: aaroncz
 description: Configuring a cache node on Azure portal
 ms.prod: windows-client
-author: amyzhou
+author: amymzhou
 ms.author: amyzhou
 ms.topic: article
 ms.date: 12/31/2017
@ -13,7 +13,7 @@ ms.collection: tier3
 # Cache node configuration
-All cache node configuration will take place within Azure portal. This article outlines all of the settings that you'll be able to configure. 
+All cache node configuration takes place within Azure portal. This article outlines all of the settings that you're able to configure. 
 ## Settings
--- a/windows/deployment/do/mcc-isp-faq.yml
+++ b/windows/deployment/do/mcc-isp-faq.yml
@ -3,7 +3,7 @@ metadata:
  title: Microsoft Connected Cache Frequently Asked Questions
  description: The following article is a list of frequently asked questions for Microsoft Connected Cache.
  author: amymzhou
-  ms.author: amymzhou
+  ms.author: amyzhou
  manager: aaroncz
  ms.collection:
    - highpri
--- a/windows/deployment/do/mcc-isp-update.md
+++ b/windows/deployment/do/mcc-isp-update.md
@ -3,7 +3,7 @@ title: Update or uninstall your cache node
 manager: aaroncz
 description: How to update or uninstall your cache node
 ms.prod: windows-client
-author: amyzhou
+author: amymzhou
 ms.author: amyzhou
 ms.topic: article
 ms.date: 12/31/2017
--- a/windows/deployment/do/mcc-isp-verify-cache-node.md
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md
@ -3,7 +3,7 @@ title: Verify cache node functionality and monitor health and performance
 manager: aaroncz
 description: How to verify the functionality of a cache node
 ms.prod: windows-client
-author: amyzhou
+author: amymzhou
 ms.author: amyzhou
 ms.topic: article
 ms.date: 12/31/2017
--- a/windows/deployment/do/mcc-isp-vm-performance.md
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@ -3,7 +3,7 @@ title: Enhancing cache performance
 manager: aaroncz
 description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
 ms.prod: windows-client
-author: amyzhou
+author: amymzhou
 ms.author: amyzhou
 ms.topic: reference
 ms.technology: itpro-updates
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@ -8,7 +8,7 @@ ms.author: mstewart
 manager: aaroncz
 ms.topic: article
 ms.technology: itpro-updates
-ms.date: 05/09/2023
+ms.date: 07/17/2023
 ms.reviewer: stevedia
 ---
@ -19,7 +19,7 @@ ms.reviewer: stevedia
 -   Windows 10
 -   Windows 11
-This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
+This article explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
 Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
@ -29,7 +29,7 @@ Whenever installation of a feature update starts (whether from media or an envir
 - Updates to Setup.exe binaries or other files that Setup uses for feature updates
 - Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
- Updates to the servicing stack necessary to complete the feature update (see [Servicing stack updates](servicing-stack-updates.md) for more information)
+- Updates to the servicing stack necessary to complete the feature update For more information, see [Servicing stack updates](servicing-stack-updates.md).
 - The latest cumulative (quality) update
 - Updates to applicable drivers already published by manufacturers specifically intended for Dynamic Update
@ -39,20 +39,40 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so
 ## Acquire Dynamic Update packages
-You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. For example, you could enter *1809 Dynamic Update x64*, which would return results like this:
+You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the needed files. The following tables show the key values to search for or look for in the results. 
-![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles.](images/update-catalog.png)
+### Windows 11, version 22H2 Dynamic Update packages
 **Title** can distinguish each Dynamic Package. Cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.
-The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in **bold** the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
+| Update packages                   |Title                                                          |
 |-----------------------------------|---------------------------------------------------------------|
 |Safe OS Dynamic Update             | YYYY-MM Safe OS Dynamic Update for Windows 11 Version 22H2    |
 |Setup Dynamic Update               | YYYY-MM Setup Dynamic Update for Windows 11 Version 22H2      |
 |Latest cumulative update           | YYYY-MM Cumulative Update for Windows 11 Version 22H2         |
 |Servicing stack Dynamic Update     | YYYY-MM Servicing Stack Update for Windows 11 Version 22H2    |
 |To find this Dynamic Update packages, search for or check the results here  |Title  |Product  |Description (select the **Title** link to see **Details**)  |
 |---------|---------|---------|---------|
 |Safe OS Dynamic Update      | 2019-08 Dynamic Update...        | Windows 10 Dynamic Update, Windows **Safe OS Dynamic Update**         | ComponentUpdate:        |
 |Setup Dynamic Update     | 2019-08 Dynamic Update...         | Windows 10 Dynamic Update        | **SetupUpdate**        |
 |Latest cumulative update     | 2019-08 **Cumulative Update for Windows 10**    |  Windows 10       |  Install this update to resolve issues in Windows...       |
 |Servicing stack Dynamic Update     | 2019-09 **Servicing Stack Update for Windows 10**        |  Windows 10...       | Install this update to resolve issues in Windows...        |
-If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, since Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image.
+### Windows 11, version 21H2 Dynamic Update packages
 **Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
 | Update packages                   |Title                                                          |Product                                       |Description       |
 |-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
 |Safe OS Dynamic Update             | YYYY-MM Dynamic Update for Windows 11                         |Windows Safe OS Dynamic Update                | ComponentUpdate  |
 |Setup Dynamic Update               | YYYY-MM Dynamic Update for Windows 11                         |Windows 10 and later Dynamic Update           | SetupUpdate      |
 |Latest cumulative update           | YYYY-MM Cumulative Update for Windows 11                      |                                              |                  |
 |Servicing stack Dynamic Update     | YYYY-MM Servicing Stack Update for Windows 11 Version 21H2    |                                              |                  |
 ### For Windows 10, version 22H2 Dynamic Update packages
 **Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
 | Update packages                   |Title                                                          |Product                                       |Description       |
 |-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
 |Safe OS Dynamic Update             | YYYY-MM Dynamic Update for Windows 10 Version 22H2            |Windows Safe OS Dynamic Update                | ComponentUpdate  |
 |Setup Dynamic Update               | YYYY-MM Dynamic Update for Windows 10 Version 22H2            |Windows 10 and later Dynamic Update           | SetupUpdate      |
 |Latest cumulative update           | YYYY-MM Cumulative Update for Windows 10 Version 22H2         |                                              |                  |
 |Servicing stack Dynamic Update     | YYYY-MM Servicing Stack Update for Windows 10 Version 22H2    |                                              |                  |
 If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, if Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image.
 ## Update Windows installation media
@ -63,56 +83,56 @@ Properly updating the installation media involves a large number of actions oper
 - Windows operating system: one or more editions of Windows stored in \sources\install.wim
 - Windows installation media: the complete collection of files and folders in the Windows installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
-This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding the Dynamic Update for Setup to the new media (26).
+This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
-|Task  |WinRE (winre.wim)  |WinPE (boot.wim)  |Operating system (install.wim)  | New media |
+|Task                               |WinRE (winre.wim)  |WinPE (boot.wim)  |Operating system (install.wim)  | New media |
-|---------|---------|---------|---------|------|
+|-----------------------------------|-------------------|------------------|--------------------------------|-----------|
-|Add servicing stack Dynamic Update     |  1       | 9        | 18        |
+|Add servicing stack Dynamic Update | 1                 | 9                | 18                             |           | 
-|Add language pack     | 2        |   10      |  19       |
+|Add language pack                  | 2                 | 10               | 19                             |           |
-|Add localized optional packages     |  3       | 11        |         |
+|Add localized optional packages    | 3                 | 11               |                                |           |
-|Add font support     |  4       |  12       |         |
+|Add font support                   | 4                 | 12               |                                |           |
-|Add text-to-speech      | 5        |   13      |         |
+|Add text-to-speech                 | 5                 | 13               |                                |           |
-|Update Lang.ini     |         |  14       |         |
+|Update Lang.ini                    |                   | 14               |                                |           |
-|Add Features on Demand     |         |         |  20       |
+|Add Features on Demand             |                   |                  | 20                             |           |
-|Add Safe OS Dynamic Update     | 6        |        |       |
+|Add Safe OS Dynamic Update         | 6                 |                  |                                |           |
-|Add Setup Dynamic Update     |         |         |         | 26
+|Add Setup Dynamic Update           |                   |                  |                                | 26        |
-|Add setup.exe from WinPE     |         |         |         | 27
+|Add setup.exe from WinPE           |                   |                  |                                | 27        |
-|Add boot manager from WinPE     |         |         |         | 28
+|Add boot manager from WinPE        |                   |                  |                                | 28        |
-|Add latest cumulative update     |         | 15        | 21        |
+|Add latest cumulative update       |                   | 15               | 21                             |           |
-|Clean up the image     |  7       | 16        | 22        |
+|Clean up the image                 | 7                 | 16               | 22                             |           |
-|Add Optional Components     |         |         |  23       |
+|Add Optional Components            |                   |                  | 23                             |           |
-|Add .NET and .NET cumulative updates     |         |        | 24        |
+|Add .NET and .NET cumulative updates |                 |                  | 24                             |           |
-|Export image     | 8        |  17       | 25        |
+|Export image                       | 8                 | 17               | 25                             |           |
 > [!NOTE]
 > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
 > [!NOTE]
-> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
+> Microsoft will remove the Flash component from Windows through KB4577586, "Update for Removal of Adobe Flash Player". You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
 ### Multiple Windows editions
-The main operating system file (install.wim) contains multiple editions of Windows. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
+The main operating system file (install.wim) contains multiple editions of Windows. It's possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
 ### Additional languages and features
 You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
-Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
 ## Windows PowerShell scripts to apply Dynamic Updates to an existing image
 These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages are stored locally in this folder structure:
-|Folder  |Description  |
+|Folder                     |Description                                                                                                                              |
-|---------|---------|
+|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
-|C:\mediaRefresh     |  Parent folder that contains the PowerShell script       |
+|C:\mediaRefresh            | Parent folder that contains the PowerShell script                                                                                       |
-|C:\mediaRefresh\oldMedia |  Folder that contains the original media that will be refreshed. For example, contains Setup.exe, and \sources folder.       |
+|C:\mediaRefresh\oldMedia   | Folder that contains the original media that will be refreshed. For example, contains Setup.exe, and \sources folder.                   |
-|C:\mediaRefresh\newMedia     | Folder that will contain the updated media. It is copied from \oldMedia, then used as the target for all update and cleanup operations.        |
+|C:\mediaRefresh\newMedia   | Folder that will contain the updated media. It's copied from \oldMedia, then used as the target for all update and cleanup operations. |
 ### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
 ```powershell
 #Requires -RunAsAdministrator
@ -126,8 +146,10 @@ $LANG  = "ja-jp"
 $LANG_FONT_CAPABILITY = "jpan"
 # Declare media for FOD and LPs
 # Note: Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the FOD ISO.
 # Language packs and the \Windows Preinstallation Environment packages are part of the LOF ISO.
 # If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO.
 $FOD_ISO_PATH    = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
 $LP_ISO_PATH     = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
 # Declare Dynamic Update packages
 $LCU_PATH        = "C:\mediaRefresh\packages\LCU.msu"
@ -144,24 +166,23 @@ $MAIN_OS_MOUNT   = "C:\mediaRefresh\temp\MainOSMount"
 $WINRE_MOUNT     = "C:\mediaRefresh\temp\WinREMount"
 $WINPE_MOUNT     = "C:\mediaRefresh\temp\WinPEMount"
-# Mount the language pack ISO
+# Mount the Features on Demand ISO
-Write-Output "$(Get-TS): Mounting LP ISO"
+Write-Output "$(Get-TS): Mounting FOD ISO"
-$LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
+$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
 # Note: Starting with Windows 11, version 21H2, the correct path for main OS language and optional features
 # moved to \LanguagesAndOptionalFeatures instead of the root. For Windows 10, use $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
 $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\LanguagesAndOptionalFeatures"
 # Declare language related cabs
-$WINPE_OC_PATH              = "$LP_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
+$WINPE_OC_PATH              = "$FOD_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
 $WINPE_OC_LANG_PATH         = "$WINPE_OC_PATH\$LANG"
 $WINPE_OC_LANG_CABS         = Get-ChildItem $WINPE_OC_LANG_PATH -Name
 $WINPE_OC_LP_PATH           = "$WINPE_OC_LANG_PATH\lp.cab"
 $WINPE_FONT_SUPPORT_PATH    = "$WINPE_OC_PATH\WinPE-FontSupport-$LANG.cab"
 $WINPE_SPEECH_TTS_PATH      = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
 $WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
-$OS_LP_PATH                 = "$LP_ISO_DRIVE_LETTER`:\x64\langpacks\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
+$OS_LP_PATH                 = "$FOD_PATH\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
 # Mount the Features on Demand ISO
 Write-Output "$(Get-TS): Mounting FOD ISO"
 $FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
 $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
 # Create folders for mounting images and storing temporary files
 New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
@ -199,7 +220,7 @@ Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MO
 # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
 # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined 
 # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and 
-# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined 
+# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined 
 # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined 
 # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the 
 # combined cumulative update can be installed. 
@ -231,7 +252,7 @@ Catch
 }
 # The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
-# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
 # update. This second approach is commented out below.
 # Write-Output "$(Get-TS): Adding package $SSU_PATH"
@ -288,7 +309,7 @@ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction
 # Perform image cleanup
 Write-Output "$(Get-TS): Performing image cleanup on WinRE"
-DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
 # Dismount
 Dismount-WindowsImage -Path $WINRE_MOUNT  -Save -ErrorAction stop | Out-Null
@ -301,7 +322,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim
 ### Update WinPE
-This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
+This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
 ```powershell
 #
@ -322,7 +343,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
    # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
    # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined 
    # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and 
-    # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined 
+    # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined 
    # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined 
    # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the 
    # combined cumulative update can be installed. 
@ -354,7 +375,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
    }
    # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
-    # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+    # but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
    # update. This second approach is commented out below.
    # Write-Output "$(Get-TS): Adding package $SSU_PATH"
@ -415,7 +436,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
    # Perform image cleanup
    Write-Output "$(Get-TS): Performing image cleanup on WinPE"
-    DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+    DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
    if ($IMAGE.ImageIndex -eq "2") {
@ -442,11 +463,11 @@ Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\
 ### Update the main operating system
-For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
+For this next phase, there's no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
 Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
-You can install Optional Components, along with the .NET feature, offline, but that will require the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
+You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
 ```powershell
 #
@ -458,7 +479,7 @@ You can install Optional Components, along with the .NET feature, offline, but t
 # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
 # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
 # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
-# cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
+# cases, the servicing stack update is not published separately; the combined cumulative update should be used for this step. However, in hopefully
 # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published, 
 # and installed first before the combined cumulative update can be installed. 
@ -471,7 +492,7 @@ Write-Output "$(Get-TS): Adding package $LCU_PATH"
 Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null  
 # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
-# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
 # update. This second approach is commented out below.
 # Write-Output "$(Get-TS): Adding package $SSU_PATH"
@ -590,7 +611,6 @@ Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
 # Dismount ISO images
 Write-Output "$(Get-TS): Dismounting ISO images"
 Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
 Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
 Write-Output "$(Get-TS): Media refresh completed!"
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@ -38,11 +38,9 @@
              href: deploy/windows-autopatch-device-registration-overview.md
            - name: Register your devices
              href: deploy/windows-autopatch-register-devices.md
-            - name: Windows Autopatch groups experience
+            - name: Windows Autopatch groups overview
-              href:
+              href: deploy/windows-autopatch-groups-overview.md
              items:
                - name: Windows Autopatch groups overview
                  href: deploy/windows-autopatch-groups-overview.md
                - name: Manage Windows Autopatch groups
                  href: deploy/windows-autopatch-groups-manage-autopatch-groups.md
            - name: Post-device registration readiness checks
@ -50,98 +48,57 @@
    - name: Operate
      href: 
      items:
-        - name: Windows Autopatch groups experience
+        - name: Software update management
-          href:
+          href: operate/windows-autopatch-groups-update-management.md
          items:
-            - name: Software update management
+              - name: Windows updates
-              href: operate/windows-autopatch-groups-update-management.md
+                href:
                items:
                  - name: Customize Windows Update settings
                    href: operate/windows-autopatch-groups-windows-update.md
                  - name: Windows quality updates
                    href: operate/windows-autopatch-groups-windows-quality-update-overview.md
                    items:
                      - name: Windows quality update end user experience
                        href: operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
                      - name: Windows quality update signals
                        href: operate/windows-autopatch-groups-windows-quality-update-signals.md
                      - name: Windows quality update communications
                        href: operate/windows-autopatch-groups-windows-quality-update-communications.md
                  - name: Windows feature updates
                    href: operate/windows-autopatch-groups-windows-feature-update-overview.md
                    items:
                      - name: Manage Windows feature updates
                        href: operate/windows-autopatch-groups-manage-windows-feature-update-release.md
                  - name: Microsoft 365 Apps for enterprise
                    href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
                  - name: Microsoft Edge
                    href: operate/windows-autopatch-edge.md
                  - name: Microsoft Teams
                    href: operate/windows-autopatch-teams.md
        - name: Windows quality and feature update reports
          href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
          items:
            - name: Windows quality update reports
              href:
              items:
-                - name: Windows updates
+                - name: Summary dashboard
-                  href:
+                  href: operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
-                  items:
+                - name: Quality update status report
-                    - name: Customize Windows Update settings
+                  href: operate/windows-autopatch-groups-windows-quality-update-status-report.md
-                      href: operate/windows-autopatch-groups-windows-update.md
+                - name: Quality update trending report
-                    - name: Windows quality updates
+                  href: operate/windows-autopatch-groups-windows-quality-update-trending-report.md
-                      href: operate/windows-autopatch-groups-windows-quality-update-overview.md
+            - name: Windows feature update reports
-                      items:
+              href:
                        - name: Windows quality update end user experience
                          href: operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
                        - name: Windows quality update signals
                          href: operate/windows-autopatch-groups-windows-quality-update-signals.md
                        - name: Windows quality update communications
                          href: operate/windows-autopatch-groups-windows-quality-update-communications.md
                    - name: Windows feature updates
                      href: operate/windows-autopatch-groups-windows-feature-update-overview.md
                      items:
                        - name: Manage Windows feature updates
                          href: operate/windows-autopatch-groups-manage-windows-feature-update-release.md
            - name: Windows quality and feature update reports
              href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
              items:
-                - name: Windows quality update reports
+                - name: Summary dashboard
-                  href:
+                  href: operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
-                  items:
+                - name: Feature update status report
-                    - name: Summary dashboard
+                  href: operate/windows-autopatch-groups-windows-feature-update-status-report.md
-                      href: operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
+                - name: Feature update trending report
-                    - name: Quality update status report
+                  href: operate/windows-autopatch-groups-windows-feature-update-trending-report.md
-                      href: operate/windows-autopatch-groups-windows-quality-update-status-report.md
+            - name: Windows quality and feature update device alerts
-                    - name: Quality update trending report
+              href: operate/windows-autopatch-device-alerts.md
                      href: operate/windows-autopatch-groups-windows-quality-update-trending-report.md
                - name: Windows feature update reports
                  href:
                  items:
                    - name: Summary dashboard
                      href: operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
                    - name: Feature update status report
                      href: operate/windows-autopatch-groups-windows-feature-update-status-report.md
                    - name: Feature update trending report
                      href: operate/windows-autopatch-groups-windows-feature-update-trending-report.md
                - name: Windows quality and feature update device alerts
                  href: operate/windows-autopatch-device-alerts.md
        - name: Classic experience
          href:
          items:  
            - name: Software update management
              href: operate/windows-autopatch-update-management.md
              items:
                - name: Windows updates
                  href:
                  items:
                    - name: Customize Windows Update settings
                      href: operate/windows-autopatch-windows-update.md
                    - name: Windows quality updates
                      href: operate/windows-autopatch-windows-quality-update-overview.md
                      items:
                        - name: Windows quality update end user experience
                          href: operate/windows-autopatch-windows-quality-update-end-user-exp.md
                        - name: Windows quality update signals
                          href: operate/windows-autopatch-windows-quality-update-signals.md
                        - name: Windows quality update communications
                          href: operate/windows-autopatch-windows-quality-update-communications.md
                        - name: Windows quality update reports
                          href: operate/windows-autopatch-windows-quality-update-reports-overview.md
                          items:
                            - name: Summary dashboard
                              href: operate/windows-autopatch-windows-quality-update-summary-dashboard.md
                            - name: All devices report
                              href: operate/windows-autopatch-windows-quality-update-all-devices-report.md
                            - name: All devices report—historical
                              href: operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
                            - name: Eligible devices report—historical
                              href: operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
                            - name: Ineligible devices report—historical
                              href: operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
                    - name: Windows feature updates
                      href: operate/windows-autopatch-windows-feature-update-overview.md
                      items:
                        - name: Windows feature update end user experience
                          href: operate/windows-autopatch-windows-feature-update-end-user-exp.md
                - name: Microsoft 365 Apps for enterprise
                  href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
                - name: Microsoft Edge
                  href: operate/windows-autopatch-edge.md
                - name: Microsoft Teams
                  href: operate/windows-autopatch-teams.md
        - name: Policy health and remediation
          href: operate/windows-autopatch-policy-health-and-remediation.md
        - name: Maintain the Windows Autopatch environment
@ -166,8 +123,6 @@
              href: references/windows-autopatch-microsoft-365-policies.md
        - name: Changes made at tenant enrollment
          href: references/windows-autopatch-changes-to-tenant.md
        - name: Windows Autopatch groups public preview addendum
          href: references/windows-autopatch-groups-public-preview-addendum.md
        - name: Driver and firmware updates public preview addendum
          href: references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
    - name: What's new
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@ -1,7 +1,7 @@
 ---
 title: Device registration overview
 description: This article provides an overview on how to register devices in Autopatch
-ms.date: 06/06/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -26,9 +26,7 @@ The overall device registration process is as follows:
 :::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
 1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch.
-2. IT admin identifies devices to be managed by Windows Autopatch through either adding:
+2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Azure AD groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
    1. The devices into the Windows Autopatch Device Registration (classic) Azure Active Directory (AD) group.
    2. Device-based Azure AD groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
 3. Windows Autopatch then:
    1. Performs device readiness prior registration (prerequisite checks).
    2. Calculates the deployment ring distribution.
@ -48,7 +46,7 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 | Step | Description |
 | ----- | ----- |
 | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
-| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group when using the:<ul><li> [Classic device registration method](../deploy/windows-autopatch-register-devices.md#classic-device-registration-method), or </li><li>Adding existing device-based Azure AD groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group</li></ul> |
+| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group when using adding existing device-based Azure AD groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group</li></ul> |
 | **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group or from Azure AD groups used with Autopatch groups in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.<ol><li>Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
 | **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
 | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
@ -82,9 +80,6 @@ The following four Azure AD assigned groups are used to organize devices for the
 The five Azure AD assigned groups that are used to organize devices for the software update-based deployment ring set within the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition):
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 | Software updates-based deployment ring | Description |
 | ----- | ----- |
 | Windows Autopatch - Test | Deployment ring for testing software updates-based deployments prior production rollout. |
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@ -1,7 +1,7 @@
 ---
 title: Manage Windows Autopatch groups
 description: This article explains how to manage Autopatch groups
-ms.date: 06/05/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Manage Windows Autopatch groups (public preview)
+# Manage Windows Autopatch groups
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey.
@ -61,9 +58,6 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 > [!TIP]
 > [Update rings](/mem/intune/protect/windows-10-update-rings) and [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies that are created and managed by Windows Autopatch can be restored using the [Policy health](../operate/windows-autopatch-policy-health-and-remediation.md) feature. For more information on remediation actions, see [restore Windows update policies](../operate/windows-autopatch-policy-health-and-remediation.md#restore-windows-update-policies).
 > [!NOTE]
 > During the public preview, Autopatch groups opt-in page will show a banner to let you know when one or more prerequisites are failing. Once you remediate the issue to meet the prerequisites, it can take up to an hour for your tenant to have the "Use preview" button available.
 ## Create a Custom Autopatch group
 > [!NOTE]
@ -75,9 +69,6 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
 1. Select **Devices** from the left navigation menu.
 1. Under the **Windows Autopatch** section, select **Release management**.
 1. In the **Release management** blade, select **Autopatch groups (preview)**.
 1. Only during the public preview:
    1. Review the [Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md) and the [Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md).
    1. Select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Autopatch groups. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
 1. In the **Autopatch groups** blade, select **Create**.
 1. In **Basics** page, enter a **name** and a **description** then select **Next: Deployment rings**.
    1. Enter up to 64 characters for the Autopatch group name and 150 characters maximum for the description. The Autopatch group name is appended to both the update rings and the DSS policy names that get created once the Custom Autopatch group is created.
@ -190,31 +181,3 @@ When you create or edit the Custom or Default Autopatch group, Windows Autopatch
 #### Device conflict post device registration
 Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#manage-device-conflict-scenarios-when-using-autopatch-groups) section even after devices were successfully registered with the service.
 ## Known issues
 This section lists known issues with Autopatch groups during its public preview.
 ### Autopatch group Azure AD group remediator
 - **Status: Active**
 The Windows Autopatch team is aware that the Windows Autopatch service isn't automatically restoring the Azure AD groups that get created during the Autopatch groups creation/editing process. If the following Azure AD groups, that belong to the Default Autopatch group and other Azure AD groups that get created with Custom Autopatch groups, are deleted or renamed, they won't be automatically remediated on your behalf yet:
 - Windows Autopatch – Test
 - Windows Autopatch – Ring1
 - Windows Autopatch – Ring2
 - Windows Autopatch – Ring3
 - Windows Autopatch – Last
 The Windows Autopatch team is currently developing the Autopatch group Azure AD group remediator feature and plan to make it available during public preview.
 > [!NOTE]
 > The Autopatch group remediator won't remediate the service-based deployment rings:
 > 
 > - Modern Workplace Devices-Windows Autopatch-Test
 > - Modern Workplace Devices-Windows Autopatch-First
 > - Modern Workplace Devices-Windows Autopatch-Fast
 > - Modern Workplace Devices-Windows Autopatch-Broad
 > 
 > Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. For more information, see [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups).
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
@ -1,7 +1,7 @@
 ---
 title: Windows Autopatch groups overview
 description: This article explains what Autopatch groups are
-ms.date: 05/03/2023
+ms.date: 07/20/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Windows Autopatch groups overview (public preview)
+# Windows Autopatch groups overview
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they’re challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups help organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions.
@ -243,9 +240,6 @@ Autopatch groups works with the following software update workloads:
 - [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md)
 - [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
 > [!IMPORTANT]
 > [Microsoft Edge](../operate/windows-autopatch-edge.md) and [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) are supported through the (classic) service-based deployment rings. Other software update workloads aren’t currently supported.
 ### Maximum number of Autopatch groups
 Windows Autopatch supports up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings.
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@ -1,7 +1,7 @@
 ---
 title: Register your devices
 description: This article details how to register devices in Autopatch
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -23,49 +23,21 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev
 Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads:
- Windows quality updates
+- [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md)
-    - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-quality-update-overview.md)
+- [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
-    - [Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md)
+- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
- Windows feature updates
+- [Microsoft Edge updates](../operate/windows-autopatch-edge.md)
-    - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
+- [Microsoft Teams updates](../operate/windows-autopatch-teams.md)
    - [Classic experience](../operate/windows-autopatch-windows-feature-update-overview.md)
 - The following software update workloads use the Classic experience:
    - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
    - [Microsoft Edge updates](../operate/windows-autopatch-edge.md)
    - [Microsoft Teams updates](../operate/windows-autopatch-teams.md)
-### About the use of an Azure AD group to register devices
+### Windows Autopatch groups device registration
-Windows Autopatch provides two methods of registering devices with its service, the [Classic](#classic-device-registration-method) and the Autopatch groups device registration method.
+When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Azure AD groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.  
 #### Classic device registration method
 This method is intended to help organizations that don’t require the use of [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or additional customizations to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to register devices.
 You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods:
 - Direct membership
 - Nesting other Azure AD dynamic/assigned groups
 - [Bulk add/import group members](/azure/active-directory/enterprise-users/groups-bulk-import-members)
 Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices.
 You can also use the **Discover devices** button in either the Registered or Not ready tab to register devices on demand. The **Discover devices** button scans for devices to be registered in the **Windows Autopatch Device Registration** or any other Azure AD group used with either the Default or Custom Autopatch groups.
 #### Windows Autopatch groups device registration method
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 This method is intended to help organizations that require the use of [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or additional customizations to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
 When you either create/edit a Custom Autopatch group or edit the Default Autopatch group to add or remove deployment rings, the device-based Azure AD groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.  
 If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Azure AD groups instead of the Windows Autopatch Device Registration group.
 For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method.
-##### Supported scenarios when nesting other Azure AD groups
+#### Supported scenarios when nesting other Azure AD groups
 Windows Autopatch also supports the following Azure AD nested group scenarios:
@ -74,8 +46,6 @@ Azure AD groups synced up from:
 - On-premises Active Directory groups (Windows Server AD)
 - [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync)
 The Azure AD groups apply to both the [Classic](#classic-device-registration-method) and the [Autopatch group device registration](#windows-autopatch-groups-device-registration-method) methods.
 > [!WARNING]
 > It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group.
@ -95,9 +65,6 @@ It's recommended to detect and clean up stale devices in Azure AD before registe
 ## Prerequisites for device registration
 > [!IMPORTANT]
 > The following prerequisites apply to both the [Classic](#classic-device-registration-method) and the [Autopatch groups device registration](#windows-autopatch-groups-device-registration-method) methods.
 To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
 - Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture).
@ -122,7 +89,7 @@ For more information, see [Windows Autopatch Prerequisites](../prepare/windows-a
 ## About the Registered, Not ready and Not registered tabs
 > [!IMPORTANT]
-> Devices registered through either the [Classic](#classic-device-registration-method) or the [Autopatch groups device registration method](#windows-autopatch-groups-device-registration-method) can appear in the Registered, Not ready, or Not registered tabs. When devices successfully register with the service, the devices are listed in the Registered tab. However, even if the device(s)is successfully registered, they can be part of Not ready tab. If devices fail to register, the devices are listed in the Not registered tab.
+> Registered devices can appear in the Registered, Not ready, or Not registered tabs. When devices successfully register with the service, the devices are listed in the Registered tab. However, even if the device(s)is successfully registered, they can be part of Not ready tab. If devices fail to register, the devices are listed in the Not registered tab.
 Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness statuses so the IT admin knows where to go to monitor, and fix potential device health issues.
@ -171,33 +138,6 @@ Registering your devices with Windows Autopatch does the following:
 For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md).
 ## Steps to register devices using the classic method
 > [!IMPORTANT]
 > For more information, see [Create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [Edit Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) on how to register devices using the Autopatch groups device registration method.
 Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices should be registered with Windows Autopatch from the Windows 365 provisioning policy.
 For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads).
 Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group.
 **To register devices with Windows Autopatch using the classic method:**
 1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Devices**.
 4. Select either the **Registered** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group.
 > [!NOTE]
 > The **Windows Autopatch Device Registration** hyperlink is in the center of the Registered tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Registered** and **Not registered** tabs.
 Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service.
 > [!TIP]
 > You can also use the **Discover Devices** button in either one of the **Registered**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf.
 ### Windows Autopatch on Windows 365 Enterprise Workloads
 Windows 365 Enterprise gives IT admins the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin.
@ -224,7 +164,7 @@ For more information, see [Create a Windows 365 Provisioning Policy](/windows-36
 Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing device registration process.
-Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](#steps-to-register-devices-using-the-classic-method). However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified.
+Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](#windows-autopatch-groups-device-registration). However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified.
 #### Prerequisites
@ -242,7 +182,7 @@ The following Azure Virtual Desktop features aren’t supported:
 #### Deploy Autopatch on Azure Virtual Desktop
-Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your [physical devices](#steps-to-register-devices-using-the-classic-method).
+Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your [physical devices](#windows-autopatch-groups-device-registration).
 For ease of deployment, we recommend nesting a dynamic device group in your Autopatch device registration group. The dynamic device group would target the **Name** prefix defined in your session host, but **exclude** any Multi-Session Session Hosts. For example:
--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@ -11,7 +11,6 @@ metadata:
  author: tiaraquan #Required; your GitHub user alias, with correct capitalization.
  ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
  ms.date: 05/30/2022 #Required; mm/dd/yyyy format.
  ms.custom: intro-hub-or-landing
  ms.prod: windows-client
  ms.technology: itpro-updates
  ms.collection:
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
@ -1,7 +1,7 @@
 ---
 title: Device alerts
 description: Provide notifications and information about the necessary steps to keep your devices up to date. 
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Device alerts (public preview)
+# Device alerts
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information will help you understand:
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
@ -1,7 +1,7 @@
 ---
 title: Manage Windows feature update releases
 description: This article explains how you can manage Windows feature updates with Autopatch groups
-ms.date: 05/05/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Manage Windows feature update releases: Windows Autopatch groups experience (public preview) 
+# Manage Windows feature update releases
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 You can create custom releases for Windows feature update deployments in Windows Autopatch.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
@ -1,7 +1,7 @@
 ---
 title: Software update management for Autopatch groups
 description: This article provides an overview of how updates are handled with Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: overview
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Software update management: Windows Autopatch groups experience (public preview)
+# Software update management
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf.
@ -26,12 +23,12 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut
 | Software update workload | Description |
 | ----- | ----- |
-| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see:<ul><li>[Windows Autopatch groups experience](../operate/windows-autopatch-groups-windows-quality-update-overview.md)</li><li>[Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md) |
+| Windows quality update | Windows Autopatch uses four deployment rings to manage [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) |
-| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see: <ul><li>[Windows Autopatch groups experience](windows-autopatch-groups-windows-feature-update-overview.md)</li><li>[Classic experience](windows-autopatch-windows-feature-update-overview.md)</li></ul> |
+| Windows feature update | Windows Autopatch uses four deployment rings to manage [Windows feature updates](windows-autopatch-groups-windows-feature-update-overview.md) |
 | Anti-virus definition | Updated with each scan. |
-| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). This software update workload uses the classic experience. |
+| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
-| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). This software update workload uses the classic experience. |
+| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
-| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). This software update workload uses the classic experience. |
+| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). |
 ## Autopatch groups
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
@ -1,7 +1,7 @@
 ---
-title: Windows feature updates overview with Autopatch groups
+title: Windows feature updates overview
 description: This article explains how Windows feature updates are managed with Autopatch groups
-ms.date: 05/03/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Windows feature updates overview: Autopatch groups experience (public preview) 
+# Windows feature updates overview
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
@ -1,7 +1,7 @@
 ---
 title: Feature update status report
 description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Feature update status report (public preview)
+# Feature update status report
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.  
@ -62,6 +59,10 @@ The following information is available as optional columns in the Feature update
 | User Last Logged On | The last user who logged on as reported from Intune |
 | Primary User UPN | The Primary User UPN as reported from Intune |
 | Hex Error Code | The hex error provided from Windows Update |
 | Feature Update Installed Time | The time the update was installed as reported from Windows Update |
 | Servicing Channel | The Client Servicing Channel as defined in Windows Update |
 | Phase | The phase as indicated from the Feature Update Release Scheduled |
 | Release | The release the devices are associated with |
 > [!NOTE]
 > The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
@ -1,7 +1,7 @@
 ---
 title: Windows feature update summary dashboard
 description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Windows feature update summary dashboard (public preview)
+# Windows feature update summary dashboard
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 The summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
@ -1,7 +1,7 @@
 ---
 title: Feature update trending report
 description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -15,17 +15,14 @@ ms.collection:
  - tier1
 ---
-# Feature update trending report (public preview)
+# Feature update trending report
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 Windows Autopatch provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
 **To view the Feature update trending report:**
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates (public preview)**.
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates**.
 1. Select the **Reports** tab.
 1. Select **Feature update trending**.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
@ -1,7 +1,7 @@
 ---
-title: Windows quality and feature update reports overview with Windows Autopatch Groups experience
+title: Windows quality and feature update reports overview
 description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Windows quality and feature update reports overview: Windows Autopatch groups experience (public preview)
+# Windows quality and feature update reports overview
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 ## Windows quality reports
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
@ -1,7 +1,7 @@
 ---
 title: Windows quality update communications for Autopatch groups
 description: This article explains Windows quality update communications for Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -15,11 +15,7 @@ ms.collection:
  - tier1
 ---
-# Windows quality update communications: Windows Autopatch groups experience (public preview) 
+# Windows quality update communications
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 There are three categories of communication that are sent out during a Windows quality and feature update:
@ -45,9 +41,6 @@ Communications are posted to, as appropriate for the type of communication, to t
 ### Opt out of receiving emails for standard communications
 > [!IMPORTANT]
 > This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
 If you don't want to receive standard communications for Windows Updates releases via email, you can choose to opt out.
 **To opt out of receiving emails for standard communications:**
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
@ -1,7 +1,7 @@
 ---
 title: Windows quality update end user experience for Autopatch groups
 description: This article explains the Windows quality update end user experience using the Autopatch groups exp
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Windows quality update end user experience: Windows Autopatch groups experience (public preview) 
+# Windows quality update end user experience
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 ## User notifications  
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@ -1,7 +1,7 @@
 ---
 title: Windows quality updates overview with Autopatch groups experience
 description: This article explains how Windows quality updates are managed with Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Windows quality updates: Windows Autopatch groups experience (public preview) 
+# Windows quality updates
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
@ -1,7 +1,7 @@
 ---
 title: Windows quality update release signals with Autopatch groups
 description: This article explains the Windows quality update release signals with Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Windows quality update signals: Windows Autopatch groups experience (public preview) 
+# Windows quality update signals
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
@ -1,7 +1,7 @@
 ---
 title: Quality update status report
 description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices with Autopatch groups.
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Quality update status report (public preview)
+# Quality update status report
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 The Quality update status report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
@ -65,6 +62,9 @@ The following information is available as optional columns in the Quality update
 | User Last Logged On | The last user who logged on as reported from Intune |
 | Primary User UPN | The Primary User UPN as reported from Intune |
 | Hex Error Code | The hex error provided from Windows Update |
 | Cadence Type | The cadence type configured in the quality update ring schedule |
 | Quality update Installed Time | The time the update was installed as reported from Windows Update |
 | Servicing Channel | The Client Servicing Channel as defined in Windows Update |
 > [!NOTE]
 > The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
@ -1,7 +1,7 @@
 ---
 title: Windows quality update summary dashboard
 description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Windows quality update summary dashboard (public preview)
+# Windows quality update summary dashboard
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 The summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Quality update trending report (public preview)
+# Quality update trending report
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 The Quality update trending report provides a visual representation of the update status trend for all devices over the last 90 days.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
@ -1,7 +1,7 @@
 ---
 title: Customize Windows Update settings Autopatch groups experience
 description: How to customize Windows Updates with Autopatch groups
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -15,13 +15,7 @@ ms.collection:
  - tier1
 ---
-# Customize Windows Update settings: Autopatch groups experience (public preview) 
+# Customize Windows Update settings
 > [!IMPORTANT]
 > This feature is in **public preview**. The feature is being actively developed, and may not be complete. You can test and use these features in production environments and provide feedback.
 > [!IMPORTANT]
 > Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.<p>The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.</p><br>**To opt-in to use Windows Autopatch groups:**<ol><li>Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.</li><li>Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.</li><li>Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).</li></ol>
 You can customize the Windows Update deployment schedule for each deployment ring in Windows Autopatch groups per your business and organizational needs. This capability is allowed for both [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) and [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups). However, we recommend that you remain within service defined boundaries to maintain compliance.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
@ -1,7 +1,7 @@
 ---
 title: policy health and remediation
 description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service
-ms.date: 05/01/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@ -15,10 +15,7 @@ ms.collection:
  - tier1
 ---
-# Policy health and remediation (public preview)
+# Policy health and remediation
 > [!IMPORTANT]
 > This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
 Windows Autopatch uses Microsoft Intune policies to set configurations and deliver the service. Windows Autopatch continuously monitors the policies and maintains all configurations related to the operation of the service.
@ -61,7 +58,7 @@ The minimum role required to restore configurations is **Intune Service Administ
 There will be an alert for each policy that is missing or has deviated from the service defined values.
-## Restore Windows update policies  
+## Restore Windows Update policies  
 **To initiate remediation actions for Windows quality update policies:**
@ -83,19 +80,14 @@ There will be an alert for each policy that is missing or has deviated from the
 ## Restore deployment groups  
-**To initiate remediation action for missing groups:**
+Windows Autopatch will automatically restore any missing groups that are required by the service. When a missing deployment group is restored, and the policies are also missing, the policies be restored to the deployment groups.
-1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+If policies are misconfigured or unassigned, admins must restore them. In the Release management blade, the service will raise a Policy error workflow that you must complete to repair Windows Update policies. All other policies must be restored from the Tenant administration blade.
 1. Navigate to **Tenant administration** > **Tenant management** > **Actions**.
 1. Select **Restore missing group** to launch the workflow.
 1. Review the message and select **Restore group**.
-When a missing deployment group is restored, the policies will be reassigned back to the deployment groups. In the Release management blade, the service will raise a Policy Error that you'll need to complete to repair Windows Update policies. Due to the asynchronous run of service detectors, it may take up to four (4) hours for this error to be displayed.
+Due to the asynchronous run of service detectors, it might take up to four (4) hours for this error to be displayed.
 > [!NOTE]
-> While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.<p>Alerts will remain active until an IT admin completes the action to restore them to a healthy state.</p>
+> While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.<p>Alerts will remain active until an IT admin completes the action to restore them to a healthy state.</p><p>There are no Autopatch reports for policy alerts and actions at this time.</p>
 There are no Autopatch reports for policy alerts and actions at this time.
 ## Use audit logs to track actions in Microsoft Intune
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@ -1,107 +0,0 @@
 ---
 title: Software update management
 description: This article provides an overview of how updates are handled in Autopatch
 ms.date: 08/08/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: overview
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: andredm7
 ms.collection:
  - highpri
  - tier1
 ---
 # Software update management
 Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf.
 ## Software update workloads
 | Software update workload | Description |
 | ----- | ----- |
 | Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md). |
 | Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-windows-feature-update-overview.md).
 | Anti-virus definition | Updated with each scan. |
 | Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
 | Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
 | Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). |
 ## Windows Autopatch deployment rings
 During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenant.md), Windows Autopatch creates four Azure AD assigned groups that are used to segment devices into its deployment rings:
 | Ring | Description |
 | ----- | ----- |
 | **Modern Workplace Devices-Windows Autopatch-Test** | Deployment ring for testing update deployments prior production rollout.|
 | **Modern Workplace Devices-Windows Autopatch-First** | First production deployment ring for early adopters.|
 | **Modern Workplace Devices-Windows Autopatch-Fast** | Fast deployment ring for quick rollout and adoption. |
 | **Modern Workplace Devices-Windows Autopatch-Broad** | Final deployment ring for broad rollout into the organization. |
 Each deployment ring has a different set of update deployment policies to control the updates rollout.
 > [!WARNING]
 > Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
 > [!IMPORTANT]
 > Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
 Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment.
 > [!NOTE]
 > You can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service.
 ### Deployment ring calculation logic
 The Windows Autopatch deployment ring calculation happens during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md) and it works as follows:
 - If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**.
 - If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**.
 | Deployment ring | Default device balancing percentage | Description |
 | ----- | ----- | ----- |
 | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:<br><ul><li>**0–500** devices: minimum **one** device.</li><li>**500–5000** devices: minimum **five** devices.</li><li>**5000+** devices: minimum **50** devices.</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
 | First |  **1%** | The First ring is the first group of production users to receive a change.<p><p>This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.<p><p>Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
 | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.<p><p>The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.</p> |
 | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.|
 ## Moving devices in between deployment rings
 If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab.
 **To move devices in between deployment rings:**
 1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
 2. In the **Windows Autopatch** section, select **Devices**.
 3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify.
 4. Select **Device actions** from the menu.
 5. Select **Assign device to ring**. A fly-in opens.
 6. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**.
 When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment.
 > [!NOTE]
 > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.<p>If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
 > [!WARNING]
 > Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
 ## Automated deployment ring remediation functions
 Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
 - Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
 - An issue occurred which prevented devices from getting a deployment ring assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md).
 There are two automated deployment ring remediation functions:
 | Function | Description |
 | ----- | ----- |
 | **Check Device Deployment Ring Membership** | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If, for some reason, a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). |
 | **Multi-deployment ring device remediator:**| Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). If, for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring.|
 > [!IMPORTANT]
 > Windows Autopatch automated deployment ring functions doesn't assign or remove devices to or from the **Modern Workplace Devices-Windows Autopatch-Test** ring.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
@ -1,85 +0,0 @@
 ---
 title: Windows feature update end user experience
 description: This article explains the Windows feature update end user experience
 ms.date: 07/11/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: hathind
 ms.collection:
  - highpri
  - tier1
 ---
 # Windows feature update end user experience
 Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing restarts during business hours.
 ## User notifications  
 In this section we'll review what an end user would see in the following three scenarios:
 1. Typical update experience
 2. Feature update deadline forces an update
 3. Feature update grace period
 > [!NOTE]
 > Windows Autopatch doesn't yet support feature updates without notifying end users.<p>The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification.</p>
 ### Typical update experience
 In this example, we'll be discussing a device in the First ring. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
 1. Restart immediately to install the updates.
 2. Schedule the installation.
 3. Snooze (the device will attempt to install outside of active hours).
 In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
 :::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience" lightbox="../media/windows-feature-typical-update-experience.png":::
 ### Feature update deadline forces an update
 The following example builds on the scenario outlined in the typical user experience, but the user ignores the notification and selects snooze. Further notifications are received, which the user ignores. The device is also unable to install the updates outside of active hours.
 The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
 :::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update" lightbox="../media/windows-feature-force-update.png":::
 ### Feature update grace period
 In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on.
 The grace period to install the update and restart depends on the deployment ring the device is assigned to:
 | Deployment ring | Grace period (in days) |
 | ----- | ----- |
 | Test | Zero days |
 | First | Two days |
 | Fast | Two days |
 | Broad | Two days |
 The user will be notified of a pending installation and given options to choose from. Once the grace period has expired, the user is forced to restart with a 15-minute warning notification.
 :::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png":::
 ## Servicing window
 Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies:
 | Policy | Description |
 | ----- | ----- |
 | [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. |
 | [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
 > [!IMPORTANT]
 > Both policies must be deployed for them to work as expected.
 A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible.
 > [!IMPORTANT]
 > If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management: <ul><li>[Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)</li><li>[Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)</li><li>[Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)</li><li>[Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)</li><li>[Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)</li><li>[Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)</li><li>[Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)</li></ul>
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@ -1,119 +0,0 @@
 ---
 title: Windows feature updates
 description: This article explains how Windows feature updates are managed in Autopatch
 ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: andredm7
 ms.collection:
  - highpri
  - tier1
 ---
 # Windows feature updates
 Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
 Windows feature updates consist of:
 - Keeping Windows devices protected against behavioral issues.
 - Providing new features to boost end-user productivity.
 Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
 ## Enforcing a minimum Windows OS version
 Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each of the four deployment rings have its Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
 The policies:
 - Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**.
 - Set a bare minimum Windows OS version required by the service once devices are registered with the service.
 If a device is registered with Windows Autopatch, and the device is:
 - Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria.
 - On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device.
 > [!IMPORTANT]
 > Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
 ## Windows feature update policy configuration
 If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal:
 | Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
 | Windows Autopatch – DSS Policy [Test] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM |
 | Windows Autopatch – DSS Policy [First] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM |
 | Windows Autopatch – DSS Policy [Fast] | Windows 10 20H2 | Make update available as soon as possible | 12/14/2022 | 12/21/2022 | 1 | 5/8/2023, 7:00PM |
 | Windows Autopatch – DSS Policy [Broad] | Windows 10 20H2 | Make update available as soon as possible | 12/15/2022 | 12/29/2022 | 1 | 5/8/2023, 7:00PM |
 > [!IMPORTANT]
 > If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy).
 > [!NOTE]
 > The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:<ul><li>**Modern Workplace DSS Policy [Test]**</li><li>**Modern Workplace DSS Policy [First]**</li><li>**Modern Workplace DSS Policy [Fast]**</li><li>**Modern Workplace DSS Policy [Broad]**</li><p>Since the new Windows feature update policies that set the minimum Windows 10 OS version are already in place, the Modern Workplace DSS policies can be safely removed from your tenant.</p>
 ## Test Windows 11 feature updates
 You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows:
 | Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
 | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
 | Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM |
 > [!IMPORTANT]
 > Windows Autopatch neither applies its deployment ring distribution, nor configures the [Windows Update for Business gradual rollout settings](/mem/intune/protect/windows-update-rollout-options) in the **Modern Workplace DSS Policy [Windows 11]** policy.<p>Once devices are added to the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, the devices can be offered the Windows 11 22H2 feature update at the same time.</p>
 ## Manage Windows feature update deployments
 Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release).
 Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it.
 ## Release management
 > [!NOTE]
 > To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
 ### Pausing and resuming a release
 > [!CAUTION]
 > You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 > [!IMPORTANT]
 > Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
 **To pause or resume a Windows feature update:**
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Release management**.
 4. In the **Release management** blade, select either: **Pause** or **Resume**.
 5. Select the update type you would like to pause or resume.
 6. Select a reason from the dropdown menu.
 7. Optional. Enter details about why you're pausing or resuming the selected update.
 8. If you're resuming an update, you can select one or more deployment rings.
 9. Select **Okay**.
 If you've paused an update, the specified release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update.
 > [!NOTE]
 > The **Service Pause** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
 ## Rollback
 Windows Autopatch doesn’t support the rollback of Windows feature updates.
 > [!CAUTION]
 > You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 ## Contact support
 If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md).
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
@ -1,43 +0,0 @@
 ---
 title: All devices report—historical
 description: Provides a visual representation of the update status trend for all devices over the last 90 days.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: adnich
 ms.collection:
  - highpri
  - tier1
 ---
 # All devices report—historical
 The historical All devices report provides a visual representation of the update status trend for all devices over the last 90 days.
 **To view the historical All devices report:**
 1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **All devices report—historical**.
 :::image type="content" source="../media/windows-autopatch-all-devices-historical-report.png" alt-text="All devices—historical report" lightbox="../media/windows-autopatch-all-devices-historical-report.png":::
 > [!NOTE]
 > This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
 ## Report options
 The following options are available:
 | Option | Description |
 | ----- | ----- |
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
 For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
@ -1,59 +0,0 @@
 ---
 title: All devices report
 description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: adnich
 ms.collection:
  - highpri
  - tier1
 ---
 # All devices report
 The All devices report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
 **To view the All devices report:**
 1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **All devices report**.
 :::image type="content" source="../media/windows-autopatch-all-devices-report.png" alt-text="All devices report" lightbox="../media/windows-autopatch-all-devices-report.png":::
 > [!NOTE]
 > The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
 ## Report information
 The following information is available in the All devices report:
 | Column name | Description |
 | ----- | ----- |
 | Device name | The name of the device. |
 | Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. |
 | Serial number | The current Intune recorded serial number for the device. |
 | Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
 | Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)). |
 | Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)) |
 | OS version | The current version of Windows installed on the device. |
 | OS revision | The current revision of Windows installed on the device. |
 | Intune last check in time | The last time the device checked in to Intune. |
 ## Report options
 The following options are available:
 | Option | Description |
 | ----- | ----- |
 | Search | Use to search by device name, Azure AD device ID or serial number |
 | Sort | Select the **column headings** to sort the report data in ascending and descending order. |
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate report**. |
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
@ -1,68 +0,0 @@
 ---
 title: Windows quality update communications
 description: This article explains Windows quality update communications
 ms.date: 03/30/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: hathind
 ms.collection:
  - highpri
  - tier1
 ---
 # Windows quality update communications
 There are three categories of communication that are sent out during a Windows quality and feature update:
 - [Standard communications](#standard-communications)
 - [Communications during release](#communications-during-release)
 - [Incident communications](#incident-communications)
 Communications are posted to, as appropriate for the type of communication, to the:
 - Message center
 - Service health dashboard
 - Windows Autopatch messages section of the Microsoft Intune admin center 
 :::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
 ## Standard communications
 | Communication | Location | Timing | Description |
 | ----- | ----- |  ----- | ----- |
 | Release schedule | <ul><li>Messages blade</li><li>Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><ul> | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. |
 | Release start | Same as release schedule | The second Tuesday of every month. | Notification that the update is now being released into your environment. |
 | Release summary | Same as release schedule | The fourth Tuesday of every month. | Informs you of the percentage of eligible devices that were patched during the release. |
 ### Opt out of receiving emails for standard communications
 > [!IMPORTANT]
 > This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
 If you don't want to receive standard communications for Windows Updates releases via email, you can choose to opt out.
 **To opt out of receiving emails for standard communications:**
 1. Go to the **[Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)**.
 2. Go to **Windows Autopatch** > **Tenant administration** > select **Admin contacts**.
 3. Select the admin contact you want to opt out for.
 4. Select **Edit Contact**.
 5. Clear the **Send me emails for Windows update releases and status** checkbox in the fly-in pane.
 6. Select **Save** to apply the changes.
 ## Communications during release
 The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
 There are some circumstances where Autopatch will need to change the release schedule based on new information.
 For example, new threat intelligence may require us to expedite a release, or we may pause due to user experience concerns. If the schedule of a quality update is changed, paused, resumed, or expedited, we'll inform you as quickly as possible so that you can adapt to the new information.
 ## Incident communications
 Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity, and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
@ -1,43 +0,0 @@
 ---
 title: Eligible devices report—historical
 description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: adnich
 ms.collection:
  - highpri
  - tier1
 ---
 # Eligible devices report—historical
 The historical Eligible devices report provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
 **To view the historical Eligible devices report:**
 1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **Eligible devices report—historical**.
 :::image type="content" source="../media/windows-autopatch-eligible-devices-historical-report.png" alt-text="Eligible devices—historical report" lightbox="../media/windows-autopatch-eligible-devices-historical-report.png":::
 > [!NOTE]
 > This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
 ## Report options
 The following options are available:
 | Option | Description |
 | ----- | ----- |
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
 For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
@ -1,82 +0,0 @@
 ---
 title: Windows quality update end user experience
 description: This article explains the Windows quality update end user experience
 ms.date: 05/30/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: hathind
 ms.collection:
  - highpri
  - tier1
 ---
 # Windows quality update end user experience
 Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing restarts during business hours.
 ## User notifications  
 In this section we'll review what an end user would see in the following three scenarios:
 1. Typical update experience
 2. Quality update deadline forces an update
 3. Quality update grace period
 > [!NOTE]
 > The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification.
 ### Typical update experience
 The Windows 10 quality update is published and devices in the Broad ring have a deferral period of nine days. Devices will wait nine days before downloading the latest quality update.
 Once the deferral period has passed, the device will download the update and notify the end user that updates are ready to install. The end user can either:
 - Restart immediately to install the updates
 - Schedule the installation, or
 - Snooze (the device will attempt to install outside of [active hours](#servicing-window).
 In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
 :::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png":::
 ### Quality update deadline forces an update
 In the following example, the user:
 - Ignores the notification and selects snooze.
 - Further notifications are received, which the user ignores.
 - The device is unable to install the updates outside of active hours.
 The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
 :::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png":::
 ### Quality update grace period
 In the following example, the user is on holiday and the device is offline beyond the quality update deadline. The user then returns to work and the device is turned back on.
 Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.  
 :::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png":::
 ## Servicing window
 Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies:
 | Policy | Description |
 | ----- | ----- |
 | [Active hours start](/windows/client-management/mdm/policy-csp-update#activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. |
 | [Active hours end](/windows/client-management/mdm/policy-csp-update#activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
 > [!IMPORTANT]
 > Both policies must be deployed for them to work as expected.
 A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible.
 > [!IMPORTANT]
 > If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Selecting specific dates to update devices would disrupt the rollout schedule, and prevent Windows Autopatch from delivering the [service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective). The use of any of the following CSPs on a managed device will render it ineligible for the service level objective:<ul><li>[Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#scheduledinstallday)</li><li>[Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstalleveryweek)</li><li>[Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfirstweek)</li><li>[Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallfourthweek)</li><li>[Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallsecondweek)</li><li>[Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#scheduledinstallthirdweek)</li><li>[Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#scheduledinstalltime)</li></ul>
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
@ -1,46 +0,0 @@
 ---
 title: Ineligible devices report—historical
 description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: adnich
 ms.collection:
  - highpri
  - tier1
 ---
 # Ineligible devices report—historical
 The historical Ineligible devices report provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
 > [!NOTE]
 > Devices must have at least six hours of usage, with at least two hours being continuous. You may see an increase in the number of ineligible devices when the widget refreshes every second Tuesday of each month.
 **To view the historical Ineligible devices report:**
 1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 1. Select the **Reports** tab.
 1. Select **Ineligible devices report—historical**.
 :::image type="content" source="../media/windows-autopatch-ineligible-devices-historical-report.png" alt-text="Ineligible devices—historical report" lightbox="../media/windows-autopatch-ineligible-devices-historical-report.png":::
 > [!NOTE]
 > This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
 ## Report options
 The following options are available:
 | Option | Description |
 | ----- | ----- |
 | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
 | Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
 For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@ -1,155 +0,0 @@
 ---
 title: Windows quality updates
 description: This article explains how Windows quality updates are managed in Autopatch
 ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: andredm7
 ms.collection:
  - highpri
  - tier1
 ---
 # Windows quality updates
 ## Service level objective
 Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release.
 ## Device eligibility
 For a device to be eligible for Windows quality updates as a part of Windows Autopatch they must meet the following criteria:
 | Criteria | Description |
 | ----- | ----- |
 | Activity | Devices must have at least six hours of usage, with at least two hours being continuous. |
 | Intune sync | Devices must have checked with Intune within the last five days. |
 | Storage space | Devices must have more than one GB (GigaBytes) of free storage space. |
 | Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
 | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
 | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
 | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
 | Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
 > [!IMPORTANT]
 > Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
 ## Windows quality update releases
 Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
 To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates:
 | Policy | Description |
 | ----- | ----- |
 | [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. |
 | [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays)    | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
 | [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
 > [!IMPORTANT]
 > Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed.  These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
 Windows Autopatch configures these policies differently across deployment rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
 :::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png":::
 ## Release management
 > [!NOTE]
 > To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
 In the Release management blade, you can:
 - Track the [Windows quality update schedule](#release-schedule) for devices in the [four deployment rings](windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
 - [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases).
 - Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases).
 ### Release schedule
 For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains:
 - The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
 - The date the update is available.
 - The target completion date of the update.
 - In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pausing-and-resuming-a-release) a Windows quality update release.
 ### Expedited releases
 Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
 When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly.
 | Release type | Group | Deferral | Deadline | Grace period |
 | ----- | ----- | ----- | ----- | ----- |
 | Standard release | Test<p>First<p>Fast<p>Broad | 0<p>1<p>6<p>9 | 0<p>2<p>2<p>5 | 0<p>2<p>2<p>2 |
 | Expedited release | All devices | 0 | 1 | 1 |
 > [!IMPORTANT]
 > Expedited updates **don't** work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). For more information, see [expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates).
 #### Turn off service-driven expedited quality update releases
 Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
 By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Windows Autopatch-enrolled devices using Microsoft Intune.
 **To turn off service-driven expedited quality updates:**
 1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
 2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
 > [!NOTE]
 > Windows Autopatch doesn't allow customers to request expedited releases.
 ### Out of Band releases
 Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
 **To view deployed Out of Band quality updates:**
 1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
 2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.
 > [!NOTE]
 > Announcements will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
 ### Pausing and resuming a release
 > [!CAUTION]
 > You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
 If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release.
 > [!IMPORTANT]
 > Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
 **To pause or resume a Windows quality update:**
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Release management**.
 4. In the **Release management** blade, select either: **Pause** or **Resume**.
 5. Select the update type you would like to pause or resume.
 6. Select a reason from the dropdown menu.
 7. Optional. Enter details about why you're pausing or resuming the selected update.
 8. If you're resuming an update, you can select one or more deployment rings.
 9. Select **Okay**.
 The three following statuses are associated with paused quality updates:
 | Status | Description |
 | ----- | ------ |
 | Service Pause | If the Windows Autopatch service has paused an update, the release will have the **Service Pause** status. You must [submit a support request](../operate/windows-autopatch-support-request.md) to resume the update. |
 | Customer Pause | If you've paused an update, the release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite an IT admin's pause. You must select **Resume** to resume the update. |
 | Customer & Service Pause | If you and Windows Autopatch have both paused an update, the release will have the **Customer & Service Pause** status. If you resume the update, and the **Service Pause** status still remains, you must [submit a support request](../operate/windows-autopatch-support-request.md) for Windows Autopatch to resume the update deployment on your behalf. |
 ## Remediating Ineligible and/or Not up to Date devices
 To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can remediate [Ineligible Devices (Customer Actions)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#ineligible-devices-customer-action). In addition, the Windows Autopatch service may remediate [Not up to Date devices](../operate/windows-autopatch-windows-quality-update-reports-overview.md#not-up-to-date-microsoft-action) to bring them back into compliance.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
@ -1,113 +0,0 @@
 ---
 title: Windows quality update reports
 description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: adnich
 ms.collection:
  - highpri
  - tier1
 ---
 # Windows quality update reports
 The Windows quality update reports provide you information about:
 - Quality update device eligibility
 - Device update health
 - Device update trends  
 Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.  
 The report types are organized into the following focus areas:
 | Focus area | Description |
 | ----- | ----- |
 | Operational detail | <ul><li>[Summary dashboard](windows-autopatch-windows-quality-update-summary-dashboard.md): Provides the current update status summary for all devices.</li><li>[All devices report](windows-autopatch-windows-quality-update-all-devices-report.md): Provides the current update status of all devices at the device level.</li></ul> |
 | Device trends | <ul><li>[All devices report – historical](windows-autopatch-windows-quality-update-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.</li><li>[Eligible devices report – historical](windows-autopatch-windows-quality-update-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.</li><li>[Ineligible devices report – historical](windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices haven’t received quality updates over the last 90 days.</li></ul> |
 ## Who can access the reports?
 Users with the following permissions can access the reports:
 - Global Administrator
 - Intune Service Administrator
 - Administrators assigned to an Intune role with read permissions
 ## About data latency
 The data source for these reports is the [Windows diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours.
 ## Windows quality update statuses
 The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices:  
 - [Healthy devices](#healthy-devices)
 - [Not Up to Date (Microsoft Action)](#not-up-to-date-microsoft-action)
 - [Ineligible Devices (Customer Action)](#ineligible-devices-customer-action)
 Each status has its own set of sub statuses to further describe the status.
 ### Healthy devices
 Healthy devices are devices that meet all of the following prerequisites:
 - [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
 - [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration)
 - [Windows quality update device eligibility](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility)
 > [!NOTE]
 > Healthy devices will remain with the **In Progress** status for the 21-day service level objective period. Devices which are **Paused** are also considered healthy.
 | Sub status | Description |
 | ----- | ----- |
 | Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases). |
 | In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases). |
 | Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). |
 ### Not Up to Date (Microsoft Action)
 Not Up to Date means a device isn’t up to date when the:
 - Quality update is more than a month out of date, or the device is on last month’s quality update  
 - Device is more than 21 days overdue from the last release.
 > [!NOTE]
 > Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
 | Sub status | Description |
 | ----- | ----- |
 | No Heartbeat | The Windows Update service hasn’t been able to connect to this device. The service can’t offer the update to that device. |
 | Not Offered | The Windows Update service hasn’t offered the update to that device. |
 | Policy Blocking Update | This device has a policy that is blocking the update, such as a deferral or pause policy. Devices are only in this state after the 21-day threshold. |
 | In Progress—Stuck | This device has downloaded the update but is getting stuck in a loop during the install process. The update isn’t complete. |
 | Other | This device isn't up to date and isn’t reporting back data from the client. |
 ### Ineligible Devices (Customer Action)
 Customer Action refers to the responsibility of the designated customer IT administrator to carry out the appropriate action to resolve the reported device sub status.  
 Within each 24-hour reporting period, devices that are ineligible are updated with one of the following sub statuses.
 | Sub status | Description |
 | ----- | ----- |
 | Insufficient Usage | Devices must have at least six hours of usage, with at least two hours being continuous. |
 | Low Connectivity | Devices must have a steady internet connection, and access to [Windows update endpoints](../prepare/windows-autopatch-configure-network.md). |
 | Out of Disk Space | Devices must have more than one GB (GigaBytes) of free storage space. |
 | Not Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
 | Not On Supported Windows Edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
 | Not On Supported Windows Build | Devices must be on a Windows build supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
 | Intune Sync Older Than 5 Days | Devices must have checked in with Intune within the last five days. |
 ## Data export
 Select **Export devices** to export data for each report type.  
 > [!NOTE]
 > You can’t export Windows Autopatch report data using Microsoft Graph RESTful web API.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
@ -1,62 +0,0 @@
 ---
 title: Windows quality update release signals
 description: This article explains the Windows quality update release signals
 ms.date: 01/24/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: hathind
 ms.collection:
  - highpri
  - tier1
 ---
 # Windows quality update signals
 Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
 If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release.
 ## Pre-release signals
 Before being released to the Test ring, Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences.
 | Pre-release signal | Description |
 | ----- | ----- |
 | Windows Payload Review | The contents of the monthly security update release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-windows-quality-update-communications.md#communications-during-release) will be sent out. |
 | Optional non-security preview release review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous optional non-security preview release to understand potential risks in the monthly security update release. |
 | Optional non-security preview release review  - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the monthly security update release. |
 ## Early signals
 The update is released to the Test ring on the second Tuesday of the month. Those test devices will update, allowing you to conduct early testing of critical scenarios in your environment. There are also several new Microsoft internal signals that have become available to the service that are monitored throughout the release.
 | Device reliability signal | Description | Microsoft will |
 | ----- | ----- | ----- |
 | Security Risk Profile | As soon as the update is released, the criticality of the security content is assessed. | <ul><li>Consider expediting the release</li><li>Update customers with a risk profile</li></ul>
 | B-Release - Internal Signals | Windows Autopatch reviews any active incidents associated with the current release. | <ul><li>Determine if a customer advisory is necessary</li><li>Pause the release if there's significant user impact</li></ul> |
 | B-Release - Social Signals | Windows Autopatch monitors social signals to understand risks associated with the release. | Determine if a customer advisory is necessary |
 ## Device reliability signals
 Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
 The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version.
 As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update.
 Autopatch monitors the following reliability signals:
 | Device reliability signal | Description |
 | ----- | ----- |
 | Blue screens | These events are highly disruptive to end users. These events are closely monitored. |
 | Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
 | Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. |
 | Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
 | Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
 When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can detect regressions that are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
@ -1,47 +0,0 @@
 ---
 title: Summary dashboard
 description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
 ms.date: 12/01/2022
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: adnich
 ms.collection:
  - highpri
  - tier1
 ---
 # Summary dashboard
 The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
 **To view the current update status for all your enrolled devices:**
 1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
 :::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png":::
 > [!NOTE]
 > The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
 ## Report information
 The following information is available in the Summary dashboard:
 | Column name | Description |
 | ----- | ----- |
 | Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses). |
 | Devices | The number of devices showing as applicable for the state. |
 ## Report options
 The following option is available:
 | Option | Description |
 | ----- | ----- |
 | Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process will ensure that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
@ -1,124 +0,0 @@
 ---
 title: Customize Windows Update settings
 description: This article explains how to customize Windows Updates in Windows Autopatch
 ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: rekhanr
 ms.collection:
  - highpri
  - tier1
 ---
 # Customize Windows Update settings (public preview)
 > [!IMPORTANT]
 > This feature is in **public preview**. The feature is being actively developed, and may not be complete. You can test and use these features in production environments and provide feedback.
 You can customize the Windows Update deployment schedule for each deployment ring per your business and organizational needs. We recommend that you use the Windows Autopatch service default. However, you may have devices that need different schedules for updates deployment.
 When the deployment cadence is customized, Windows Autopatch will override our service defaults with your preferred deployment cadence. Depending on the selected options, devices with [customized schedules](#scheduled-install) may not count towards the Windows Autopatch [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
 ## Deployment cadence
 ### Cadence types
 For each tenant, at the deployment ring level, there are two cadence types to configure and manage your Windows Update deployments for all the devices in those deployment rings:
 - [Deadline-driven](#deadline-driven)
 - [Scheduled install](#scheduled-install)
 > [!NOTE]
 > Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update).
 #### Deadline-driven
 With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements.
 There are certain limits that Windows Autopatch defines and you'll only be able to make changes with those boundaries. The following boundaries are implemented so that Windows Autopatch can maintain update compliance.
 | Boundary | Description |
 | ----- | ----- |
 | Deferrals and deadlines | Windows Autopatch will enforce that deadline plus deferral days for a deployment ring to be less than or equal to 14 days. |
 | Grace period | The permitted customization range is zero to seven days. |
 > [!NOTE]
 > The configured grace period will apply to both Windows quality updates and Windows feature updates.
 Each deployment ring can be scheduled independent of the others, and there are no dependencies that the previous deployment ring must be scheduled before the next ring. Further, if the cadence type is set as **Deadline-driven**, the automatic update behavior setting, **Reset to default** in the Windows Update for Business policy, will be applied.
 It's possible for you to change the cadence from the Windows Autopatch Release management blade while update deployments are in progress. Windows Autopatch will abide by the principle to always respect your preferences over service-defined values.
 However, if an update has already started for a particular deployment ring, Windows Autopatch won't be able to change the cadence for that ring during that ongoing update cycle. The changes will only be effective in the next update cycle.
 #### Scheduled install
 > [!NOTE]
 >If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
 While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified. 
 If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update will complete its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option.
 > [!NOTE]
 > The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type.
 Devices **must** be active and available at the time when the device is scheduled for installation to ensure the optimal experience. If the device is consistently unavailable during the scheduled install time, the device can remain unprotected and unsecured, or the device may have the Windows Update scan and install during active hours.
 ##### Scheduled install types
 > [!NOTE]
 > For devices with **Active hours** configured, if the device is consistently unavailable, Windows will attempt to keep the devices up to date, including installation of updates during Active hours.<p>For Windows 10 devices, Windows Update can start 30 minutes prior to the specified install time. If the installation start time is specified at 2:00 AM, some of the devices may start the installation 30 mins prior.</p>
 The Scheduled install cadence has two options:
 | Option | Description |
 | ----- | ----- |
 | Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.<p>The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business will scan, install and restart the device.</p>
 | Schedule install and restart | Use this option to prevent the service from installing Windows Updates except during the specified start time. You can specify the following occurrence options:<ul><li>Weekly</li><li>Bi-weekly</li><li>Monthly</li></ul><p>Select a time when the device has low activity for the updates to complete. Ensure that the Windows Update has three to four hours to complete the installation and restart the device.</p> |
 > [!NOTE]
 > Changes made in one deployment ring won't impact other rings in your tenant.<p>Configured **Active hours** and **Scheduled install and restart** options will apply to both Windows quality updates and Windows feature updates.</p>
 ### User notifications
 In addition to the cadence type, you can also manage the end user notification settings. End users will receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings:
 - Not configured
 - Use the default Windows Update notifications
 - Turn off all notifications excluding restart warnings
 - Turn off all notifications including restart warnings
 For more information, see [Windows Update settings you can manage with Intune update ring policies for Windows 10/11 devices](/mem/intune/protect/windows-update-settings).
 ## Customize the Windows Update deployment cadence
 > [!IMPORTANT]
 > The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
 **To customize the Windows Update deployment cadence:**
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings** select **Customize Windows Update cadence (preview)**. The page lists the existing settings for each of the rings in the tenant.
 3. Select the **horizontal ellipses (…)** across each ring to manage the deployment cadence or notification settings.
 4. Select [**Manage deployment cadence**](#cadence-types) to customize Windows Update settings.
    1. Select one of the cadence types for the ring:
        1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option will enforce forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default".
        1. Select **Scheduled install** to opt-out of deadline-based forced restart.
            1. Select either **Active hours** or **Schedule install and restart time**.
    2. Select **Save**.
 5. Select **Manage notifications**. A fly-in pane opens.
    1. Select one of  following [Windows Update restart notifications](#user-notifications) for your devices that are part of the selected deployment ring. By default, Windows Autopatch recommends that you enable all notifications.
        1. Not configured
        1. Use the default Windows Update notifications
        1. Turn off all notifications excluding restart warnings
        1. Turn off all notifications included restart warnings
    1. Select **Save** once you select the preferred setting.
 6. Repeat the same process to customize each of the rings. Once done, select **Next**.
 7. In **Review + apply**, you’ll be able to review the selected settings for each of the rings.
 8. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings.
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@ -1,7 +1,7 @@
 ---
 title: Roles and responsibilities
 description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
-ms.date: 06/27/2023
+ms.date: 07/25/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@ -49,7 +49,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) | :heavy_check_mark: | :x: |
 | [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | :heavy_check_mark: | :x: |
 | [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) |  :heavy_check_mark: | :x: |
-| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices-using-the-classic-method) | :heavy_check_mark: | :x: |
+| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md) | :heavy_check_mark: | :x: |
 | [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
 | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: |
 | [Manually override device assignments to First, Fast & Broad deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: |
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md
@ -1,32 +0,0 @@
 ---
 title: Autopatch groups Public Preview Addendum
 description: Addendum for Windows Autopatch groups public preview
 ms.date: 05/01/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 ms.reviewer: andredm7
 ms.collection:
  - highpri
  - tier1
 ---
 # Windows Autopatch groups Public Preview Addendum
 **This is the Autopatch groups Public Preview Addendum ("Addendum") to the Microsoft Product Terms’ Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForallOnlineServices/all) (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
 For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows:
 Microsoft desires to preview the Autopatch groups service it is developing ("**Autopatch groups Preview**”) in order to evaluate it. Customer would like to particulate this Autopatch groups Preview under the Product Terms and this Addendum. Autopatch groups Preview consists of features and services that are in preview, beta, or other pre-release form. Autopatch groups Preview is subject to the "preview" terms set forth in the Product Terms’ Universal License Terms for Online Services.
 ## Definitions
 Capitalized terms used but not defined herein have the meanings given in the Product Terms.
 ## Data Handling
 Autopatch groups Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Autopatch groups Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Autopatch groups Preview apply to that data.
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 07/10/2023 
+ms.date: 07/25/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
--- a/windows/security/application-security/index.md
+++ b/windows/security/application-security/index.md
@ -1,12 +1,6 @@
 ---
 title: Windows application security
 description: Get an overview of application security in Windows
 ms.reviewer:
 manager: aaroncz
 ms.author: paoloma
 author: paolomatarazzo
 ms.prod: windows-client
 ms.technology: itpro-security
 ms.date: 03/09/2023
 ms.topic: article
 ---
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@ -2,7 +2,7 @@
 ms.date: 11/22/2022
 title: Access Control Overview
 description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
-ms.topic: article
+ms.topic: overview
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@ -2,7 +2,7 @@
 title: Windows Hello for Business cloud-only deployment
 description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario.
 ms.date: 06/23/2021
-ms.topic: article
+ms.topic: how-to
 ---
 # Cloud-only deployment
@ -10,7 +10,7 @@ ms.topic: article
 ## Introduction
-When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed.
+When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, there's no additional configuration needed.
 You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
@ -27,7 +27,7 @@ Also note that it's possible for federated domains to enable the *Supports MFA*
 Check and view this setting with the following MSOnline PowerShell command:
-`Get-MsolDomainFederationSettings –DomainName <your federated domain name>`
+`Get-MsolDomainFederationSettings -DomainName <your federated domain name>`
 To disable this setting, run the following command. This change impacts ALL Azure AD MFA scenarios for this federated domain.
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@ -2,7 +2,7 @@
 title: Windows Hello biometrics in the enterprise 
 description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
 ms.date: 01/12/2021
-ms.topic: article
+ms.topic: conceptual
 ---
 # Windows Hello biometrics in the enterprise
@ -72,11 +72,11 @@ To allow facial recognition, you must have devices with integrated special infra
 - Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
 > [!NOTE]
->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
+>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn't allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
 ### Iris recognition sensor requirements
-To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K.
+To use Iris authentication, you'll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K.
 ## Related topics
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@ -2,7 +2,7 @@
 title: Windows Hello for Business Deployment Overview
 description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
 ms.date: 02/15/2022
-ms.topic: article
+ms.topic: overview
 ---
 # Windows Hello for Business Deployment Overview
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@ -2,10 +2,9 @@
 title: Deploy certificates for remote desktop sign-in
 description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
 ms.collection: 
  - ContentEngagementFY23
  - tier1
-ms.topic: article
+ms.topic: how-to
-ms.date: 06/20/2023
+ms.date: 07/25/2023
 ---
 # Deploy certificates for remote desktop (RDP) sign-in
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@ -1,20 +1,17 @@
 ---
 title: Dual Enrollment
-description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
+description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
-ms.date: 09/09/2019
+ms.date: 07/05/2023
-ms.topic: article
+ms.topic: conceptual
 ---
 # Dual Enrollment
 **Requirements**
-* Hybrid and On-premises Windows Hello for Business deployments
+- Hybrid and On-premises Windows Hello for Business deployments
-* Enterprise joined or Hybrid Azure joined devices
+- Enterprise joined or Hybrid Azure joined devices
-* Certificate trust
+- Certificate trust
 > [!NOTE]
 > This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature.
 > [!IMPORTANT]
 > Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature.  Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users.  Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used.  Read [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
@ -65,14 +62,3 @@ You configure Windows 10 or Windows 11 to support dual enrollment using the comp
 5. Restart computers targeted by this Group Policy object.
 The computer is ready for dual enrollment.  Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the non-privileged user and enroll for Windows Hello for Business.  You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
 ## Related topics
 * [Windows Hello for Business](hello-identity-verification.md)
 * [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
 * [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 * [Windows Hello and password changes](hello-and-password-changes.md)
 * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 * [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@ -2,7 +2,7 @@
 title: Remote Desktop
 description: Learn how Windows Hello for Business supports using biometrics with remote desktop
 ms.date: 02/24/2021
-ms.topic: article
+ms.topic: conceptual
 ms.collection:
  - tier1
 ---
@ -10,6 +10,7 @@ ms.collection:
 # Remote Desktop
 **Requirements**
 - Hybrid and On-premises Windows Hello for Business deployments
 - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
@ -24,9 +25,8 @@ Microsoft continues to investigate supporting using keys trust for supplied cred
 - Hybrid and On-premises Windows Hello for Business deployments
 - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
 - Biometric enrollments
 - Windows 10, version 1809 or later
-Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture.  Windows 10, version 1809 or later introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture.  The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
+The ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric is on by default.
 ### How does it work
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@ -2,7 +2,7 @@
 ms.date: 07/05/2023
 title: Windows Hello for Business Deployment Prerequisite Overview
 description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
-ms.topic: article
+ms.topic: overview
 ms.collection:
 - tier1
 appliesto: 
--- a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
@ -1,7 +1,7 @@
 ---
 title: BCD settings and BitLocker 
 description: This article for IT professionals describes the BCD settings that are used by BitLocker.
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 11/08/2022
 ---
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml
@ -1,68 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker and Active Directory Domain Services (AD DS) FAQ
  description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure. 
  ms.collection:
    - highpri
    - tier1
  ms.topic: faq
  ms.date: 11/08/2022
 title: BitLocker and Active Directory Domain Services (AD DS) FAQ
 summary: |
 sections:
  - name: Ignored
    questions:
      - question: |
          What type of information is stored in AD DS?
        answer: |
          Stored information | Description
          -------------------|------------
          Hash of the TPM owner password | Beginning with Windows 10, the password hash isn't stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
          BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
          BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`. 
      - question: |
          What if BitLocker is enabled on a computer before the computer has joined the domain?
        answer: |
          If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.
          For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
          The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
          ```powershell
          $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
          $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
          Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
          BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
          ```
          > [!IMPORTANT]
          > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
      - question: |
          Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
        answer: |
          Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed.
          Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
      - question: |
          If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
        answer: |
          No. By design, BitLocker recovery password entries don't get deleted from AD DS. Therefore, multiple passwords might be seen for each drive. To identify the latest password, check the date on the object.
      - question: |
          What happens if the backup initially fails? Will BitLocker retry it?
        answer: |
          If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS.
          When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
          For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
          When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
@ -1,78 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker deployment and administration FAQ
  description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
  ms.topic: faq
  ms.date: 11/08/2022
 title: BitLocker frequently asked questions (FAQ)
 summary: |
 sections:
  - name: Ignored
    questions:
      - question: Can BitLocker deployment be automated in an enterprise environment?
        answer: |
          Yes, the deployment and configuration of both BitLocker and the TPM can be automated using either WMI or Windows PowerShell scripts. Which method is chosen to implement the automation depends on the environment. `Manage-bde.exe` can also be used to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps).
      - question: Can BitLocker encrypt more than just the operating system drive?
        answer: Yes.
      - question: Is there a noticeable performance impact when BitLocker is enabled on a computer?
        answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate.
      - question: How long will initial encryption take when BitLocker is turned on?
        answer: |
          Although BitLocker encryption occurs in the background while a user continues to work with the system remaining usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If encrypting large drives, encryption may want to be scheduled during times when the drive isn't being used.
          When BitLocker is enabled, BitLocker can also be set to encrypt the entire drive or just the used space on the drive. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
      - question: What happens if the computer is turned off during encryption or decryption?
        answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. BitLocker resuming encryption or decryption is true even if the power is suddenly unavailable.
      - question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
        answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
      - question: How can I prevent users on a network from storing data on an unencrypted drive?
        answer: |
          Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
          When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only.
      - question: What is Used Disk Space Only encryption?
        answer: |
          BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
      - question: What system changes would cause the integrity check on my operating system drive to fail?
        answer: |
          The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
          - Moving the BitLocker-protected drive into a new computer.
          - Installing a new motherboard with a new TPM.
          - Turning off, disabling, or clearing the TPM.
          - Changing any boot configuration settings.
          - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
      - question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
        answer: |
          Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. 
          For example: 
          - Changing the BIOS boot order to boot another drive in advance of the hard drive.
          - Adding or removing hardware, such as inserting a new card in the computer.
          - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
          In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. 
          The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
      - question: What can prevent BitLocker from binding to PCR 7?
        answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it has been disabled or the hardware doesn't support it.
      - question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
        answer: Yes, multiple hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive. If a backup operating system or data drive needs to be prepared in case of a disk failure, make sure that they were matched with the correct TPM. Different hard drives can also be configured for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
      - question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
        answer: Yes, if the drive is a data drive, it can be unlocked from the **BitLocker Drive Encryption** Control Panel item by using a password or smart card. If the data drive was configured for automatic unlock only, it will need to be unlocked by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
      - question: Why is **Turn BitLocker on** not available when I right-click a drive?
        answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted.
      - question: What type of disk configurations are supported by BitLocker?
        answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
@ -11,39 +11,39 @@ This article depicts the BitLocker deployment comparison chart.
 ## BitLocker deployment comparison chart
-| Requirements |Microsoft Intune  |Microsoft Configuration Manager  |Microsoft BitLocker Administration and Monitoring (MBAM) |
+| Requirements | Microsoft Intune | Microsoft Configuration Manager | Microsoft BitLocker Administration and Monitoring (MBAM) |
-|---------|---------|---------|---------|
+|--|--|--|--|
-|*Minimum client operating system version*     |Windows 11 and Windows 10    | Windows 11, Windows 10, and Windows 8.1  | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11      |
+| *Minimum client operating system version* | Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
-|*Supported Windows SKUs*    |    Enterprise, Pro, Education     |    Enterprise, Pro, Education     |     Enterprise    |
+| *Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
-|*Minimum Windows version*    |1909   |    None     |    None     |
+| *Minimum Windows version* | 1909 | None | None |
-|*Supported domain-joined status*    |     Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined    |   Active Directory-joined, hybrid Azure AD joined      |     Active Directory-joined    |
+| *Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined |
-|*Permissions required to manage policies*     |    Endpoint security manager or custom     |   Full administrator or custom      |     Domain Admin or Delegated GPO access    |
+| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
-|*Cloud or on premises*      |     Cloud    |  On premises     |    On premises     |
+| *Cloud or on premises* | Cloud | On premises | On premises |
-|Server components required?      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+| Server components required? |  | ✅ | ✅ |
-|*Additional agent required?*     |     No (device enrollment only)    |   Configuration Manager client      |     MBAM client    |
+| *Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
-|*Administrative plane*     | Microsoft Intune admin center        |    Configuration Manager console     |    Group Policy Management Console and MBAM sites     |
+| *Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
-|*Administrative portal installation required*     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+| *Administrative portal installation required* |  | ✅ | ✅ |
-|*Compliance reporting capabilities*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+| *Compliance reporting capabilities* | ✅ | ✅ | ✅ |
-|*Force encryption*     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+| *Force encryption* | ✅ | ✅ | ✅ |
-|*Encryption for storage cards (mobile)*      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |         |
+| *Encryption for storage cards (mobile)* | ✅ | ✅ |  |
-|*Allow recovery password*      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+| *Allow recovery password* | ✅ | ✅ | ✅ |
-|*Manage startup authentication*     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
+| *Manage startup authentication* | ✅ | ✅ | ✅ |
-|*Select cipher strength and algorithms for fixed drives*      |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+| *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ | ✅ |
-|*Select cipher strength and algorithms for removable drives*     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+| *Select cipher strength and algorithms for removable drives* | ✅ | ✅ | ✅ |
-|*Select cipher strength and algorithms for operating environment drives*     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+| *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ | ✅ |
-|*Standard recovery password storage location*     |     Azure AD or Active Directory    |     Configuration Manager site database    |    MBAM database     |
+| *Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
-|*Store recovery password for operating system and fixed drives to Azure AD or Active Directory*     |    Yes (Active Directory and Azure AD)     | Yes (Active Directory only)      |   Yes (Active Directory only)      |
+| *Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
-|*Customize preboot message and recovery link*     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::         | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+| *Customize preboot message and recovery link* | ✅ | ✅ | ✅ |
-|*Allow/deny key file creation*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+| *Allow/deny key file creation* | ✅ | ✅ | ✅ |
-|*Deny Write permission to unprotected drives*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+| *Deny Write permission to unprotected drives* | ✅ | ✅ | ✅ |
-|*Can be administered outside company network*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |         |
+| *Can be administered outside company network* | ✅ | ✅ |  |
-|*Support for organization unique IDs*     |         |      :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
+| *Support for organization unique IDs* |  | ✅ | ✅ |
-|*Self-service recovery*      |    Yes (through Azure AD or Company Portal app)     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+| *Self-service recovery* | Yes (through Azure AD or Company Portal app) | ✅ | ✅ |
-|*Recovery password rotation for fixed and operating environment drives*     |   Yes (Windows 10, version 1909 and later)     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+| *Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | ✅ | ✅ |
-|*Wait to complete encryption until recovery information is backed up to Azure AD*      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |       |        |
+| *Wait to complete encryption until recovery information is backed up to Azure AD* | ✅ |  |  |
-|*Wait to complete encryption until recovery information is backed up to Active Directory*      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+| *Wait to complete encryption until recovery information is backed up to Active Directory* |  | ✅ | ✅ |
-|*Allow or deny Data Recovery Agent*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+| *Allow or deny Data Recovery Agent* | ✅ | ✅ | ✅ |
-|*Unlock a volume using certificate with custom object identifier*     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
+| *Unlock a volume using certificate with custom object identifier* |  | ✅ | ✅ |
-|*Prevent memory overwrite on restart*    |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+| *Prevent memory overwrite on restart* |  | ✅ | ✅ |
-|*Configure custom Trusted Platform Module Platform Configuration Register profiles*     |         |       | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
+| *Configure custom Trusted Platform Module Platform Configuration Register profiles* |  |  | ✅ |
-|*Manage auto-unlock functionality*     |         |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
+| *Manage auto-unlock functionality* |  | ✅ | ✅ |
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@ -1,38 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker FAQ (Windows 10)
  description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
  ms.collection:
    - highpri
    - tier1
  ms.topic: faq
  ms.date: 11/08/2022
 title: BitLocker frequently asked questions (FAQ) resources
 summary: This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
  - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
  - [Upgrading](bitlocker-upgrading-faq.yml)
  - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
  - [Key management](bitlocker-key-management-faq.yml)
  - [BitLocker To Go](bitlocker-to-go-faq.yml)
  - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
  - [Security](bitlocker-security-faq.yml)
  - [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml)
  - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml)
 sections:
  - name: Ignored
    questions:
      - question: |
          More information
        answer: |
          - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
          - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
          - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
          - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
          - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
          - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
          - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
          - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
@ -4,7 +4,7 @@ description: This article for IT professionals describes the function, location,
 ms.collection: 
  - highpri
  - tier1
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 11/08/2022
 ---
@ -1323,6 +1323,6 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Mod
 - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
 - [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
+- [BitLocker frequently asked questions (FAQ)](faq.yml)
 - [BitLocker overview](index.md)
 - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@ -97,6 +97,6 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie
 ## Related articles
 - [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
+- [BitLocker frequently asked questions (FAQ)](faq.yml)
 - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
 - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@ -449,5 +449,5 @@ Follow these steps to configure Network Unlock on these older systems.
 ## Related articles
 - [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
+- [BitLocker frequently asked questions (FAQ)](faq.yml)
 - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml
@ -1,108 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker Key Management FAQ (Windows 10)
  description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
  ms.topic: faq
  ms.date: 11/08/2022
 title: BitLocker Key Management FAQ
 summary: |  
 sections:
  - name: Ignored
    questions:
      - question: How can I authenticate or unlock my removable data drive?
        answer: |
          Removable data drives can be unlocked using a password or a smart card. An SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`:
          ```cmd
          Manage-bde.exe -protectors -add e: -sid <i>domain\username</i></code>
          ```
      - question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
        answer: |
          For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). 
      - question: How can the recovery password and recovery key be stored?
        answer: |
          The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed.
          For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive.
          A domain administrator can also configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
      - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
        answer: |
          The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
          ```cmd
          manage-bde.exe -protectors -delete %systemdrive% -type tpm
          manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>
          ```
      - question: When should an additional method of authentication be considered?
        answer: |
          New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack. 
          For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#allow-enhanced-pins-for-startup) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers. 
      - question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
        answer: |
          BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
          > [!IMPORTANT]
          > Store the recovery information in AD DS, along with in a Microsoft Account, or another safe location.
      - question: Can the USB flash drive that is used as the startup key also be used to store the recovery key?
        answer: While using a USB flash drive as both the startup key and for storage of the recovery key is technically possible, it isn't a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains the startup key is lost or stolen, the recovery key will also be lost. In addition, inserting this key would cause the computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
      - question: Can I save the startup key on multiple USB flash drives?
        answer: Yes, computer's startup key can be saved on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide the options to save the recovery keys on additional USB flash drives as needed.
      - question: Can I save multiple (different) startup keys on the same USB flash drive?
        answer: Yes, BitLocker startup keys for different  computers can be saved on the same USB flash drive.
      - question: Can I generate multiple (different) startup keys for the same computer?
        answer: Generating different startup keys for the same computer can be done through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
      - question: Can I generate multiple PIN combinations?
        answer: Generating multiple PIN combinations can't be done.
      - question: What encryption keys are used in BitLocker? How do they work together?
        answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on the authentication (that is, key protectors or TPM) and recovery scenarios.
      - question: Where are the encryption keys stored?
        answer: |
          The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
          This storage process ensures that the volume master key is never stored unencrypted and is protected unless BitLocker is disabled. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
      - question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
        answer: |
          The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 aren't usable in the pre-boot environment on all keyboards.
          When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
      - question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
        answer: |
          It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer.
          The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks.
          After the TPM's manufacturer has been determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
      - question: How can I determine the manufacturer of my TPM?
        answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
      - question: How can I evaluate a TPM's dictionary attack mitigation mechanism?
        answer: |
          The following questions can assist when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
          - How many failed authorization attempts can occur before lockout?
          - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
          - What actions can cause the failure count and lockout duration to be decreased or reset?
      - question: Can PIN length and complexity be managed with Group Policy?
        answer: |
          Yes and No. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, PIN complexity can't be required via Group Policy.
          For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
@ -89,7 +89,7 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi
 ## Related Articles
- [BitLocker: FAQs](bitlocker-frequently-asked-questions.yml)
+- [BitLocker: FAQs](faq.yml)
 - [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
 - [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
 - [BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md)
@ -104,11 +104,10 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi
 - [Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/)
 - [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features)
 - [How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)*
- [BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)  
+- [How to deploy BitLocker on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)  
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
+- [How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
 - [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
 ### PowerShell
 - [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
 - [Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/)
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml
@ -1,24 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker Network Unlock FAQ (Windows 10)
  description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
  ms.topic: faq
  ms.date: 11/08/2022
 title: BitLocker Network Unlock FAQ
 summary: |
 sections:
  - name: Ignored
    questions:
      - question: |
          BitLocker Network Unlock FAQ
        answer: |  
          BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
          To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it.
          BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before it can be used.
          Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network.
          For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@ -1,67 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker overview and requirements FAQ (Windows 10)
  description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker.
  ms.collection:
    - highpri
    - tier1
  ms.topic: faq
  ms.date: 11/08/2022
 title: BitLocker Overview and Requirements FAQ
 summary: |  
 sections:
  - name: Ignored
    questions:
      - question: How does BitLocker work?
        answer: |
          **How BitLocker works with operating system drives**
          BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
          **How BitLocker works with fixed and removable data drives**
          BitLocker can be used to encrypt the entire contents of a data drive. Group Policy can be used to require BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with various unlock methods for data drives, and a data drive supports multiple unlock methods.
      - question: Does BitLocker support multifactor authentication?
        answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection.
      - question: What are the BitLocker hardware and software requirements?
        answer: |
          For requirements, see [System requirements](index.md#system-requirements).
          > [!NOTE]
          > Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.
      - question: Why are two partitions required? Why does the system drive have to be so large?
        answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
      - question: Which Trusted Platform Modules (TPMs) does BitLocker support?
        answer: |
          BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. 
          > [!NOTE]
          > TPM 2.0 isn't supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.
          > 
          > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI.
      - question: How can I tell if a computer has a TPM?
        answer: Beginning with Windows 10, version 1803, the TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** can also be run in PowerShell to get more details about the TPM on the current computer.
      - question: Can I use BitLocker on an operating system drive without a TPM?
        answer: |
          Yes, BitLocker can be enabled on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide.
          To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
      - question: How do I obtain BIOS support for the TPM on my computer?
        answer: |
          Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
          - It's compliant with the TCG standards for a client computer.
          - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
      - question: What credentials are required to use BitLocker?
        answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
      - question: What is the recommended boot order for computers that are going to be BitLocker-protected?
        answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked. 
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml
@ -1,34 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker Security FAQ
  description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
  ms.topic: faq
  ms.date: 11/08/2022
 title: BitLocker Security FAQ
 summary: |
 sections:
  - name: Ignored
    questions:
      - question: |
          What form of encryption does BitLocker use? Is it configurable?
        answer: |
          BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
      - question: |
          What is the best practice for using BitLocker on an operating system drive?
        answer: |
          The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer can't start the computer.
      - question: |
          What are the implications of using the sleep or hibernate power management options?
        answer: |
          BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). 
      - question: |
          What are the advantages of a TPM?
        answer: |
          Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually aren't as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
          > [!NOTE]
          > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml
@ -1,24 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker To Go FAQ
  description: "Learn more about BitLocker To Go"
  ms.topic: faq
  ms.date: 11/08/2022
 title: BitLocker To Go FAQ
 summary: |  
 sections:
  - name: Ignored
    questions:
      - question: What is BitLocker To Go?
        answer: |
          BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of: 
          - USB flash drives
          - SD cards
          - External hard disk drives
          - Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. 
          Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
          As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml
@ -1,39 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker Upgrading FAQ
  description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
  ms.topic: faq
  ms.date: 11/08/2022
 title: BitLocker Upgrading FAQ
 summary: |  
 sections:
  - name: Ignored
    questions:
      - question: |
          Can I upgrade to Windows 10 with BitLocker enabled?
        answer: |
          Yes. 
      - question: |
          What is the difference between suspending and decrypting BitLocker?
        answer: |
          **Decrypt** completely removes BitLocker protection and fully decrypts the drive.
          **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
      - question: |
          Do I have to suspend BitLocker protection to download and install system updates and upgrades?
        answer: |
          No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). 
          Users need to suspend BitLocker for Non-Microsoft software updates, such as:   
          -	Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection.
          -	Non-Microsoft application updates that modify the UEFI\BIOS configuration.
          -	Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
          -	Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates).
           -	BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**.
          > [!NOTE]
          > If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@ -1,26 +1,17 @@
 ---
-title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker 
+title: How to use the BitLocker drive encryption tools to manage BitLocker 
-description: This article for the IT professional describes how to use tools to manage BitLocker.
+description: Learn how to use tools to manage BitLocker.
 ms.collection: 
  - highpri
  - tier1
-ms.topic: conceptual
+ms.topic: how-to
-ms.date: 11/08/2022
+ms.date: 07/25/2023
 ---
-# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
+# How to use the BitLocker drive encryption tools to manage BitLocker
-This article for the IT professional describes how to use tools to manage BitLocker.
+BitLocker drive encryption tools include the command-line tools *manage-bde.exe*, *repair-bde.exe*, and the cmdlets for Windows PowerShell.
-BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
+The tools can be used to perform any tasks that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
 Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
 Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console.
 1. [Manage-bde](#manage-bde)
 2. [Repair-bde](#repair-bde)
 3. [BitLocker cmdlets for Windows PowerShell](#bitlocker-cmdlets-for-windows-powershell)
 ## Manage-bde
@ -87,26 +78,24 @@ manage-bde.exe -protectors -add -pw C:
 manage-bde.exe -on C:
 ```
-## Repair-bde
+## BitLocker Repair Tool
 Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly.
-The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted with BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. This key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With this key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package will work only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS.
+The BitLocker Repair Tool (*repair-bde.exe*) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console.
 The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. The key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS.
 > [!TIP]
-> If recovery information is not being backed up to AD DS or if key packages need to be saved in an alternative way, the command:
+> If recovery information is not backed up to AD DS or if key packages need to be saved in an alternative way, use the following command to generate a key package for a volume:
 >
 > `manage-bde.exe -KeyPackage`
 >
 > can be used to generate a key package for a volume.
-The Repair-bde command-line tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde if the following conditions are true:
+The Repair Tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde in the following conditions:
- The drive has been encrypted using BitLocker Drive Encryption.
+- The drive is encrypted using BitLocker Drive Encryption
-
+- Windows doesn't start, or the BitLocker recovery console can't start
- Windows doesn't start, or the BitLocker recovery console can't be started.
+- There isn't a backup copy of the data that is contained on the encrypted drive
 - There isn't a backup copy of the data that is contained on the encrypted drive.
 > [!NOTE]
 > Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
@ -233,7 +222,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-
 ## Related articles
 - [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
+- [BitLocker frequently asked questions (FAQ)](faq.yml)
 - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
 - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
 - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@ -1,65 +1,45 @@
 ---
-title: BitLocker Use BitLocker Recovery Password Viewer 
+title: How to use BitLocker Recovery Password Viewer 
-description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
+description: Learn how to use the BitLocker Recovery Password Viewer tool.
 ms.collection: 
  - highpri
  - tier1
-ms.topic: conceptual
+ms.topic: how-to
-ms.date: 11/08/2022
+ms.date: 07/25/2023
 ---
-# BitLocker: Use BitLocker Recovery Password Viewer
+# How to use BitLocker Recovery Password Viewer
-**Applies to:**
+BitLocker Recovery Password Viewer is an optional tool included with the *Remote Server Administration Tools (RSAT)*. With Recovery Password Viewer you can view the BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). The tool is an extension for the *Active Directory Users and Computers Microsoft Management Console (MMC)* snap-in.
- Windows 10
+With BitLocker Recovery Password Viewer you can:
 - Windows 11
 - Windows Server 2016 and above
-This article describes how to use the BitLocker Recovery Password Viewer.
+- Check the Active Directory computer object's properties to find the associated BitLocker recovery passwords
 - Search Active Directory for BitLocker recovery password across all the domains in the Active Directory forest. Passwords can also be searched by password identifier (ID)
-The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS) be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords.
+## Requirements
 Additionally a domain container can be searched for BitLocker recovery password across all the domains in the Active Directory forest via a right-click. Passwords can also be searched by password identifier (ID).
 ## Before starting
 To complete the procedures in this scenario, the following requirements must be met:
- Domain administrator credentials.
+- Domain administrator credentials
- Test computers must be joined to the domain.
+- Devices must be joined to the domain
- On the domain-joined test computers, BitLocker must have been turned on.
+- On the domain-joined devices, BitLocker must be enabled
 The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
-### To view the recovery passwords for a computer
+## View the recovery passwords for a computer object
-1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located.
+1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located
 1. Right-click the computer object and select **Properties**
 1. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer
-2. Right-click the computer object, and then select **Properties**.
+## Copy the recovery passwords for a computer object
-3. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer.
+1. Follow the steps in the previous procedure to view the BitLocker recovery passwords
 1. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details**
 1. Press <kbd>CTRL</kbd>+<kbd>V</kbd> to paste the copied text to a destination location, such as a text file or spreadsheet
-### To copy the recovery passwords for a computer
+## Locate a recovery password by using a password ID
-1. Follow the steps in the previous procedure to view the BitLocker recovery passwords.
+1. In Active Directory Users and Computers, right-click the domain container and select **Find BitLocker Recovery Password**
-
+1. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and select **Search**
-2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details**.
+1. Once the recovery password is located, you can use the previous procedure to copy it
 3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.
 ### To locate a recovery password by using a password ID
 1. In Active Directory Users and Computers, right-click the domain container, and then select **Find BitLocker Recovery Password**.
 2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then select **Search**.
 By completing the procedures in this scenario, the recovery passwords for a computer have been viewed and copied and a password ID was used to locate a recovery password.
 ## Related articles
 - [BitLocker Overview](index.md)
 - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
 - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
 - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
 - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
@ -1,109 +0,0 @@
 ### YamlMime:FAQ
 metadata:
  title: Using BitLocker with other programs FAQ
  description: Learn how to integrate BitLocker with other software on a device.
  ms.topic: faq
  ms.date: 11/08/2022
 title: Using BitLocker with other programs FAQ
 summary: |
 sections:
  - name: Ignored
    questions:
      - question: |
          Can I use EFS with BitLocker?
        answer: |
          Yes, Encrypting File System (EFS) can be used to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. EFS can also be used in Windows to encrypt files on other drives that aren't encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
      - question: |
          Can I run a kernel debugger with BitLocker?
        answer: |
          Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If debugging needs to be turned on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting the computer into recovery mode.
      - question: |
          How does BitLocker handle memory dumps?
        answer: |
          BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
      - question: |
          Can BitLocker support smart cards for pre-boot authentication?
        answer: |
          BitLocker doesn't support smart cards for pre-boot authentication. There's no single industry standard for smart card support in the firmware, and most computers either don't implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
      - question: |
          Can I use a non-Microsoft TPM driver?
        answer: |
          Microsoft doesn't support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM isn't present on the computer and not allow the TPM to be used with BitLocker.
      - question: |
          Can other tools that manage or modify the master boot record work with BitLocker?
        answer: |
          We don't recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for several security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally and complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
      - question: |
          Why is the system check failing when I'm encrypting my operating system drive?
        answer: |
          The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
          - The computer's BIOS or UEFI firmware can't read USB flash drives.
          - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled.
          - There are multiple USB flash drives inserted into the computer.
          - The PIN wasn't entered correctly.
          - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment.
          - The startup key was removed before the computer finished rebooting.
          - The TPM has malfunctioned and fails to unseal the keys.
      - question: |
          What can I do if the recovery key on my USB flash drive can't be read?
        answer: |
          Some computers can't read USB flash drives in the pre-boot environment. First, check the BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it isn't enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings, and then try to read the recovery key from the USB flash drive again. If the USB flash drive still can't be read, the hard drive will need to be mounted as a data drive on another computer so that there's an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, a recovery password may need to be supplied or use the recovery information that was backed up to AD DS. Also, if the recovery key is being used in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
      - question: |
          Why am I unable to save my recovery key to my USB flash drive?
        answer: |
          The **Save to USB** option isn't shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
      - question: |
          Why am I unable to automatically unlock my drive?
        answer: |
          Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If a computer is being used that doesn't have a BitLocker-protected operating system drive, then the fixed drive can't be automatically unlocked. For removable data drives, automatic unlocking can be added by right-clicking the drive in Windows Explorer and selecting **Manage BitLocker**. Password or smart card credentials that were supplied when BitLocker was turned on can still be used to unlock the removable drive on other computers.
      - question: |
          Can I use BitLocker in Safe Mode?
        answer: |
          Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer isn't available in Safe Mode.
      - question: |
          How do I "lock" a data drive?
        answer: |
          Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the -lock command.
          > [!NOTE]
          > Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
          The syntax of this command is:
          ```cmd
          manage-bde.exe <driveletter> -lock
          ````
          Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
      - question: |
          Can I use BitLocker with the Volume Shadow Copy Service?
        answer: |
          Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If a hardware encrypted drive is being used, the shadow copies are retained.
      - question: |
          Does BitLocker support virtual hard disks (VHDs)?
        answer: |
          BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
          - With TPM: Yes, it's supported.
          - Without  TPM: Yes, it's supported (with password protector).
          BitLocker is also supported on data volume VHDs, such as those used by clusters, if running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
      - question: |
          Can I use BitLocker with virtual machines (VMs)?
        answer: |
          Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
--- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
@ -0,0 +1,476 @@
 ### YamlMime:FAQ
 metadata:
  title: BitLocker FAQ
  description: Learn more about BitLocker by reviewing the frequently asked questions. 
  ms.collection:
    - tier1
  ms.topic: faq
  ms.date: 07/25/2023
 title: BitLocker FAQ
 summary: Learn more about BitLocker by reviewing the frequently asked questions.
 sections:
 ### YamlMime:FAQ
  - name: Overview and requirements
    questions:
      - question: How does BitLocker work?
        answer: |
          **How BitLocker works with operating system drives**
          BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
          **How BitLocker works with fixed and removable data drives**
          BitLocker can be used to encrypt the entire contents of a data drive. Group Policy can be used to require BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with various unlock methods for data drives, and a data drive supports multiple unlock methods.
      - question: Does BitLocker support multifactor authentication?
        answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection.
      - question: What are the BitLocker hardware and software requirements?
        answer: |
          For requirements, see [System requirements](index.md#system-requirements).
          > [!NOTE]
          > Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.
      - question: Why are two partitions required? Why does the system drive have to be so large?
        answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
      - question: Which Trusted Platform Modules (TPMs) does BitLocker support?
        answer: |
          BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. 
          > [!NOTE]
          > TPM 2.0 isn't supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.
          > 
          > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI.
      - question: How can I tell if a computer has a TPM?
        answer: Beginning with Windows 10, version 1803, the TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** can also be run in PowerShell to get more details about the TPM on the current computer.
      - question: Can I use BitLocker on an operating system drive without a TPM?
        answer: |
          Yes, BitLocker can be enabled on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide.
          To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
      - question: How do I obtain BIOS support for the TPM on my computer?
        answer: |
          Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
          - It's compliant with the TCG standards for a client computer.
          - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
      - question: What credentials are required to use BitLocker?
        answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
      - question: What is the recommended boot order for computers that are going to be BitLocker-protected?
        answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked. 
  - name: BitLocker and Windows upgrade
    questions:
      - question: |
          Can I upgrade to Windows 10 with BitLocker enabled?
        answer: |
          Yes. 
      - question: |
          What is the difference between suspending and decrypting BitLocker?
        answer: |
          **Decrypt** completely removes BitLocker protection and fully decrypts the drive.
          **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
      - question: |
          Do I have to suspend BitLocker protection to download and install system updates and upgrades?
        answer: |
          No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). 
          Users need to suspend BitLocker for Non-Microsoft software updates, such as:   
          -	Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection.
          -	Non-Microsoft application updates that modify the UEFI\BIOS configuration.
          -	Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
          -	Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates).
           -	BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**.
          > [!NOTE]
          > If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
  - name: Deployment and administration
    questions:
      - question: Can BitLocker deployment be automated in an enterprise environment?
        answer: |
          Yes, the deployment and configuration of both BitLocker and the TPM can be automated using either WMI or Windows PowerShell scripts. Which method is chosen to implement the automation depends on the environment. `Manage-bde.exe` can also be used to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps).
      - question: Can BitLocker encrypt more than just the operating system drive?
        answer: Yes.
      - question: Is there a noticeable performance impact when BitLocker is enabled on a computer?
        answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate.
      - question: How long will initial encryption take when BitLocker is turned on?
        answer: |
          Although BitLocker encryption occurs in the background while a user continues to work with the system remaining usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If encrypting large drives, encryption may want to be scheduled during times when the drive isn't being used.
          When BitLocker is enabled, BitLocker can also be set to encrypt the entire drive or just the used space on the drive. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
      - question: What happens if the computer is turned off during encryption or decryption?
        answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. BitLocker resuming encryption or decryption is true even if the power is suddenly unavailable.
      - question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
        answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
      - question: How can I prevent users on a network from storing data on an unencrypted drive?
        answer: |
          Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
          When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only.
      - question: What is Used Disk Space Only encryption?
        answer: |
          BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
      - question: What system changes would cause the integrity check on my operating system drive to fail?
        answer: |
          The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
          - Moving the BitLocker-protected drive into a new computer.
          - Installing a new motherboard with a new TPM.
          - Turning off, disabling, or clearing the TPM.
          - Changing any boot configuration settings.
          - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
      - question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
        answer: |
          Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. 
          For example: 
          - Changing the BIOS boot order to boot another drive in advance of the hard drive.
          - Adding or removing hardware, such as inserting a new card in the computer.
          - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
          In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. 
          The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
      - question: What can prevent BitLocker from binding to PCR 7?
        answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it has been disabled or the hardware doesn't support it.
      - question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
        answer: Yes, multiple hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive. If a backup operating system or data drive needs to be prepared in case of a disk failure, make sure that they were matched with the correct TPM. Different hard drives can also be configured for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
      - question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
        answer: Yes, if the drive is a data drive, it can be unlocked from the **BitLocker Drive Encryption** Control Panel item by using a password or smart card. If the data drive was configured for automatic unlock only, it will need to be unlocked by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
      - question: Why is **Turn BitLocker on** not available when I right-click a drive?
        answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted.
      - question: What type of disk configurations are supported by BitLocker?
        answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
  - name: Key Management
    questions:
      - question: How can I authenticate or unlock my removable data drive?
        answer: |
          Removable data drives can be unlocked using a password or a smart card. An SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`:
          ```cmd
          Manage-bde.exe -protectors -add e: -sid <i>domain\username</i></code>
          ```
      - question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
        answer: |
          For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). 
      - question: How can the recovery password and recovery key be stored?
        answer: |
          The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed.
          For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive.
          A domain administrator can also configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
      - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
        answer: |
          The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
          ```cmd
          manage-bde.exe -protectors -delete %systemdrive% -type tpm
          manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>
          ```
      - question: When should an additional method of authentication be considered?
        answer: |
          New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack. 
          For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#allow-enhanced-pins-for-startup) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers. 
      - question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
        answer: |
          BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
          > [!IMPORTANT]
          > Store the recovery information in AD DS, along with in a Microsoft Account, or another safe location.
      - question: Can the USB flash drive that is used as the startup key also be used to store the recovery key?
        answer: While using a USB flash drive as both the startup key and for storage of the recovery key is technically possible, it isn't a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains the startup key is lost or stolen, the recovery key will also be lost. In addition, inserting this key would cause the computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
      - question: Can I save the startup key on multiple USB flash drives?
        answer: Yes, computer's startup key can be saved on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide the options to save the recovery keys on additional USB flash drives as needed.
      - question: Can I save multiple (different) startup keys on the same USB flash drive?
        answer: Yes, BitLocker startup keys for different  computers can be saved on the same USB flash drive.
      - question: Can I generate multiple (different) startup keys for the same computer?
        answer: Generating different startup keys for the same computer can be done through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
      - question: Can I generate multiple PIN combinations?
        answer: Generating multiple PIN combinations can't be done.
      - question: What encryption keys are used in BitLocker? How do they work together?
        answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on the authentication (that is, key protectors or TPM) and recovery scenarios.
      - question: Where are the encryption keys stored?
        answer: |
          The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
          This storage process ensures that the volume master key is never stored unencrypted and is protected unless BitLocker is disabled. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
      - question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
        answer: |
          The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 aren't usable in the pre-boot environment on all keyboards.
          When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
      - question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
        answer: |
          It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer.
          The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks.
          After the TPM's manufacturer has been determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
      - question: How can I determine the manufacturer of my TPM?
        answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
      - question: How can I evaluate a TPM's dictionary attack mitigation mechanism?
        answer: |
          The following questions can assist when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
          - How many failed authorization attempts can occur before lockout?
          - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
          - What actions can cause the failure count and lockout duration to be decreased or reset?
      - question: Can PIN length and complexity be managed with Group Policy?
        answer: |
          Yes and No. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, PIN complexity can't be required via Group Policy.
          For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
  - name: BitLocker To Go
    questions:
      - question: What is BitLocker To Go?
        answer: |
          BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of: 
          - USB flash drives
          - SD cards
          - External hard disk drives
          - Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. 
          Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
          As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.
  - name: BitLocker and Active Directory Domain Services (AD DS) 
    questions:
      - question: |
          What type of information is stored in AD DS?
        answer: |
          Stored information | Description
          -------------------|------------
          Hash of the TPM owner password | Beginning with Windows 10, the password hash isn't stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
          BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
          BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`. 
      - question: |
          What if BitLocker is enabled on a computer before the computer has joined the domain?
        answer: |
          If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.
          For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
          The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
          ```powershell
          $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
          $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
          Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
          BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
          ```
          > [!IMPORTANT]
          > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
      - question: |
          Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
        answer: |
          Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed.
          Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
      - question: |
          If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
        answer: |
          No. By design, BitLocker recovery password entries don't get deleted from AD DS. Therefore, multiple passwords might be seen for each drive. To identify the latest password, check the date on the object.
      - question: |
          What happens if the backup initially fails? Will BitLocker retry it?
        answer: |
          If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS.
          When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
          For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
          When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
  - name: Security
    questions:
      - question: |
          What form of encryption does BitLocker use? Is it configurable?
        answer: |
          BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
      - question: |
          What is the best practice for using BitLocker on an operating system drive?
        answer: |
          The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer can't start the computer.
      - question: |
          What are the implications of using the sleep or hibernate power management options?
        answer: |
          BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). 
      - question: |
          What are the advantages of a TPM?
        answer: |
          Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually aren't as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
          > [!NOTE]
          > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
  - name: Network Unlock
    questions:
      - question: |
          BitLocker Network Unlock FAQ
        answer: |  
          BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
          To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it.
          BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before it can be used.
          Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network.
          For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
  - name: Use BitLocker with other programs
    questions:
      - question: |
          Can I use EFS with BitLocker?
        answer: |
          Yes, Encrypting File System (EFS) can be used to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. EFS can also be used in Windows to encrypt files on other drives that aren't encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
      - question: |
          Can I run a kernel debugger with BitLocker?
        answer: |
          Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If debugging needs to be turned on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting the computer into recovery mode.
      - question: |
          How does BitLocker handle memory dumps?
        answer: |
          BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled.
      - question: |
          Can BitLocker support smart cards for pre-boot authentication?
        answer: |
          BitLocker doesn't support smart cards for pre-boot authentication. There's no single industry standard for smart card support in the firmware, and most computers either don't implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
      - question: |
          Can I use a non-Microsoft TPM driver?
        answer: |
          Microsoft doesn't support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM isn't present on the computer and not allow the TPM to be used with BitLocker.
      - question: |
          Can other tools that manage or modify the master boot record work with BitLocker?
        answer: |
          We don't recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for several security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally and complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
      - question: |
          Why is the system check failing when I'm encrypting my operating system drive?
        answer: |
          The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
          - The computer's BIOS or UEFI firmware can't read USB flash drives.
          - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled.
          - There are multiple USB flash drives inserted into the computer.
          - The PIN wasn't entered correctly.
          - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment.
          - The startup key was removed before the computer finished rebooting.
          - The TPM has malfunctioned and fails to unseal the keys.
      - question: |
          What can I do if the recovery key on my USB flash drive can't be read?
        answer: |
          Some computers can't read USB flash drives in the pre-boot environment. First, check the BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it isn't enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings, and then try to read the recovery key from the USB flash drive again. If the USB flash drive still can't be read, the hard drive will need to be mounted as a data drive on another computer so that there's an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, a recovery password may need to be supplied or use the recovery information that was backed up to AD DS. Also, if the recovery key is being used in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
      - question: |
          Why am I unable to save my recovery key to my USB flash drive?
        answer: |
          The **Save to USB** option isn't shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
      - question: |
          Why am I unable to automatically unlock my drive?
        answer: |
          Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If a computer is being used that doesn't have a BitLocker-protected operating system drive, then the fixed drive can't be automatically unlocked. For removable data drives, automatic unlocking can be added by right-clicking the drive in Windows Explorer and selecting **Manage BitLocker**. Password or smart card credentials that were supplied when BitLocker was turned on can still be used to unlock the removable drive on other computers.
      - question: |
          Can I use BitLocker in Safe Mode?
        answer: |
          Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer isn't available in Safe Mode.
      - question: |
          How do I "lock" a data drive?
        answer: |
          Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the -lock command.
          > [!NOTE]
          > Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
          The syntax of this command is:
          ```cmd
          manage-bde.exe <driveletter> -lock
          ````
          Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
      - question: |
          Can I use BitLocker with the Volume Shadow Copy Service?
        answer: |
          Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If a hardware encrypted drive is being used, the shadow copies are retained.
      - question: |
          Does BitLocker support virtual hard disks (VHDs)?
        answer: |
          BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
          - With TPM: Yes, it's supported.
          - Without  TPM: Yes, it's supported (with password protector).
          BitLocker is also supported on data volume VHDs, such as those used by clusters, if running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
      - question: |
          Can I use BitLocker with virtual machines (VMs)?
        answer: |
          Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
--- a/windows/security/operating-system-security/data-protection/bitlocker/images/yes-icon.png
+++ b/windows/security/operating-system-security/data-protection/bitlocker/images/yes-icon.png
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@ -10,30 +10,18 @@ ms.date: 11/08/2022
 # BitLocker overview
-This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
+Bitlocker is a disk encryption feature included with Windows, designed to protect data by providing encryption for entire volumes.\
 BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
-BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
+BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
-BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline.
+On computers that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
 On computers that don't have a TPM version 1.2 or later versions, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, an operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
 In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
 ## Practical applications
-Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
+Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard drive to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected devices are decommissioned or recycled.
 There are two additional tools in the Remote Server Administration Tools that can be used to manage BitLocker.
 - **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables the BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS) to be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
    By using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords. Additionally, a domain container can be searched for a BitLocker recovery password across all the domains in the Active Directory forest by right clicking on the domain container. Viewing recovery passwords can only be viewed by domain administrator or having delegated permissions by a domain administrator.
 - **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
 BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console.
 [!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
 ## System requirements
@ -64,22 +52,4 @@ A partition subject to encryption can't be marked as an active partition. This r
 When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
-## In this section
+[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
 | Article | Description |
 | - | - |
 | [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This article provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. |
 | [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This article answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
 | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This article explains the procedure you can use to plan your BitLocker deployment. |
 | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This article explains how BitLocker features can be used to protect your data through drive encryption. |
 | [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This article explains how to deploy BitLocker on Windows Server.|
 | [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This article describes how BitLocker Network Unlock works and how to configure it. |
 | [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This article describes how to use tools to manage BitLocker.|
 | [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This article describes how to use the BitLocker Recovery Password Viewer. |
 | [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This article describes the function, location, and effect of each group policy setting that is used to manage BitLocker. |
 | [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.|
 | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. |
 | [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. |
 | [Troubleshoot BitLocker](/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
 | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.|
 | [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core |
--- a/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@ -185,7 +185,7 @@ On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generate
 ## Related articles
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
+- [BitLocker frequently asked questions (FAQ)](faq.yml)
 - [BitLocker](index.md)
 - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
 - [BitLocker basic deployment](bitlocker-basic-deployment.md)
--- a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml
@ -3,54 +3,43 @@ items:
  href: index.md
 - name: BitLocker device encryption
  href: bitlocker-device-encryption-overview-windows-10.md
 - name: BitLocker frequently asked questions (FAQ)
  href: bitlocker-frequently-asked-questions.yml
  items:
  - name: Overview and requirements
    href: bitlocker-overview-and-requirements-faq.yml
  - name: Upgrading
    href: bitlocker-upgrading-faq.yml
  - name: Deployment and administration
    href: bitlocker-deployment-and-administration-faq.yml
  - name: Key management
    href: bitlocker-key-management-faq.yml
  - name: BitLocker To Go
    href: bitlocker-to-go-faq.yml
  - name: Active Directory Domain Services
    href: bitlocker-and-adds-faq.yml
  - name: Security
    href: bitlocker-security-faq.yml
  - name: BitLocker Network Unlock
    href: bitlocker-network-unlock-faq.yml
  - name: General
    href: bitlocker-using-with-other-programs-faq.yml
 - name: "Prepare your organization for BitLocker: Planning and policies"
  href: prepare-your-organization-for-bitlocker-planning-and-policies.md
 - name: BitLocker deployment comparison
  href: bitlocker-deployment-comparison.md
 - name: BitLocker basic deployment
  href: bitlocker-basic-deployment.md
 - name: Deploy BitLocker on Windows Server 2012 and later
  href: bitlocker-how-to-deploy-on-windows-server.md
 - name: BitLocker management
  href: bitlocker-management-for-enterprises.md
 - name: Enable Network Unlock with BitLocker
  href: bitlocker-how-to-enable-network-unlock.md
 - name: Use BitLocker Drive Encryption Tools to manage BitLocker
  href: bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
 - name: Use BitLocker Recovery Password Viewer
  href: bitlocker-use-bitlocker-recovery-password-viewer.md
 - name: BitLocker Group Policy settings
  href: bitlocker-group-policy-settings.md
 - name: BCD settings and BitLocker
  href: bcd-settings-and-bitlocker.md
 - name: BitLocker Recovery Guide
  href: bitlocker-recovery-guide-plan.md
 - name: BitLocker Countermeasures
  href: bitlocker-countermeasures.md
- name: Protecting cluster shared volumes and storage area networks with BitLocker
+- name: Deployment guides
-  href: protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+  items:
- name: Troubleshoot BitLocker
+    - name: Planning for BitLocker
      href: prepare-your-organization-for-bitlocker-planning-and-policies.md
    - name: BitLocker basic deployment
      href: bitlocker-basic-deployment.md
    - name: BitLocker deployment comparison
      href: bitlocker-deployment-comparison.md
 - name: How-to guides
  items:
    - name: Manage BitLocker in your organization
      href: bitlocker-management-for-enterprises.md
    - name: Configure BitLocker on Windows Server
      href: bitlocker-how-to-deploy-on-windows-server.md
    - name: Manage BitLocker with Drive Encryption Tools
      href: bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
    - name: Use BitLocker Recovery Password Viewer
      href: bitlocker-use-bitlocker-recovery-password-viewer.md
    - name: BitLocker Recovery Guide
      href: bitlocker-recovery-guide-plan.md
    - name: Protect cluster shared volumes and storage area networks with BitLocker
      href: protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
 - name: BitLocker features
  items:
    - name: Network Unlock
      href: bitlocker-how-to-enable-network-unlock.md
 - name: Reference
  items:
    - name: BitLocker Group Policy settings
      href: bitlocker-group-policy-settings.md
    - name: BCD settings
      href: bcd-settings-and-bitlocker.md
    - name: BitLocker frequently asked questions (FAQ)
      href: faq.yml
 - name: Troubleshooting
  items:
    - name: Troubleshoot BitLocker 🔗
      href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@ -2,13 +2,11 @@
 title: Advanced security audit policy settings 
 description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
 ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
 ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: low
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@ -261,7 +261,7 @@ The table below contains the list of the most common error codes for this event:
 | 0x43 | KRB\_AP\_ERR\_NO\_TGT                  | No TGT was presented or available                                           | In user-to-user authentication if the service doesn't possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 | 0x44 | KDC\_ERR\_WRONG\_REALM                 | Incorrect domain or principal                                               | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS.                                                                                                                                                                                                                                                                                                                                                                                                                           |
-   **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if Kerberos delegation was used.
+-   **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if constrained Kerberos delegation was used. 
 > **Note**&nbsp;&nbsp;**Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
--- a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
@ -6,7 +6,6 @@ ms.author: jogeurte
 ms.reviewer: jsuther1974
 ms.topic: how-to
 ms.date: 04/05/2023
 ms.custom: template-how-to
 ms.prod: windows-client
 ms.technology: itpro-security
 ---
--- a/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md
@ -6,7 +6,6 @@ ms.author: jogeurte
 ms.reviewer: jsuther1974
 ms.topic: how-to
 ms.date: 04/06/2023
 ms.custom: template-how-to
 ms.prod: windows-client
 ms.technology: itpro-security
 ---
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@ -2,11 +2,10 @@
 title: Zero Trust and Windows device health
 description: Describes the process of Windows device health attestation
 ms.reviewer:
-ms.topic: article
+ms.topic: conceptual
 manager: aaroncz
 ms.author: paoloma
 author: paolomatarazzo
 ms.custom: intro-overview
 ms.prod: windows-client
 ms.technology: itpro-security
 ms.date: 12/31/2017