Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into ntlm-dep-8396018

Meghan Stewart 2024-04-23 10:23:02 -07:00
commit c9b8217b5b
107 changed files with 1785 additions and 1447 deletions


@ -229,6 +229,11 @@
"source_path": "education/windows/windows-editions-for-education-customers.md", "source_path": "education/windows/windows-editions-for-education-customers.md",
"redirect_url": "/education/windows", "redirect_url": "/education/windows",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "education/windows/configure-windows-for-education.md",
"redirect_url": "/education/windows",
"redirect_document_id": false
} }
] ]
} }
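Review bot: the new entry (lines 15-18 of the hunk) redirects `education/windows/configure-windows-for-education.md` to the generic `/education/windows` hub, the same target the existing `windows-editions-for-education-customers.md` entry uses, so readers following a deep link to the removed article land on an index rather than on equivalent guidance. If the SetEduPolicies and AllowCortana configuration steps from the deleted article live on elsewhere, point `redirect_url` at that article instead; `redirect_document_id: false` is otherwise consistent with the neighbouring entries.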


@ -1,159 +0,0 @@
---
title: Windows 10 configuration recommendations for education customers
description: Learn how to configure the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school.
ms.topic: how-to
ms.date: 08/10/2022
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Windows 10 configuration recommendations for education customers
Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. For more information, see the following table. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store, and use devices running Windows 10 S, will be able to configure the device at no extra charge to Windows 10 Pro Education. To learn more about the steps to configure this device, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md).
In Windows 10, version 1703 (Creators Update), it's straightforward to configure Windows to be education ready.
| Area | How to configure | What this area does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S |
| --- | --- | --- | --- | --- | --- |
| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This feature is already set | This feature is already set | The policy must be set |
| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This feature is already set | This feature is already set | The policy must be set |
| **Cortana** | **AllowCortana** | Disables Cortana </br></br> * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. </br></br> See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This feature is already set | This feature is already set | The policy must be set |
| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready </br></br> * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This feature is already set | This feature is already set | The policy must be set |
## Recommended configuration
It's easy to be education ready when using Microsoft products. We recommend the following configuration:
1. Use an Office 365 Education tenant.
With Office 365, you also have Microsoft Entra ID. To learn more about Office 365 Education features and pricing, see [Office 365 Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans).
2. Activate Intune for Education in your tenant.
You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html).
3. On PCs running Windows 10, version 1703:
1. Provision the PC using one of these methods:
* [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - The usage of this method will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
* [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
2. Join the PC to Microsoft Entra ID.
* Use Set up School PCs or Windows Configuration Designer to bulk enroll to Microsoft Entra ID.
* Manually Microsoft Entra join the PC during the Windows device setup experience.
3. Enroll the PCs in MDM.
* If you've activated Intune for Education in your Microsoft Entra tenant, enrollment will happen automatically when the PC is joined to Microsoft Entra ID. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False.
4. Ensure that needed assistive technology apps can be used.
* If you've students or school personnel who rely on assistive technology apps that aren't available in the Microsoft Store, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info.
4. Distribute the PCs to students.
Students sign in with their Azure AD/Office 365 identity, which enables single sign-on to Bing in Microsoft Edge, enabling an ad-free search experience with Bing in Microsoft Edge.
5. Ongoing management through Intune for Education.
You can set many policies through Intune for Education, including **SetEduPolicies** and **AllowCortana**, for ongoing management of the PCs.
## Configuring Windows
You can configure Windows through provisioning or management tools including industry standard MDM.
- Provisioning - A one-time setup process.
- Management - A one-time and/or ongoing management of a PC by setting policies.
You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
- [Set up School PCs](use-set-up-school-pcs-app.md)
- [Intune for Education](/intune-education/available-settings)
## AllowCortana
**AllowCortana** is a policy that enables or disables Cortana. It's a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana).
> [!NOTE]
> See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings.
Use one of these methods to set this policy.
### MDM
- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
- If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
For example, in Intune, create a new configuration policy and add an OMA-URI.
- OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowCortana
- Data type: Integer
- Value: 0
### Group Policy
Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
### Provisioning tools
- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
## SetEduPolicies
**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It's a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
Use one of these methods to set this policy.
### MDM
- Intune for Education automatically sets this policy in the **All devices** group policy configuration.
- If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy.
- If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
For example, in Intune, create a new configuration policy and add an OMA-URI.
- OMA-URI: ./Vendor/MSFT/SharedPC/SetEduPolicies
- Data type: Boolean
- Value: true
![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png)
### Group Policy
**SetEduPolicies** isn't natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc).
For example:
- Open PowerShell as an administrator and enter the following:
```
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
$sharedPC.SetEduPolicies = $True
Set-CimInstance -CimInstance $sharedPC
Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass
```
### Provisioning tools
- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
![Set SetEduPolicies to True in Windows Configuration Designer.](images/wcd/setedupolicies.png)
## Ad-free search with Bing
Provide an ad-free experience that is a safer, more private search option for K12 education institutions in the United States.
### Configurations
<a name='azure-ad-and-office-365-education-tenant'></a>
#### Microsoft Entra ID and Office 365 Education tenant
To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
2. Domain join the Windows 10 PCs to your Microsoft Entra tenant (this tenant is the same as your Office 365 tenant).
3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
4. Have students sign in with their Microsoft Entra identity, which is the same as your Office 365 identity, to use the PC.
> [!NOTE]
> If you are verifying your Office 365 domain to prove education status (step 1 above), you may need to wait up to 7 days for the ad-free experience to take effect. Microsoft recommends not to roll out the browser to your students until that time.
#### Office 365 sign-in to Bing
To suppress ads only when the student signs into Bing with their Office 365 account in Microsoft Edge, follow these steps:
1. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
2. Have students sign into Bing with their Office 365 account.
## Related topics
[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
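Review bot: deleting this file removes the only place in the hunk that documents the concrete MDM values for the two education policies, `./Vendor/MSFT/Policy/Config/Experience/AllowCortana` (Integer, 0) and `./Vendor/MSFT/SharedPC/SetEduPolicies` (Boolean, true), together with the Group Policy workaround via the MDM Bridge WMI Provider, so confirm that guidance is preserved in another article before the redirect goes live. If the PowerShell snippet is relocated rather than dropped, fix its last line first: `Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass` references `$namespaceName` and `$MDM_SharedPCClass`, neither of which is defined in the block (the earlier lines use the literal namespace `root\cimv2\mdm\dmmap` and class `MDM_SharedPC`). The unclosed link `[Ad-free search with Bing](#ad-free-search-with-bing` in the Bing search advertising table row is another defect that should not be carried over.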



@ -102,10 +102,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` | | `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` |
| `DigiExam` | 14.1.0 | `Win32` | `Digiexam` | | `DigiExam` | 14.1.0 | `Win32` | `Digiexam` |
| `Digital Secure testing browser` | 15.0.0 | `Win32` | `Digiexam` | | `Digital Secure testing browser` | 15.0.0 | `Win32` | `Digiexam` |
| `Dolphin Guide Connect` | 1.25 | `Win32` | `Dolphin Guide Connect` | | `Dolphin Guide Connect` | 1.27 | `Win32` | `Dolphin Guide Connect` |
| `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` | | `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 14.0.0.0 | `Store` | `Data recognition Corporation` | | `DRC INSIGHT Online Assessments` | 14.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` | | `Duo from Cisco` | 6.3.0 | `Win32` | `Cisco` |
| `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` | | `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` | | `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` |
| `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` | | `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` |
@ -114,7 +114,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `ESET Endpoint Security` | 10.1.2046.0 | `Win32` | `ESET` | | `ESET Endpoint Security` | 10.1.2046.0 | `Win32` | `ESET` |
| `ESET Remote Administrator Agent` | 10.0.1126.0 | `Win32` | `ESET` | | `ESET Remote Administrator Agent` | 10.0.1126.0 | `Win32` | `ESET` |
| `eTests` | 4.0.25 | `Win32` | `CASAS` | | `eTests` | 4.0.25 | `Win32` | `CASAS` |
| `Exam Writepad` | 23.2.4.2338 | `Win32` | `Sheldnet` | | `Exam Writepad` | 23.12.10.1200 | `Win32` | `Sheldnet` |
| `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` | | `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` |
| `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` | | `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` | | `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` |
@ -126,8 +126,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` | | `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` |
| `Impero Backdrop Client` | 5.0.151 | `Win32` | `Impero Software` | | `Impero Backdrop Client` | 5.0.151 | `Win32` | `Impero Software` |
| `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` | | `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` |
| `Inprint` | 3.7.6 | `Win32` | `Inprint` |
| `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` | | `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` |
| `JAWS for Windows` | 2023.2307.37 | `Win32` | `Freedom Scientific` | | `Instashare` | 1.3.13.0 | `Win32` | `Instashare` |
| `JAWS for Windows` | 2024.2312.53 | `Win32` | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` | | `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` |
| `Keyman` | 16.0.142 | `Win32` | `SIL International` | | `Keyman` | 16.0.142 | `Win32` | `SIL International` |
| `Kortext` | 2.3.433.0 | `Store` | `Kortext` | | `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
@ -155,7 +157,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` | | `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` |
| `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` | | `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` |
| `Netsweeper Workstation Agent` | 4.50.54.54 | `Win32` | `Netsweeper` | | `Netsweeper Workstation Agent` | 4.50.54.54 | `Win32` | `Netsweeper` |
| `NonVisual Desktop Access` | 2023.1. | `Win32` | `NV Access` | | `NonVisual Desktop Access` | 2023.3 | `Win32` | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` | | `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` |
| `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` | | `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` |
| `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` | | `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` |
@ -166,7 +168,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `ReadAndWriteForWindows` | 12.0.78 | `Win32` | `Texthelp Ltd.` | | `ReadAndWriteForWindows` | 12.0.78 | `Win32` | `Texthelp Ltd.` |
| `Remote Desktop client (MSRDC)` | 1.2.4487.0 | `Win32` | `Microsoft` | | `Remote Desktop client (MSRDC)` | 1.2.4487.0 | `Win32` | `Microsoft` |
| `Remote Help` | 5.0.1311.0 | `Win32` | `Microsoft` | | `Remote Help` | 5.0.1311.0 | `Win32` | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` | | `Respondus Lockdown Browser` | 2.1.1.05 | `Win32` | `Respondus` |
| `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` | | `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` |
|`SchoolYear` | 3.5.4 | `Win32` |`SchoolYear` | |`SchoolYear` | 3.5.4 | `Win32` |`SchoolYear` |
|`School Manager` | 3.6.10-1149 | `Win32` |`Linewize` | |`School Manager` | 3.6.10-1149 | `Win32` |`Linewize` |
@ -175,9 +177,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Senso.Cloud` |2021.11.15.0 | `Win32` | `Senso.Cloud` | | `Senso.Cloud` |2021.11.15.0 | `Win32` | `Senso.Cloud` |
| `Skoolnext` | 2.19 | `Win32` | `Skool.net` | | `Skoolnext` | 2.19 | `Win32` | `Skool.net` |
| `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` | | `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 22.03 | `Win32` | `Dolphin Computer Access` | | `SuperNova Magnifier & Screen Reader` | 22.04 | `Win32` | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` | | `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` | | `Snapplify` | 6.9.7 | `Win32` | `Snapplify` |
|`TX Secure Browser` | 16.0.0 | `Win32` | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` | | `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` |
|`WA Secure Browser` | 16.0.0 | `Win32` | `Cambium Development` | |`WA Secure Browser` | 16.0.0 | `Win32` | `Cambium Development` |
| `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` | | `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` |
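Review bot: the new `Snapplify` row is inserted after the two `SuperNova` rows, but the table is ordered alphabetically and "Snapplify" sorts between `Smoothwall Monitor` and `SuperNova Magnifier & Screen Reader`; move the row up two positions so the list stays sorted. The `TX Secure Browser` bump from 15.0.0 to 16.0.0 is fine as is.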
@ -185,8 +188,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Windows SEB` | 3.4.0 | `Win32` | `Illinois Stateboard of Education` | | `Windows SEB` | 3.4.0 | `Win32` | `Illinois Stateboard of Education` |
| `Windows Notepad` | 12.0.78 | `Store` | `Microsoft Corporation` | | `Windows Notepad` | 12.0.78 | `Store` | `Microsoft Corporation` |
| `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` | | `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` |
| `ZoomText Fusion` | 2023.2307.7.400 | `Win32` | `Freedom Scientific` | | `ZoomText Fusion` | 2024.2310.13.400 | `Win32` | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2023.2307.29.400 | `Win32` | `Freedom Scientific` | | `ZoomText Magnifier/Reader` | 2024.2312.26.400 | `Win32` | `Freedom Scientific` |
## Add your own applications ## Add your own applications
@ -224,4 +227,4 @@ For more information on Intune requirements for adding education apps, see [Conf
[EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps [EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps
[EDUWIN-2]: /education/windows/tutorial-school-deployment/ [EDUWIN-2]: /education/windows/tutorial-school-deployment/
[WIN-1]: /windows/whats-new/windows-11-requirements [WIN-1]: /windows/whats-new/windows-11-requirements


@ -11,7 +11,7 @@ ms.collection:
# Use Quick Assist to help users # Use Quick Assist to help users
Quick Assist is a Microsoft Store application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. Quick Assist is an application that enables a person to share their [Windows](#install-quick-assist-on-windows) or [macOS](#install-quick-assist-on-macos) device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
## Before you begin ## Before you begin
@ -89,7 +89,7 @@ Microsoft logs a small amount of session data to monitor the health of the Quick
In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device.
## Install Quick Assist ## Install Quick Assist on Windows
### Install Quick Assist from the Microsoft Store ### Install Quick Assist from the Microsoft Store
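Review bot: renaming `## Install Quick Assist` to `## Install Quick Assist on Windows` changes the heading's anchor from `#install-quick-assist` to `#install-quick-assist-on-windows`; the updated intro in the first hunk already uses the new anchor, but any other article or external link that targets `#install-quick-assist` will now land at the top of the page. Check the repo for inbound references to the old anchor and update them in the same PR.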
@ -127,7 +127,7 @@ To install Quick Assist offline, you need to download your APPXBUNDLE and unenco
1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"` 1. Run the following command to install Quick Assist: `Add-AppxProvisionedPackage -Online -PackagePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe.AppxBundle" -LicensePath "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe_4bc27046-84c5-8679-dcc7-d44c77a47dd0.xml"`
1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers` 1. After Quick Assist has installed, run this command to confirm that Quick Assist is installed for the user: `Get-AppxPackage *QuickAssist* -AllUsers`
## Microsoft Edge WebView2 ### Microsoft Edge WebView2
The Microsoft EdgeWebView2is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps.The new Quick Assist application has been developed using this control, making it a necessary component for the app to function. The Microsoft EdgeWebView2is a development control that uses Microsoft Edge as the rendering engine to display web content in native apps.The new Quick Assist application has been developed using this control, making it a necessary component for the app to function.
@ -136,6 +136,13 @@ The Microsoft EdgeWebView2is a development control that uses Microsoft Edg
For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution) For more information on distributing and installing Microsoft Edge WebView2, visit [Distribute your app and the WebView2 Runtime](/microsoft-edge/webview2/concepts/distribution)
## Install Quick Assist on macOS
Quick Assist for macOS is available for interactions with Microsoft Support. If Microsoft products on your macOS device are not working as expected, contact [Microsoft Support](https://support.microsoft.com/contactus) for assistance. Your Microsoft Support agent will guide you through the process of downloading and installing it on your device.
> [!NOTE]
> Quick Assist for macOS is not available outside of Microsoft Support interactions.
## Next steps ## Next steps
If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332). If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).
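Review bot: the new macOS section says Quick Assist for macOS is only obtainable through a Microsoft Support interaction, yet the reworded intro in the first hunk links "macOS" alongside "Windows" as if both were self-service installs; consider wording the intro link so admins do not expect a downloadable macOS package. The `[!NOTE]` that follows also restates the preceding sentence ("available for interactions with Microsoft Support" versus "not available outside of Microsoft Support interactions"); keep one of the two.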


@ -1,7 +1,7 @@
--- ---
title: Update Policy CSP title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP. description: Learn more about the Update Area in Policy CSP.
ms.date: 02/14/2024 ms.date: 02/14/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -1556,7 +1556,8 @@ Configure this policy to specify whether to receive **Windows Feature Updates**
- SetPolicyDrivenUpdateSourceForOtherUpdates - SetPolicyDrivenUpdateSourceForOtherUpdates
> [!NOTE] > [!NOTE]
> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. > - If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
> - If you're also using the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](policy-csp-admx-servicing.md)) policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](/windows/deployment/update/fod-and-lang-packs) to verify your policy configuration.
<!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Editable-End --> <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-Editable-End -->
<!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-DFProperties-Begin --> <!-- SetPolicyDrivenUpdateSourceForFeatureUpdates-DFProperties-Begin -->
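Review bot: since the first bullet of the note is being rewritten anyway, drop the doubled qualifier in "If you have not properly configured Update/UpdateServiceUrl correctly"; "If Update/UpdateServiceUrl isn't configured to point to your WSUS server, this policy has no effect" says the same thing. In the new second bullet, "FoDs" is used before the full term "Features on Demand" appears in the link text; spell it out on first use. Both edits sit inside the `-Editable-` region, so they survive regeneration of the auto-generated document.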
@ -1694,7 +1695,8 @@ Configure this policy to specify whether to receive **Windows Quality Updates**
- SetPolicyDrivenUpdateSourceForOtherUpdates - SetPolicyDrivenUpdateSourceForOtherUpdates
> [!NOTE] > [!NOTE]
> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. > - If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
> - If you're also using the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](policy-csp-admx-servicing.md)) policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](/windows/deployment/update/fod-and-lang-packs) to verify your policy configuration.
<!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Editable-End --> <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-Editable-End -->
<!-- SetPolicyDrivenUpdateSourceForQualityUpdates-DFProperties-Begin --> <!-- SetPolicyDrivenUpdateSourceForQualityUpdates-DFProperties-Begin -->
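Review bot: this note is now a word-for-word copy of the one added under SetPolicyDrivenUpdateSourceForFeatureUpdates in the previous hunk, including the "properly ... correctly" redundancy; apply the same wording fix here, and consider an include file so the two copies cannot drift apart the next time one of them is edited.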


@ -1,47 +1,44 @@
--- ---
title: Configure cellular settings for tablets and PCs title: Configure cellular settings
description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles.
ms.topic: concept-article ms.topic: concept-article
ms.date: 04/13/2018 ms.date: 04/23/2024
--- ---
# Configure cellular settings for tablets and PCs # Configure cellular settings
>**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings) This article describes how to configure cellular settings for devices that have a cellular modem using a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined in the provisioning package, without needing to connect manually.
Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](../provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect. For users who work in different locations, you can configure one APN to connect when the users are at work, and a different APN when the users are traveling.
For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling.
## Prerequisites ## Prerequisites
- Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education) - Device with built-in cellular modem or plug-in USB modem dongle
- Tablet or PC with built-in cellular modem or plug-in USB modem dongle
- [Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md) - [Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md)
- APN (the address that your PC uses to connect to the Internet when using the cellular data connection) - APN (the address that the device uses to connect to the Internet when using the cellular data connection)
## How to configure cellular settings in a provisioning package ## How to configure cellular settings in a provisioning package
1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option. 1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option
1. Enter a name for your project, and then click **Next**. 1. Enter a name for your project, and then select **Next**
1. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. 1. Select **All Windows desktop editions**, select **Next**, and then select **Finish**
1. Go to **Runtime settings > Connections > EnterpriseAPN**. 1. Go to **Runtime settings > Connections > EnterpriseAPN**
1. Enter a name for the connection, and then click **Add**. 1. Enter a name for the connection, and then select **Add**
![Example of APN connection name.](images/apn-add.png) ![Example of APN connection name.](images/apn-add.png)
1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. 1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection
![settings for new connection.](images/apn-add-details.png) ![settings for new connection.](images/apn-add-details.png)
1. The following table describes the settings available for the connection. 1. The following table describes the settings available for the connection
| Setting | Description | | Setting | Description |
| --- | --- | | --- | --- |
| AlwaysOn | By default, the Connection Manager will automatically attempt to connect to the APN when a connection is available. You can disable this setting. | | AlwaysOn | By default, the Connection Manager automatically attempts to connect to the APN when a connection is available. You can disable the setting. |
| APNName | Enter the name of the APN. | | APNName | Enter the name of the APN. |
| AuthType | You can select **None** (the default), or specify **Auto**, **PAP**, **CHAP**, or **MSCHAPv2** authentication. If you select PAP, CHAP, or MSCHAPv2 authentication, you must also enter a user name and password. | | AuthType | You can select **None** (the default), or specify **Auto**, **PAP**, **CHAP**, or **MSCHAPv2** authentication. If you select PAP, CHAP, or MSCHAPv2 authentication, you must also enter a user name and password. |
| ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attach APN is not only used as the Internet APN. | | ClassId | This is a GUID that defines the APN class to the modem. This is only required when **IsAttachAPN** is **true** and the attached APN isn't only used as the Internet APN. |
| Enabled | By default, the connection is enabled. You can change this setting. | | Enabled | By default, the connection is enabled. You can change this setting. |
| IccId | This is the Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. | | IccId | This is the Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. |
| IPType | By default, the connection can use IPv4 and IPv6 concurrently. You can change this setting to only IPv4, only IPv6, or IPv6 with IPv4 provided by 46xlat. | | IPType | By default, the connection can use IPv4 and IPv6 concurrently. You can change this setting to only IPv4, only IPv6, or IPv6 with IPv4 provided by 46xlat. |
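Review bot: `46xlat` in the IPType row (unchanged in both the old and new text) should read `464XLAT`, the name of the mechanism that provides IPv4 connectivity over an IPv6-only bearer; as written the term is not searchable. Two further points in the same table and list: the AuthType row says a user name and password must be entered for PAP, CHAP or MSCHAPv2, which means those credentials are carried inside the provisioning package itself, and the page should say so and point to how the package is to be protected when it is stored or distributed; and the Prerequisites list drops the "Windows 10, version 1703, desktop editions" entry without any replacement, so confirm the page's applies-to metadata now carries the supported versions.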
@ -55,22 +52,22 @@ For users who work in different locations, you can configure one APN to connect
## Confirm the settings ## Confirm the settings
After you apply the provisioning package, you can confirm that the settings have been applied. After you apply the provisioning package, you can confirm that the settings are applied.
1. On the configured device, open a command prompt as an administrator. 1. On the configured device, open a command prompt as an administrator
1. Run the following command: 1. Run the following command:
```cmd ```cmd
netsh mbn show profiles netsh mbn show profiles
``` ```
1. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run: 1. The command lists the mobile broadband profiles. Using the **Name** for the listed mobile broadband profile, run:
```cmd ```cmd
netsh mbn show profiles name="name" netsh mbn show profiles name="name"
``` ```
This command will list details for that profile, including Access Point Name. This command lists the details for that profile, including Access Point Name.
Alternatively, you can also use the command: Alternatively, you can also use the command:
@ -84,4 +81,4 @@ From the results of that command, get the name of the cellular/mobile broadband
netsh mbn show connection interface="name" netsh mbn show connection interface="name"
``` ```
The result of that command will show details for the cellular interface, including Access Point Name. The result of that command shows the details for the cellular interface, including Access Point Name.

View File

@ -0,0 +1,3 @@
<svg width="16" height="17" viewBox="0 0 16 17" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M4.71289 13.625H2.33105C2.03809 13.625 1.75684 13.5664 1.4873 13.4492C1.22363 13.3262 0.989258 13.165 0.78418 12.9658C0.584961 12.7607 0.423828 12.5264 0.300781 12.2627C0.183594 11.9932 0.125 11.7119 0.125 11.4189V2.33105C0.125 2.03809 0.183594 1.75977 0.300781 1.49609C0.423828 1.22656 0.584961 0.992188 0.78418 0.792969C0.989258 0.587891 1.22363 0.426758 1.4873 0.30957C1.75684 0.186523 2.03809 0.125 2.33105 0.125H13.6689C13.9619 0.125 14.2402 0.186523 14.5039 0.30957C14.7734 0.426758 15.0078 0.587891 15.207 0.792969C15.4121 0.992188 15.5732 1.22656 15.6904 1.49609C15.8135 1.75977 15.875 2.03809 15.875 2.33105V11.4189C15.875 11.7236 15.8135 12.0107 15.6904 12.2803C15.5674 12.5439 15.4033 12.7754 15.1982 12.9746C14.9932 13.1738 14.7529 13.332 14.4775 13.4492C14.208 13.5664 13.9238 13.625 13.625 13.625H11.2871L8.42188 16.8154C8.31055 16.9385 8.16992 17 8 17C7.83008 17 7.68945 16.9385 7.57812 16.8154L4.71289 13.625ZM14.75 11.375V2.375C14.75 2.22266 14.7207 2.0791 14.6621 1.94434C14.6035 1.80371 14.5215 1.68359 14.416 1.58398C14.3164 1.47852 14.1963 1.39648 14.0557 1.33789C13.9209 1.2793 13.7773 1.25 13.625 1.25H2.375C2.2168 1.25 2.07031 1.2793 1.93555 1.33789C1.80078 1.39648 1.68066 1.47852 1.5752 1.58398C1.47559 1.68359 1.39648 1.80078 1.33789 1.93555C1.2793 2.07031 1.25 2.2168 1.25 2.375V11.375C1.25 11.5332 1.2793 11.6826 1.33789 11.8232C1.39648 11.958 1.47559 12.0752 1.5752 12.1748C1.6748 12.2744 1.79199 12.3535 1.92676 12.4121C2.06738 12.4707 2.2168 12.5 2.375 12.5H4.95898C5.04102 12.5 5.11719 12.5146 5.1875 12.5439C5.26367 12.5732 5.32812 12.6201 5.38086 12.6846L8 15.5938L10.6191 12.6846C10.6719 12.6201 10.7334 12.5732 10.8037 12.5439C10.8799 12.5146 10.959 12.5 11.041 12.5H13.625C13.7832 12.5 13.9297 12.4707 14.0645 12.4121C14.1992 12.3535 14.3164 12.2744 14.416 12.1748C14.5215 12.0693 14.6035 11.9492 14.6621 11.8145C14.7207 11.6797 14.75 11.5332 14.75 11.375Z" fill="#0883D9"/>
</svg>

View File

@ -0,0 +1,3 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M14.6953 2.25C15.1348 2.25 15.5537 2.33789 15.9521 2.51367C16.3506 2.68945 16.7021 2.92969 17.0068 3.23438C17.3115 3.53906 17.5518 3.89062 17.7275 4.28906C17.9033 4.6875 17.9941 5.10938 18 5.55469V12.4453C18 12.8848 17.9121 13.3037 17.7363 13.7021C17.5605 14.1006 17.3203 14.4521 17.0156 14.7568C16.7109 15.0615 16.3594 15.3018 15.9609 15.4775C15.5625 15.6533 15.1406 15.7441 14.6953 15.75H3.30469C2.86523 15.75 2.44629 15.6621 2.04785 15.4863C1.64941 15.3105 1.29785 15.0703 0.993164 14.7656C0.688477 14.4609 0.448242 14.1094 0.272461 13.7109C0.0966797 13.3125 0.00585938 12.8906 0 12.4453V5.55469C0 5.11523 0.0878906 4.69629 0.263672 4.29785C0.439453 3.89941 0.679688 3.54785 0.984375 3.24316C1.28906 2.93848 1.64062 2.69824 2.03906 2.52246C2.4375 2.34668 2.85938 2.25586 3.30469 2.25H14.6953ZM3.33105 3.375C3.03809 3.375 2.75977 3.43359 2.49609 3.55078C2.23242 3.66797 1.99805 3.8291 1.79297 4.03418C1.58789 4.23926 1.42676 4.47363 1.30957 4.7373C1.19238 5.00098 1.13086 5.28223 1.125 5.58105V11.25H16.875V5.58105C16.875 5.28809 16.8164 5.00977 16.6992 4.74609C16.582 4.48242 16.4209 4.24805 16.2158 4.04297C16.0107 3.83789 15.7764 3.67676 15.5127 3.55957C15.249 3.44238 14.9678 3.38086 14.6689 3.375H3.33105ZM14.6689 14.625C14.9619 14.625 15.2402 14.5664 15.5039 14.4492C15.7676 14.332 16.002 14.1709 16.207 13.9658C16.4121 13.7607 16.5732 13.5264 16.6904 13.2627C16.8076 12.999 16.8691 12.7178 16.875 12.4189V12.375H1.125V12.4189C1.125 12.7119 1.18359 12.9902 1.30078 13.2539C1.41797 13.5176 1.5791 13.752 1.78418 13.957C1.98926 14.1621 2.22363 14.3232 2.4873 14.4404C2.75098 14.5576 3.03223 14.6191 3.33105 14.625H14.6689ZM12.9375 12.375C12.7852 12.375 12.6533 12.4307 12.542 12.542C12.4307 12.6533 12.375 12.7852 12.375 12.9375C12.375 13.0898 12.4307 13.2217 12.542 13.333C12.6533 13.4443 12.7852 13.5 12.9375 13.5C13.0898 13.5 13.2217 13.4443 13.333 13.333C13.4443 13.2217 13.5 13.0898 13.5 12.9375C13.5 12.7852 13.4443 12.6533 13.333 12.542C13.2217 12.4307 13.0898 12.375 12.9375 
12.375ZM15.1875 12.375C15.0352 12.375 14.9033 12.4307 14.792 12.542C14.6807 12.6533 14.625 12.7852 14.625 12.9375C14.625 13.0898 14.6807 13.2217 14.792 13.333C14.9033 13.4443 15.0352 13.5 15.1875 13.5C15.3398 13.5 15.4717 13.4443 15.583 13.333C15.6943 13.2217 15.75 13.0898 15.75 12.9375C15.75 12.7852 15.6943 12.6533 15.583 12.542C15.4717 12.4307 15.3398 12.375 15.1875 12.375Z" fill="#0883D9"/>
</svg>

View File

@ -0,0 +1,3 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M3.375 6.1875C3.375 5.49023 3.50684 4.83398 3.77051 4.21875C4.03418 3.60352 4.39746 3.06738 4.86035 2.61035C5.32324 2.15332 5.85937 1.79297 6.46875 1.5293C7.07813 1.26562 7.73438 1.13086 8.4375 1.125C8.90039 1.125 9.3457 1.18359 9.77344 1.30078C10.2012 1.41797 10.6055 1.58789 10.9863 1.81055C11.3672 2.0332 11.71 2.2998 12.0146 2.61035C12.3193 2.9209 12.583 3.26367 12.8057 3.63867C13.0283 4.01367 13.1982 4.41504 13.3154 4.84277C13.4326 5.27051 13.4941 5.71875 13.5 6.1875V6.37207C13.5 6.43066 13.4941 6.49512 13.4824 6.56543L12.375 6.37207V6.11719C12.375 5.58398 12.2695 5.08301 12.0586 4.61426C11.8477 4.14551 11.5605 3.73535 11.1973 3.38379C10.834 3.03223 10.415 2.75684 9.94043 2.55762C9.46582 2.3584 8.96484 2.25586 8.4375 2.25C7.91602 2.25 7.41797 2.34961 6.94336 2.54883C6.46875 2.74805 6.0498 3.02637 5.68652 3.38379C5.32324 3.74121 5.03613 4.15137 4.8252 4.61426C4.61426 5.07715 4.50586 5.57813 4.5 6.11719C4.5 6.47461 4.53809 6.81152 4.61426 7.12793C4.69043 7.44434 4.81348 7.76367 4.9834 8.08594H4.89551C4.53223 8.08594 4.16895 8.13574 3.80566 8.23535C3.51855 7.5791 3.375 6.89648 3.375 6.1875ZM10.2129 16.8574C9.9668 16.8574 9.72949 16.8223 9.50098 16.752C9.27246 16.6816 9.06152 16.582 8.86816 16.4531C8.6748 16.3242 8.49316 16.1748 8.32324 16.0049C8.15332 15.835 8.00391 15.6475 7.875 15.4424C7.61719 15.0381 7.33008 14.6748 7.01367 14.3525C6.69727 14.0303 6.33984 13.7314 5.94141 13.4561C5.68359 13.2803 5.42871 13.1338 5.17676 13.0166C4.9248 12.8994 4.66992 12.8027 4.41211 12.7266C4.1543 12.6504 3.8877 12.583 3.6123 12.5244C3.33691 12.4658 3.0498 12.416 2.75098 12.375C2.59863 12.3516 2.47852 12.29 2.39062 12.1904C2.30273 12.0908 2.25586 11.9648 2.25 11.8125C2.25 11.7773 2.25586 11.7305 2.26758 11.6719C2.34375 11.332 2.4668 11.0303 2.63672 10.7666C2.80664 10.5029 3.01172 10.2803 3.25195 10.0986C3.49219 9.91699 3.76172 9.7793 4.06055 9.68555C4.35938 9.5918 4.68457 9.54492 5.03613 9.54492C5.3291 9.54492 5.61621 9.57129 5.89746 9.62402C6.17871 9.67676 6.46289 9.75 
6.75 9.84375V5.0625C6.75 4.83398 6.79395 4.61719 6.88184 4.41211C6.96973 4.20703 7.08984 4.02832 7.24219 3.87598C7.39453 3.72363 7.57617 3.60059 7.78711 3.50684C7.99805 3.41309 8.21484 3.36914 8.4375 3.375C8.66602 3.375 8.88281 3.41895 9.08789 3.50684C9.29297 3.59473 9.47168 3.71484 9.62402 3.86719C9.77637 4.01953 9.89941 4.20117 9.99316 4.41211C10.0869 4.62305 10.1309 4.83984 10.125 5.0625V7.40039L13.4297 7.98047C13.7637 8.03906 14.0713 8.15332 14.3525 8.32324C14.6338 8.49316 14.8799 8.70117 15.0908 8.94727C15.3018 9.19336 15.4658 9.46875 15.583 9.77344C15.7002 10.0781 15.7588 10.4033 15.7588 10.749C15.7588 11.0771 15.7002 11.4023 15.583 11.7246L14.4756 14.7305C14.2998 15.2051 14.0215 15.6006 13.6406 15.917C13.2598 16.2334 12.8203 16.4355 12.3223 16.5234L10.6084 16.8223C10.4912 16.8457 10.3594 16.8574 10.2129 16.8574ZM14.6338 10.7578C14.6338 10.5527 14.5986 10.3594 14.5283 10.1777C14.458 9.99609 14.3613 9.8291 14.2383 9.67676C14.1152 9.52441 13.9688 9.39844 13.7988 9.29883C13.6289 9.19922 13.4414 9.12891 13.2363 9.08789L9.46582 8.42871C9.33105 8.40527 9.21973 8.34082 9.13184 8.23535C9.04395 8.12988 9 8.00977 9 7.875V5.0625C9 4.91016 8.94434 4.77832 8.83301 4.66699C8.72168 4.55566 8.58984 4.5 8.4375 4.5C8.28516 4.5 8.15332 4.55566 8.04199 4.66699C7.93066 4.77832 7.875 4.91016 7.875 5.0625V10.6875C7.875 10.8457 7.82227 10.9775 7.7168 11.083C7.61133 11.1885 7.47656 11.2441 7.3125 11.25C7.25977 11.25 7.21582 11.2471 7.18066 11.2412C7.14551 11.2354 7.10449 11.2178 7.05762 11.1885C6.74121 11.042 6.41895 10.9189 6.09082 10.8193C5.7627 10.7197 5.41992 10.6699 5.0625 10.6699C4.75195 10.6699 4.47363 10.7197 4.22754 10.8193C3.98145 10.9189 3.77051 11.1006 3.59473 11.3643C4.71973 11.5693 5.71582 11.959 6.58301 12.5332C7.4502 13.1074 8.19727 13.8779 8.82422 14.8447C8.90039 14.9619 8.98828 15.0732 9.08789 15.1787C9.1875 15.2842 9.29883 15.3779 9.42188 15.46C9.54492 15.542 9.67383 15.6064 9.80859 15.6533C9.94336 15.7002 10.084 15.7266 10.2305 15.7324H10.3271C10.3623 15.7324 
10.3945 15.7266 10.4238 15.7148L12.1289 15.416C12.4277 15.3633 12.6914 15.2402 12.9199 15.0469C13.1484 14.8535 13.3154 14.6162 13.4209 14.335L14.5283 11.3379C14.5986 11.1563 14.6338 10.9629 14.6338 10.7578Z" fill="#0883D9"/>
</svg>

After

Width:  |  Height:  |  Size: 4.2 KiB

View File

@ -291,19 +291,18 @@ To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-c
The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile:
```XML ```XML
<start:DesktopApplicationTile <start:DesktopApplicationTile DesktopApplicationID="http://www.contoso.com/"
DesktopApplicationID="http://www.contoso.com/" Size="2x2"
Size="2x2" Row="0"
Row="0" Column="2"/>
Column="2"/>
``` ```
>[!NOTE] >[!NOTE]
>In Windows 10, version 1703, `Export-StartLayout` will use `DesktopApplicationLinkPath` for the .url shortcut. You must change `DesktopApplicationLinkPath` to `DesktopApplicationID` and provide the URL. >`Export-StartLayout` uses `DesktopApplicationLinkPath` for the .url shortcut. You must change `DesktopApplicationLinkPath` to `DesktopApplicationID` and provide the URL.
#### start:SecondaryTile #### start:SecondaryTile
You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require more actions compared to the method of using legacy `.url` shortcuts (through the start:DesktopApplicationTile tag). You can use the `start:SecondaryTile` tag to pin a web link through a Microsoft Edge secondary tile. This method doesn't require more actions compared to the method of using legacy `.url` shortcuts (through the `start:DesktopApplicationTile` tag).
The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
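Review bot: the rewritten note "`Export-StartLayout` uses `DesktopApplicationLinkPath` for the .url shortcut" drops the "In Windows 10, version 1703" qualifier and so turns a version-specific remark into an unconditional statement; confirm it holds for every version this page covers, or keep a qualifier. Style: the `DesktopApplicationTile` example pins `http://www.contoso.com/`; an `https://` example URL would be the better default for a sample that readers copy.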

View File

@ -81,7 +81,7 @@ Select one of the tabs to see the list of available settings:
|[Prevent users from customizing their Start](#prevent-users-from-customizing-their-start)|❌|✅| |[Prevent users from customizing their Start](#prevent-users-from-customizing-their-start)|❌|✅|
|[Prevent users from uninstalling applications from Start](#prevent-users-from-uninstalling-applications-from-start)|❌|✅| |[Prevent users from uninstalling applications from Start](#prevent-users-from-uninstalling-applications-from-start)|❌|✅|
|[Remove common program groups](#remove-common-program-groups)|❌|✅| |[Remove common program groups](#remove-common-program-groups)|❌|✅|
|[Show "Run as different user" command](#show-run-as-different-user-command)|❌|✅| |[Show **Run as different user** command](#show-run-as-different-user-command)|❌|✅|
::: zone-end ::: zone-end
[!INCLUDE [clear-history-of-recently-opened-documents-on-exit](includes/clear-history-of-recently-opened-documents-on-exit.md)] [!INCLUDE [clear-history-of-recently-opened-documents-on-exit](includes/clear-history-of-recently-opened-documents-on-exit.md)]
@ -116,7 +116,6 @@ Select one of the tabs to see the list of available settings:
[!INCLUDE [remove-common-program-groups](includes/remove-common-program-groups.md)] [!INCLUDE [remove-common-program-groups](includes/remove-common-program-groups.md)]
[!INCLUDE [show-run-as-different-user-command](includes/show-run-as-different-user-command.md)] [!INCLUDE [show-run-as-different-user-command](includes/show-run-as-different-user-command.md)]
#### [:::image type="icon" source="../images/icons/allapps.svg"::: **All apps**](#tab/allapps) #### [:::image type="icon" source="../images/icons/allapps.svg"::: **All apps**](#tab/allapps)
|Policy name| CSP | GPO | |Policy name| CSP | GPO |


View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Allow widgets
This policy specifies whether the widgets feature is allowed on the device.
- Widgets are turned on by default, unless you change this in your settings
- If you turn on this policy setting, widgets are enabled automatically, unless you turn it off in your settings
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/`[AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Widgets** |
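Review bot: the two bullets describe only the default and the enabled state; the disabled branch (what happens to widgets when the policy is turned off) is missing, which is the case an administrator locking down the taskbar actually needs, and every sibling include in this change documents both branches. The second bullet's "unless you turn it off in your settings" also reads as if a user can override an enabled policy; say which setting is meant and who can change it.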

View File

@ -0,0 +1,19 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/10/2024
ms.topic: include
---
### Configure Start layout
<!--Applied at logon only.-->
This policy setting lets you specify the applications pinned to the taskbar. The layout that you specify has an XML format.
| | Path |
|--|--|
| **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout)<br><br>- `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`/[Configure start layout](/windows/client-management/mdm/policy-csp-start#startlayout) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br> **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
For more information, see [Customize the taskbar pinned applications](../pinned-apps.md).
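Review bot: the heading says "Configure Start layout" but the body says the setting "lets you specify the applications pinned to the taskbar" and links to the taskbar pinned-apps article; if the same StartLayout policy is what carries the taskbar pin list, state that in the first sentence, otherwise align the heading with the body. Style: the CSP cell puts the link after the full leaf path (`.../Start/StartLayout`/[Configure start layout]) while the other includes in this change put the leaf name in the link text (`.../Start/`[NoPinningToTaskbar]); use one form.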

View File

@ -0,0 +1,21 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Configures search on the taskbar
This policy setting allows you to configure search on the taskbar.
- If you enable this policy setting and set it to **hide**, search on taskbar is hidden by default. Users can't change it in Settings
- If you enable this policy setting and set it to **search icon only**, the search icon is displayed on the taskbar by default. Users can't change it in Settings
- If you enable this policy setting and set it to **search icon and label**, the search icon and label are displayed on the taskbar by default. Users can't change it in Settings
- If you enable this policy setting and set it to **search box**, the search box is displayed on the taskbar by default. Users can't change it in Settings
- If you disable or don't configure this policy setting, search on taskbar is configured according to the defaults for your Windows edition. Users can change search on taskbar in Settings
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Search/`[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) |
| **GPO** | **Computer Configuration** > **Windows Components** > **Search** |
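Review bot: the GPO path `Computer Configuration > Windows Components > Search` is missing the `Administrative Templates` node that every other GPO path in this change includes; it should read **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**.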

View File

@ -5,9 +5,10 @@ ms.date: 03/18/2024
ms.topic: include ms.topic: include
--- ---
### Disable editing quick settings ### Disable editing Quick Settings
When you enable this policy setting, users can't modify quick settings. If you disable or don't configure this policy setting, users can edit quick settings, like pinning or unpinning buttons. - If you enable this policy setting, users can't modify Quick Settings
- If you disable or don't configure this policy setting, users can edit Quick Settings
| | Path | | | Path |
|--|--| |--|--|

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Do not allow pinning items in Jump Lists
With this policy setting you control the pinning of items in Jump Lists.
- If you enable this policy setting, users can't pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users can't unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists continue to show
- If you disable or don't configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items are always present in this menu
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Do not allow pinning programs to the Taskbar
This policy setting allows you to control pinning programs to the Taskbar.
- If you enable this policy setting, users can't change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users can't unpin these programs already pinned to the Taskbar, and they can't pin new programs to the Taskbar
- If you disable or don't configure this policy setting, users can change the programs currently pinned to the Taskbar
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
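Review bot: the CSP row gives only a Device-scoped path (`./Device/Vendor/MSFT/Policy/Config/Start/NoPinningToTaskbar`) while the GPO row is under User Configuration; confirm whether the policy also exists under `./User/...` (the Configure Start layout include in this change lists both scopes) and, if so, list it, since the scope decides whether the taskbar lock applies per machine or per user.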

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Do not allow pinning Store app to the Taskbar
This policy setting allows you to control pinning the Store app to the Taskbar.
- If you enable this policy setting, users can't pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next sign in
- If you disable or don't configure this policy setting, users can pin the Store app to the Taskbar
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
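Review bot: "it will be removed from the Taskbar on next sign in" in the first bullet uses the future tense that the rest of this change removes elsewhere (for example "will automatically attempt" becoming "automatically attempts"); "it's removed from the Taskbar at the next sign-in" matches, with "sign-in" hyphenated as the noun.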

View File

@ -0,0 +1,15 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Do not allow taskbars on more than one display
This policy setting allows you to prevent taskbars from being displayed on more than one monitor. If you enable this policy setting, users aren't able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. If you disable or don't configure this policy setting, users can show taskbars on more than one display.
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
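Review bot: this include keeps the enable and disable behaviour in one run-on paragraph while every sibling include in this change splits them into two bullets; use the same list here. Within it, "is not enabled" should be "isn't enabled" to match the contractions used elsewhere, and "monitor" and "display" are used interchangeably in adjacent sentences; pick one.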

View File

@ -0,0 +1,21 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Do not display or track items in Jump Lists from remote locations
This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites, and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks.
- If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers aren't tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections
- If you disable or don't configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer
> [!NOTE]
> This setting doesn't prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists.
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
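Review bot: "display Jump Lists off of programs" in the intro is awkward; "display Jump Lists for programs" reads better. The note that explicitly pinned remote items are still shown is the key caveat for anyone enabling this setting to keep remote file names off the device; consider placing it directly under the enable bullet so it isn't missed.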

View File

@ -0,0 +1,27 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 03/13/2024
ms.topic: include
---
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftLoop_8wekyb3d8bbwe!App" />
<taskbar:UWA AppUserModelID="MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```

View File

@ -0,0 +1,43 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 03/13/2024
ms.topic: include
---
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout Region="US|UK">
<taskbar:TaskbarPinList >
<taskbar:UWA AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
<taskbar:DesktopApp DesktopApplicationID="MSEdge"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout Region="DE|FR|IT">
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationID="MSEdge"/>
<taskbar:UWA AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftLoop_8wekyb3d8bbwe!App" />
<taskbar:UWA AppUserModelID="MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationID="MSEdge"/>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftLoop_8wekyb3d8bbwe!App" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
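Review bot: `Region="US|UK"` in the second sample: the ISO 3166-1 alpha-2 code for the United Kingdom is `GB`, not `UK`; confirm which code the `Region` attribute accepts and use that one, otherwise readers copying the sample get a layout that never matches for UK devices. Style: `<taskbar:TaskbarPinList >` in the first `TaskbarLayout` has a stray space before the closing bracket that the other pin lists don't.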

View File

@ -0,0 +1,24 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 03/13/2024
ms.topic: include
---
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="#leaveempty"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```

View File

@ -0,0 +1,27 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 03/13/2024
ms.topic: include
---
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" />
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftLoop_8wekyb3d8bbwe!App" />
<taskbar:UWA AppUserModelID="MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```

View File

@ -0,0 +1,53 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 03/13/2024
ms.topic: include
---
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<!-- your pins list goes here -->
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
::: zone pivot="windows-10"
### Sample taskbar configuration added to Start layout XML file
If you configure the Start layout using policy settings, you can modify the existing XML file by adding the taskbar customizations to it. Here's an example of a Start layout XML file that includes the `CustomTaskbarLayoutCollection` node.
```xml
<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="">
<!-- your Start layout goes here -->
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<!-- your pins list goes here -->
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
::: zone-end
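Review bot: two well-formedness bugs make these samples fail to import. In the first sample, `<taskbar:TaskbarPinList>` is opened but never closed before `</defaultlayout:TaskbarLayout>`; add `</taskbar:TaskbarPinList>` after the `<!-- your pins list goes here -->` comment, as the second sample does. In the second sample, the root `<LayoutModificationTemplate>` declares the `defaultlayout` and `start` namespaces but not `taskbar`, while `<taskbar:TaskbarPinList>` is used inside it; add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the root element (the page's own step 2 tells readers to do exactly that, so the sample should show it).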

View File

@ -0,0 +1,23 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/12/2024
ms.topic: include
---
### Hide recent jumplists
Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.
- If you enable this setting:
- The system and apps don't create shortcuts to documents opened
- The system empties the Recent Items menu on the Start menu, and apps don't display shortcuts at the bottom of the File menu
- The Jump Lists in the Start Menu and Taskbar don't show lists of recently or frequently used files, folders, or websites
- If you disable or don't configure this setting, the system stores and displays shortcuts to recently and frequently used files, folders, and websites
- If you enable this setting but don't enable the **Remove Recent Items menu from Start Menu** setting, the Recent Items menu appears on the Start menu, but it's empty.
- If you enable this setting, but then later disable it or set it to **Not Configured**, the document shortcuts saved before the setting was enabled reappear in the Recent Items menu and program File menus, and Jump Lists. This setting doesn't hide or prevent the user from pinning files, folders, or websites to the Jump Lists. This setting doesn't hide document shortcuts displayed in the Open dialog box
| | Path |
|--|--|
| **CSP** | - `./Device/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)<br><br>- `./User/Vendor/MSFT/Policy/Config/Start/`[HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**<br><br> **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **don't keep history of recently opened documents**|
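Review bot: the GPO row writes the leaf policy as lowercase "don't keep history of recently opened documents" inside an otherwise bold Title Case path, which is neither the page's convention nor the name shown in the Group Policy editor ("Do not keep history of recently opened documents"). Use the exact editor name so readers can search for it, and apply the same pattern in the other includes, most of which stop at the category and omit the policy name altogether.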

View File

@ -0,0 +1,15 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Hide the notification area
This setting affects the notification area (previously called the "system tray") on the taskbar. Description: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. If this setting is enabled, the user?s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. If this setting is disabled or isn't configured, the notification area is shown in the user's taskbar. Note: Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there's no need to clean up the icons.
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
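Review bot: the description paragraph carries a leftover "Description:" label mid-sentence and a mis-encoded apostrophe in "user?s", and the GPO row stops at the category without the policy name while the CSP row is "Not available", so the reader is left with no identifier for the setting at all. Drop the label, fix the apostrophe, and append the policy name ("Hide the notification area") to the GPO path; the same structure as the other includes (an enable bullet and a disable/not-configured bullet) would also make the paragraph easier to scan.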

View File

@ -0,0 +1,15 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Hide the TaskView button
This policy setting allows you to hide the TaskView button. If you enable this policy setting, the TaskView button is hidden and the Settings toggle disabled.
| | Path |
|--|--|
| **CSP** |- `./Device/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) <br><br>- `./User/Vendor/MSFT/Policy/Config/Start/`[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) |
| **GPO** |- **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Lock all taskbar settings
With this policy setting you lock all taskbar settings.
- If you enable this policy setting, the user can't access the taskbar control panel. The user can't resize, move, or rearrange toolbars on their taskbar
- If you disable or don't configure this policy setting, the user can set any taskbar setting that isn't prevented by another policy setting
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,15 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Lock the Taskbar
This setting affects the taskbar, which is used to switch between running applications. The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it's locked, it can't be moved or resized. If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, autohide and other taskbar options are still available in Taskbar properties. If you disable this setting or don't configure it, the user can configure the taskbar position. Note: Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user can't show and hide various toolbars using the taskbar context menu.
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Prevent changes to Taskbar and Start Menu Settings
With this policy setting you prevent changes to taskbar and Start settings.
- If you enable this policy setting, the user can't open the Taskbar properties dialog box. If the user right-clicks the taskbar and then selects Properties, a message appears explaining that a setting prevents the action
- If you disable or don't configure this policy setting, the Taskbar and Start menu items are available from Settings on the Start menu
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Prevent grouping of taskbar items
Taskbar grouping consolidates similar applications when there's no room on the taskbar. It kicks in when the user's taskbar is full.
- If you enable this policy setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled
- If you disable or don't configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
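Review bot: "By default, this setting is always enabled" in the enable bullet contradicts the next bullet, which says that when the setting is disabled or not configured items are grouped, meaning the default is grouping on and the policy off. The sentence appears to be carried over verbatim from the policy text; reword it to say that grouping is on by default and that users can turn it off themselves unless this policy is enabled.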

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Prevent users from adding or removing toolbars
With this policy setting you prevent users from adding or removing toolbars.
- If you enable this policy setting, the user isn't allowed to add or remove any toolbars to the taskbar. Applications can't add toolbars either
- If you disable or don't configure this policy setting, the users and applications can add toolbars to the taskbar
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Prevent users from moving taskbar to another screen dock location
With this policy setting you prevent users from moving taskbar to another screen dock location.
- If you enable this policy setting, users can't drag their taskbar to another area of the monitor(s)
- If you disable or don't configure this policy setting, users can drag their taskbar to another area of the monitor, unless prevented by another policy setting
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Prevent users from rearranging toolbars
With this policy setting you prevent users from rearranging toolbars.
- If you enable this policy setting, users can't drag or drop toolbars to the taskbar
- If you disable or don't configure this policy setting, users can rearrange the toolbars on the taskbar
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Prevent users from resizing the taskbar
With this policy setting you prevent users from resizing the taskbar.
- If you enable this policy setting, users can't resize their taskbar
- If you disable or don't configure this policy setting, users can resize their taskbar, unless prevented by another setting
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,20 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove access to the context menus for the taskbar
With this policy setting you can remove access to the context menus for the taskbar.
- If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden. For example the Start button, the clock, and the taskbar buttons.
- If you disable or don't configure this policy setting, the context menus for the taskbar are available
This policy setting doesn't prevent users from using other methods to issue the commands that appear on these menus.
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,16 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove Clock from the system notification area
- If you enable this policy setting, the clock isn't displayed in the system notification area
- If you disable or don't configure this policy setting, the default behavior accur, and the clock appears in the notification area
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
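Review bot: typo in the disable bullet, "the default behavior accur" should read "the default behavior occurs" (or simply "the clock appears in the notification area"). The include also lacks the one-line description the other includes open with; a sentence such as "With this policy setting you can remove the clock from the system notification area" would match them.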

View File

@ -0,0 +1,20 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove Notifications and Action Center
This policy setting removes *Notifications* and *Action Center* from the notification area on the taskbar.
The notification area is located at the far right end of the taskbar, and includes icons for current notifications and the system clock.
- If this setting is enabled, Notifications and Action Center aren't displayed in the notification area. The user can read notifications when they appear, but they can't review any notifications they miss
- If you disable or don't configure this policy setting, Notification and Security and Maintenance are displayed on the taskbar
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
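Review bot: the disable bullet says "Notification and Security and Maintenance are displayed" while the title and the enable bullet call the same elements "Notifications and Action Center"; use one name throughout, and say explicitly that missed notifications are still logged in the notification history only if that is the case, since "can't review any notifications they miss" is the behaviour a reader will want confirmed.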

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove pinned programs from the Taskbar
This policy setting allows you to remove pinned programs from the taskbar.
- If you enable this policy setting, pinned programs are removed from the taskbar. Users can't pin programs to the taskbar
- If you disable or don't configure this policy setting, users can pin programs so that the program shortcuts stay on the taskbar
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | - **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**<br><br>- **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,20 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove Quick Settings
This policy setting removes Quick Settings from the bottom right area on the taskbar. The Quick Settings area is located at the left of the clock in the taskbar and includes icons for current network and volume.
If this setting is enabled, Quick Settings isn't displayed in the Quick Settings area.
> [!NOTE]
> A reboot is required for this policy setting to take effect.
| | Path |
|--|--|
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[DisableControlCenter](/windows/client-management/mdm/policy-csp-start#disablecontrolcenter) |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
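Review bot: only the enable branch is described; the other includes give both branches, so add "If you disable or don't configure this policy setting, Quick Settings is displayed at the left of the clock". The first sentence also places Quick Settings in "the bottom right area" and then "at the left of the clock", which is the same spot described twice; keep one. The CSP row lists only the `./User` scope for `DisableControlCenter`; if that is intentional, a short note that the setting is user-scoped only would stop readers from trying the `./Device` path.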

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove the battery meter
With this policy setting you can remove the battery meter from the system control area.
- If you enable this policy setting, the battery meter isn't displayed in the system notification area
- If you disable or don't configure this policy setting, the battery meter is displayed in the system notification area
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove the Meet Now icon
With this policy setting allows you can remove the Meet Now icon from the system control area.
- If you enable this policy setting, the Meet Now icon isn't displayed in the system notification area
- If you disable or don't configure this policy setting, the Meet Now icon is displayed in the system notification area
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
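Review bot: grammar in the opening sentence, "With this policy setting allows you can remove the Meet Now icon" should read "With this policy setting you can remove the Meet Now icon" to match the wording used in the battery-meter and networking-icon includes.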

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove the networking icon
With this policy setting you can remove the networking icon from the system control area.
- If you enable this policy setting, the networking icon isn't displayed in the system notification area
- If you disable or don't configure this policy setting, the networking icon is displayed in the system notification area
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,15 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove the People Bar from the taskbar
With this policy allows you can remove the People Bar from the taskbar and disables the My People experience. If you enable this policy setting, the people icon is removed from the taskbar, the corresponding settings toggle is removed from the taskbar settings page, and users can't pin people to the taskbar.
| | Path |
|--|--|
| **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/`[HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
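Review bot: grammar in the opening sentence, "With this policy allows you can remove the People Bar" should read "With this policy setting you can remove the People Bar". The include also runs the description and the enable behaviour into one sentence; splitting it into the enable bullet plus a disable/not-configured bullet would match the rest of the set.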

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Remove the volume control icon
With this policy setting you can remove the volume control icon from the system control area.
- If you enable this policy setting, the volume control icon isn't displayed in the system notification area
- If you disable or don't configure this policy setting, the volume control icon is displayed in the system notification area
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Show additional calendar
By default, the calendar is set according to the locale of the operating system, and users can show an additional calendar.
- For `zh-CN` and `zh-SG` locales, an additional calendar shows the lunar month and date and holiday names in Simplified Chinese (Lunar) by default
- For `zh-TW`, `zh-HK`, and `zh-MO` locales, an additional calendar shows the lunar month and date and holiday names in Traditional Chinese (Lunar) by default
- If you enable this policy setting, users can show an additional calendar in either Simplified Chinese (Lunar) or Traditional Chinese (Lunar), regardless of the locale
- If you disable this policy setting, users can't show an additional calendar, regardless of the locale
- If you don't configure this policy setting, the calendar will be set according to the default logic
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,16 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Simplify Quick Settings Layout
- If you enable this policy, Quick Settings is reduced to only having the Wi-Fi, Bluetooth, Accessibility, and VPN buttons. The brightness slider, volume slider, and battery indicator and link to the Settings app
- If you disable or don't configure this policy setting, the regular Quick Settings layout appears whenever Quick Settings is invoked
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[SimplifyQuickSettings](/windows/client-management/mdm/policy-csp-start#simplifyquicksettings) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |
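Review bot: the second sentence of the enable bullet is a fragment, "The brightness slider, volume slider, and battery indicator and link to the Settings app", with no verb, so a reader cannot tell whether those controls are kept or removed in the simplified layout. State it explicitly, for example "... are also shown" or "... are removed", whichever the policy actually does, since the difference is exactly what an administrator locking down a kiosk or shared device needs to know.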

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Turn off automatic promotion of notification icons to the taskbar
With this policy setting you can turn off automatic promotion of notification icons to the taskbar.
- If you enable this policy setting, newly added notification icons aren't temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel.
- If you disable or don't configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,21 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Turn off notification area cleanup
This setting affects the notification area, also called the *system tray*. The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications.
This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup `<<` icon can be referred to as the *notification chevron*.
- If you enable this setting, the system notification area expands to show all of the notifications that use this area
- If you disable this setting, the system notification area always collapses notifications
- If you don't configure it, the user can choose if they want notifications collapsed or expanded
| | Path |
|--|--|
| **CSP** | Not available. |
| **GPO** | **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** |

View File

@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 04/11/2024
ms.topic: include
---
### Turn off Windows Copilot
This policy setting allows you to turn off Windows Copilot.
- If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either
- If you disable or don't configure this policy setting, users can use Copilot, if available
| | Path |
|--|--|
| **CSP** | `./User/Vendor/MSFT/Policy/Config/WindowsAI/`[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) |
| **GPO** | **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Copilot** |

View File

@ -2,588 +2,104 @@
title: Configure the Windows taskbar title: Configure the Windows taskbar
description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
ms.topic: how-to ms.topic: how-to
ms.date: 08/18/2023 ms.date: 04/17/2024
appliesto: appliesto:
zone_pivot_groups: windows-versions-11-10 zone_pivot_groups: windows-versions-11-10
--- ---
# Configure the Windows taskbar # Configure the Windows taskbar
::: zone pivot="windows-10" The Windows taskbar is an essential component of the Windows operating system. The taskbar acts as a versatile platform for multitasking and quick access to applications and system notifications. For organizations, the ability to customize the taskbar's layout and features through policy settings is invaluable, especially in scenarios where specific roles or functions require streamlined access to certain tools and programs.
Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `<TaskbarLayout>` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar.
> [!NOTE]
> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout.
You can specify different taskbar configurations based on device locale and region. There's no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application).
If you specify an app to be pinned that isn't provisioned for the user on the computer, the pinned icon won't appear on the taskbar.
The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, starting to the right of any existing apps pinned by the user.
> [!NOTE]
> In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square).
![Windows left, user center, enterprise to the right.](images/taskbar-generic.png)
## Configure taskbar (general)
To configure the taskbar:
1. Create the XML file
- If you're also [customizing the Start layout](../start/layout.md), use `Export-StartLayout` to create the XML, and then add the `<CustomTaskbarLayoutCollection>` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file.
- If you're only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file
1. Edit and save the XML file. You can use [AUMID](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar
- Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>.
- Use `<taskbar:UWA>` and [AUMID](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps
- Use `<taskbar:DesktopApp>` and Desktop Application Link Path to pin desktop applications
1. Apply the layout modification XML file to devices using Group Policy or a provisioning package.
>[!IMPORTANT]
>If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
>
>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](../start/layout.md), users can make changes to the taskbar and to tile groups not defined in the partial Start layout.
### Tips for finding AUMID and Desktop Application Link Path
In the layout modification XML file, you'll need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path.
The easiest way to find this data for an application is to:
1. Pin the application to the Start menu on a reference or testing PC
1. Open Windows PowerShell and run the `Export-StartLayout` cmdlet
1. Open the generated XML file
1. Look for an entry corresponding to the app you pinned
1. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`
### Sample taskbar configuration XML file
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
### Sample taskbar configuration added to Start layout XML file
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<LayoutOptions StartTileGroupCellWidth="6" StartTileGroupsColumnCount="1" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
<start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
## Keep default apps and add your own
The `<CustomTaskbarLayoutCollection>` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%appdata%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
**Before:**
![default apps pinned to taskbar.](images/taskbar-default.png)
**After:**
![additional apps pinned to taskbar.](images/taskbar-default-plus.png)
## Remove default apps and add your own
By adding `PinListPlacement="Replace"` to `<CustomTaskbarLayoutCollection>`, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar.
If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
**Before:**
![Taskbar with default apps.](images/taskbar-default.png)
**After:**
![Taskbar with default apps removed.](images/taskbar-default-removed.png)
## Remove default apps
By adding `PinListPlacement="Replace"` to `<CustomTaskbarLayoutCollection>`, you remove all default pinned apps.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="#leaveempty"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
## Configure taskbar by country or region
The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there's no `<TaskbarPinList>` node with a region tag for the current region, the first `<TaskbarPinList>` node that has no specified region will be applied. When you specify one or more countries or regions in a `<TaskbarPinList>` node, the specified apps are pinned on computers configured for any of the specified countries or regions.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout region="US|UK">
<taskbar:TaskbarPinList >
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"/>
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout region="DE|FR">
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"/>
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"/>
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK:
![taskbar for US and UK locale.](images/taskbar-region-usuk.png)
The resulting taskbar for computers in Germany or France:
![taskbar for DE and FR locale.](images/taskbar-region-defr.png)
The resulting taskbar for computers in any other country region:
![taskbar for all other regions.](images/taskbar-region-other.png)
> [!NOTE]
> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20))
## Layout Modification Template schema definition
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:local="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
targetNamespace="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
elementFormDefault="qualified">
<xsd:complexType name="ct_PinnedUWA">
<xsd:attribute name="AppUserModelID" type="xsd:string" />
</xsd:complexType>
<xsd:complexType name="ct_PinnedDesktopApp">
<xsd:attribute name="DesktopApplicationID" type="xsd:string" />
<xsd:attribute name="DesktopApplicationLinkPath" type="xsd:string" />
</xsd:complexType>
<xsd:complexType name="ct_TaskbarPinList">
<xsd:sequence>
<xsd:choice minOccurs="1" maxOccurs="unbounded">
<xsd:element name="UWA" type="local:ct_PinnedUWA" />
<xsd:element name="DesktopApp" type="local:ct_PinnedDesktopApp" />
</xsd:choice>
</xsd:sequence>
<xsd:attribute name="Region" type="xsd:string" use="optional" />
</xsd:complexType>
<xsd:simpleType name="st_TaskbarPinListPlacement">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="Append" />
<xsd:enumeration value="Replace" />
</xsd:restriction>
</xsd:simpleType>
<xsd:attributeGroup name="ag_SelectionAttributes">
<xsd:attribute name="SKU" type="xsd:string" use="optional"/>
<xsd:attribute name="Region" type="xsd:string" use="optional"/>
</xsd:attributeGroup>
<xsd:complexType name="ct_TaskbarLayout">
<xsd:sequence>
<xsd:element name="TaskbarPinList" type="local:ct_TaskbarPinList" minOccurs="1" maxOccurs="1" />
</xsd:sequence>
<xsd:attributeGroup ref="local:ag_SelectionAttributes"/>
</xsd:complexType>
</xsd:schema>
```
::: zone-end
::: zone pivot="windows-11" ::: zone pivot="windows-11"
> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). :::image type="content" source="images/taskbar-11.png" alt-text="Screenshot of the Windows 11 taskbar." border="false" lightbox="./images/taskbar-11.png":::
Your organization can deploy a customized taskbar to your Windows devices. Customizing the taskbar is common when your organization uses a common set of apps, or wants to bring attention to specific apps. You can also remove the default pinned apps.
For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more on the taskbar.
To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs.
This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons).
## Before you begin
- There isn't a limit on the number of apps that you can pin. In the XML file, add apps using the [Application User Model ID (AUMID)](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the app).
- There are some situations that an app pinned in your XML file won't be pinned in the taskbar. For example, if an app isn't approved or installed for a user, then the pinned icon won't show on the taskbar.
- The order of apps in the XML file dictates the order of pinned apps on the taskbar, from left to right, and to the right of any existing apps pinned by the user. If the OS is configured to use a right-to-left language, then the taskbar order is reversed.
- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. For more information, see [Application User Model ID (AUMID)](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article).
- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
- [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
- [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
## Create the XML file
1. In a text editor, such as Visual Studio Code, create a new XML file. To help you get started, you can copy and paste the following XML sample. The sample pins 2 apps to the taskbar - File Explorer and the Command Prompt:
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
1. In the `<taskbar:TaskbarPinList>` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps:
- `<taskbar:UWA>`: Select this option for UWP apps. Add the [AUMID](../kiosk/find-the-application-user-model-id-of-an-installed-app.md) of the UWP app.
- `<taskbar:DesktopApp>`: Select this option for desktop apps. Add the Desktop Application Link Path of the desktop app.
You can pin as many apps as you want. Just keep adding them to the list. Remember, the app order in the list is the same order the apps are shown on the taskbar.
For more information, see [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article).
1. In the `<CustomTaskbarLayoutCollection>` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`:
- `<CustomTaskbarLayoutCollection>`: Keeps the default pinned apps. After the default apps, the apps you add are pinned.
- `<CustomTaskbarLayoutCollection PinListPlacement="Replace">`: Unpins the default apps. Only the apps you add are pinned.
If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to `<taskbar:TaskbarPinList>`, include the default apps you still want pinned.
1. In the `<defaultlayout:TaskbarLayout>` node, use `region=" | "` to use different taskbar configurations based on the device locale and region.
In the following XML example, two regions are added: `US|UK` and `DE|FR`:
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout region="US|UK">
<taskbar:TaskbarPinList >
<taskbar:DesktopApp DesktopApplicationID="MSEdge"/>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.WINWORD.EXE.15" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"/>
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout region="DE|FR">
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.WINWORD.EXE.15" />
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.EXCEL.EXE.15" />
<taskbar:UWA AppUserModelID="Microsoft.WindowsTerminal_8wekyb3d8bbwe!App" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Office.WINWORD.EXE.15" />
<taskbar:UWA AppUserModelID="Microsoft.WindowsTerminal_8wekyb3d8bbwe!App" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
The taskbar applies when:
- If the `<TaskbarPinList>` node has a country or region, then the apps are pinned on devices configured for that country or region.
- If the `<TaskbarPinList>` node doesn't have a region tag for the current region, then the first `<TaskbarPinList>` node with no region is applied.
1. Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices.
## Use Group Policy or MDM to create and deploy a taskbar policy
Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Intune.
This section shows you how to deploy the XML both ways.
### Use Group Policy to deploy your XML file
Use the following steps to add your XML file to a group policy, and apply the policy:
1. Open your policy editor. For example, open Group Policy Management Console (GPMC) for domain-based group policies, or open `gpedit` for local policies.
1. Go to one of the following policies:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
1. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled.
Your policy looks like the following policy:
:::image type="content" source="images/start-layout-group-policy.png" alt-text="Add your taskbar layout XML file to the Start Layout policy on Windows devices.":::
The `User Configuration\Administrative Templates\Start Menu and Taskbar` policy includes other settings that control the taskbar. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices.
1. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes.
For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/).
### Create a Microsoft Intune policy to deploy your XML file
MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list.
Use the following steps to create an Intune policy that deploys your taskbar XML file:
1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Devices** > **Configuration profiles** > **Create profile**.
1. Enter the following properties:
- **Platform**: Select **Windows 10 and later**.
- **Profile type**: Select **Templates** > **Device restrictions** > **Create**.
1. In **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Win11: Custom taskbar**.
- **Description**: Enter a description for the profile. This setting is optional, and recommended.
1. Select **Next**.
1. In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file.
1. Select **Next**, and configure the rest of the policy settings. For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure).
1. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time.
For more information and guidance on assigning policies using Microsoft Intune, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
> [!NOTE]
> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
## Get the AUMID and Desktop app link path
In the layout modification XML file, you add apps in the XML markup. To pin an app, you enter the AUMID or Desktop Application Link Path. The easiest way to find this app information is to use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) Windows PowerShell cmdlet:
1. On an existing Windows 11 device, pin the app to the Start menu.
1. Create a folder to save an output file. For example, create the `C:\Layouts` folder.
1. Open the Windows PowerShell app, and run the following cmdlet:
```powershell
Export-StartLayout -Path "C:\Layouts\GetIDorPath.xml"
```
1. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file.
## Pin order for all apps
On a taskbar, the following apps are typically pinned:
- Apps pinned by the user
- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Microsoft Store.
- Apps pinned by your organization, such as in an unattended Windows setup.
In an unattended Windows setup file, use the XML file you created in this article. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks).
Apps are pinned in the following order:
1. Windows default apps are pinned first.
1. User-pinned apps are pinned after the Windows default apps.
1. XML-pinned apps are pinned after the user-pinned apps.
If the OS is configured to use a right-to-left language, then the taskbar order is reversed.
## OS install and upgrade
- On a clean install of the Windows client, if you apply a taskbar layout, the following apps are pinned to the taskbar:
- Apps you specifically add
- Any default apps you don't remove
After the taskbar layout is applied, users can pin more apps, change the order, and unpin apps.
- On a Windows client upgrade, apps are already pinned to the taskbar. These apps may have been pinned by a user, by an image, or by using Windows unattended setup. For upgrades, the taskbar layout applies the following behavior:
- If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps.
- If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned.
- If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps.
- New apps in updated layout file are pinned after the user's pinned apps.
After the layout is applied, users can pin more apps, change the order, and unpin apps.
::: zone-end ::: zone-end
<!-- form Start article to move ::: zone pivot="windows-10"
Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default. :::image type="content" source="images/taskbar-10.png" alt-text="Screenshot of the Windows 10 taskbar." border="false" lightbox="./images/taskbar-10.png":::
> **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu) ::: zone-end
>
> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
For the **taskbar**, you can use the same XML file as the start screen. Or, you can create a new XML file. When you have the XML file, add this file to a group policy or a provisioning package. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the taskbar settings you configured in the XML file. For example, students can benefit from a customized taskbar that can provide access to educational tools and resources, minimizing distractions and optimizing the learning environment.
## Taskbar options Frontline workers, who often operate in fast-paced and dynamic settings, can benefit from a taskbar that is configured to provide immediate access to the most critical applications and functions they need. The taskbar customization can streamline workflows and enhance productivity by reducing the time spent navigating through unnecessary applications or menus.
There are three app categories that could be pinned to a taskbar: Kiosks, which are designed for public use, can also take advantage of taskbar customization to offer a simplified and focused interface. This can help users quickly find the information or services they're looking for, which is useful in environments like retail, information centers, or public service areas.
- Apps pinned by the user Overall, the ability to customize the Windows taskbar using policy settings enables organizations to create a more controlled, efficient, and user-friendly computing environment tailored to the specific needs of different user groups.
- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Store
- Apps pinned by your organization, such as in an unattended Windows setup
In an unattended Windows setup file, it's recommended to use the [layoutmodification.xml method](../taskbar/configure.md) to configure the taskbar options. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). ## Taskbar structure
The following example shows how apps are pinned. In OS configured to use a right-to-left language, the taskbar order is reversed: The Windows taskbar consists of several key components that can be customized to meet the needs of different scenarios.
- Windows default apps to the left (blue circle) ::: zone pivot="windows-11"
- Apps pinned by the user in the center (orange triangle)
- Apps that you pin using XML to the right (green square)
![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) Let's review the components of the Windows taskbar by dividing it into three areas:
If you apply the taskbar configuration to a clean install or an update, users can still: 1. The *left area* contains Widgets, which provide personalized news, weather, and other information
1. The *center area* contains:
1. Start menu
1. Search
1. Task view
1. Pinned and running apps
1. The *right area* contains:
1. The system tray, which displays icons like the pen menu, touch keyboard, virtual touchpad, and any application icons that are running in the background like OneDrive, Teams, or antivirus software
1. Quick Actions
1. Calendar
1. Action Center
1. Copilot
- Pin more apps :::image type="content" source="images/taskbar-sections-11.png" alt-text="Screenshot of the Windows 11 taskbar with the three areas highlighted." border="false" lightbox="./images/taskbar-sections-11.png":::
- Change the order of pinned apps
- Unpin any app
> [!TIP] ::: zone-end
> In Windows 10 version 1703, you can apply the `Start/NoPinningToTaskbar` MDM policy. This policy prevents users from pinning and unpinning apps on the taskbar.
### Taskbar configuration applied to clean install of Windows 10 ::: zone pivot="windows-10"
In a clean install, if you apply a taskbar layout, only the following apps are pinned to the taskbar: Let's review the components of the Windows taskbar by dividing it into two areas:
- Apps you specifically add 1. The *left area* contains:
- Any default apps you don't remove - Start menu
- Search
- Cortana
- Task view
- Pinned and running apps
After the layout is applied, users can pin more apps to the taskbar. 1. The *right area* contains:
- People
- News and interests
- The system tray, which displays icons like the pen menu, touch keyboard, virtual touchpad, power, network, volume, and any application icons that are running in the background like OneDrive, Teams, or antivirus software
- Calendar
- Action center
- Copilot
If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. :::image type="content" source="images/taskbar-sections-10.png" alt-text="Screenshot of the Windows 11 taskbar with the two areas highlighted." border="false" lightbox="./images/taskbar-sections-10.png":::
-->
::: zone-end
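Review bot: the HTML comment opened at `<!-- form Start article to move` carries a large block of the previous Windows 10/11 guidance in the page source, and the marker itself has a typo (`form` should be `from`). Commented-out content is invisible to readers but still has to be maintained, and from the rendered diff it is hard to tell which of the `## Taskbar structure` lines sit inside the comment. That block also contains the image directive for `images/taskbar-sections-10.png` with alt text `Screenshot of the Windows 11 taskbar with the two areas highlighted.`, which names Windows 11 for the Windows 10 screenshot. Suggest deleting the commented block if the content now lives in the Start article, or, if the taskbar-structure text is meant to render, moving it out of the comment and changing the alt text to `Windows 10 taskbar`.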
## Configuration options
There are several options to configure the Windows taskbar.
If you need to configure a device for a single user, you can pin/unpin applications to the taskbar and rearrange them. The taskbar can be further customized from Settings. Go to **Settings** > **Personalization** > **[Taskbar](ms-settings:taskbar)**.
For advanced customizations and when you need to configure multiple devices, you can use one of the following options:
- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md#csps-in-windows-configuration-designer), which are used at deployment time or for unmanaged devices. To configure the taskbar, use the [Start Policy CSP][WIN-1]
- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and not managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
> [!NOTE]
> While many of the taskbar policy settings can be configured using both CSP and GPO, there are some settings that are exclusive to one or the other. To learn about the available policy settings to configure the Start menu via CSP and GPO, see [Taskbar policy settings](policy-settings.md).
## Next steps
In the next sections, you can learn more about the options available to configure Start menu settings using the Configuration Service Provider (CSP) and Group Policy (GPO):
- [Taskbar policy settings](policy-settings.md)
- [Configure the taskbar pinned applications](pinned-apps.md)
<!--links-->
[WIN-1]: /windows/client-management/mdm/policy-csp-start
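Review bot: the note under `## Configuration options` and the `## Next steps` intro still refer to the Start menu (`To learn about the available policy settings to configure the Start menu via CSP and GPO` and `configure Start menu settings using the Configuration Service Provider`), but this page and the linked `policy-settings.md` and `pinned-apps.md` are about the taskbar; suggest `configure the taskbar` in both places. The CSP bullet also says `use the [Start Policy CSP][WIN-1]`, which resolves to `/windows/client-management/mdm/policy-csp-start`; worth confirming that is the intended CSP for the taskbar settings rather than a leftover from the Start article this text was adapted from.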

View File

@ -0,0 +1,233 @@
---
title: Configure the applications pinned to the taskbar
description: Learn how to configure the applications pinned to the Windows taskbar.
ms.topic: how-to
ms.date: 04/17/2024
appliesto:
zone_pivot_groups: windows-versions-11-10
---
# Configure the applications pinned to the taskbar
The configuration of the applications pinned to the taskbar is done with the use of an XML file. This article describes how to create and deploy the XML configuration file.
> [!NOTE]
> If you are looking for OEM information, see the article [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar).
To learn about all the policy settings to customize the taskbar layout and configure the taskbar behaviors, see [Taskbar policy settings](policy-settings.md).
## Before you begin
Here are some considerations before you start configuring the taskbar pinned applications:
- There's no limit to the number of apps that you can pin
- In the XML file, add apps using the Application User Model ID (AUMID), the Desktop Application ID, or the Desktop Application Link Path
- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Make sure to enter the correct Application ID. To learn more, see [Find the Application User Model ID of an installed app](../store/find-aumid.md)
- If you specify an app to be pinned that isn't provisioned for the user on the device, the pinned icon doesn't appear on the taskbar
- The order of applications in the XML file dictates the order of pinned apps on the taskbar, from left to right. If the OS is configured to use a right-to-left language, then the taskbar order is reversed
- Applications can be pinned using the following methods:
- Default Windows apps, pinned during the OS installation. For example: Microsoft Edge, File Explorer, and Store. These applications are pinned first (blue square)
- Pinned manually by the user. These applications are usually pinned next to the default pinned apps (red circle)
- Pinned via policy settings. These applications are pinned after the apps pinned manually by the user (green triangle)
::: zone pivot="windows-10"
:::image type="content" source="images/pin-layout-10.png" border="false" lightbox="images/pin-layout-10.png" alt-text="Screenshot of the taskbar with Windows default pinned apps, user pinned apps, and policy-pinned apps.":::
::: zone-end
::: zone pivot="windows-11"
:::image type="content" source="images/pin-layout-11.png" border="false" lightbox="images/pin-layout-11.png" alt-text="Screenshot of the taskbar with Windows default pinned apps, user pinned apps, and policy-pinned apps.":::
::: zone-end
## Configuration steps
The following steps describe how to configure the taskbar pinned applications using policy settings:
1. Create the XML file. You can start with the [XML example](#taskbar-layout-example)
1. Edit the XML file to meet your requirements and save it
1. Deploy the XML file to devices using configuration service provider (CSP), provisioning packages (PPKG), or group policy (GPO)
>[!IMPORTANT]
>If you use a provisioning package or `import-startlayout` to configure the taskbar, your configuration will be reapplied each time the `explorer.exe` process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using CSP or GPO.
::: zone pivot="windows-10"
>[!NOTE]
>If you use GPO and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use GPO and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a partial Start layout, users can make changes to the taskbar and to tile groups not defined in the partial Start layout.
>
> For more information, see [Configure the Start menu](../start/index.md).
::: zone-end
## Taskbar layout example
Here you can find an example of taskbar layout that you can use as a reference:
[!INCLUDE [example](includes/example.md)]
### Modify the configuration file
> [!CAUTION]
> When you make changes to the XML file, be aware that the XML format must adhere to an [XML schema definition (XSD)](xsd.md).
You can change the apps pinned to the taskbar by modifying the `<TaskbarLayout>` node.
1. In the `<taskbar:TaskbarPinList>` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps:
- `<taskbar:UWA>`: Select this option for UWP apps. Add the *AUMID* of the UWP app
- `<taskbar:DesktopApp>`: Select this option for desktop apps. Add the *Desktop Application ID* or the *Desktop Application Link Path* of the desktop app
1. In the `<CustomTaskbarLayoutCollection>` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`:
- `<CustomTaskbarLayoutCollection>`: Keeps the default pinned apps. After the default apps, the apps you add are pinned
- `<CustomTaskbarLayoutCollection PinListPlacement="Replace">`: Unpins the default apps. Only the apps you add are pinned. If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to `<taskbar:TaskbarPinList>`, include the default apps you still want pinned
1. In the `<defaultlayout:TaskbarLayout>` node, use `region=" | "` to use different taskbar configurations based on the device locale and region
1. Save the file
For practical examples of how to add, remove, or replace pinned apps, see the following sections:
- [Add pins](#example-add-pins)
- [Remove default pins](#example-remove-pins)
- [Replace default pins](#example-replace-pins)
- [Configure the taskbar by country or region](#example-configure-the-taskbar-by-country-or-region)
#### Example: add pins
The `<CustomTaskbarLayoutCollection>` section appends the listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt.
[!INCLUDE [example-add-pins](includes/example-add-pins.md)]
**Before and after:**
::: zone pivot="windows-11"
:::image type="content" source="images/pin-add-11.png" alt-text="Screenshot of the Windows 11 taskbar, before and after adding pins." border="false" lightbox="./images/pin-add-11.png":::
::: zone-end
::: zone pivot="windows-10"
:::image type="content" source="images/pin-add-10.png" alt-text="Screenshot of the Windows 10 taskbar, before and after adding pins." border="false" lightbox="./images/pin-add-10.png":::
::: zone-end
#### Example: remove pins
To remove all pins, add `PinListPlacement="Replace"` to `<CustomTaskbarLayoutCollection>`.
[!INCLUDE [example-remove-pins](includes/example-remove-pins.md)]
**Before and after:**
::: zone pivot="windows-11"
:::image type="content" source="images/pin-remove-11.png" alt-text="Screenshot of the Windows 11 taskbar, before and after removing pins." border="false" lightbox="images/pin-remove-11.png":::
::: zone-end
::: zone pivot="windows-10"
:::image type="content" source="images/pin-remove-10.png" alt-text="Screenshot of the Windows 10 taskbar, before and after removing pins." border="false" lightbox="images/pin-remove-10.png":::
::: zone-end
#### Example: replace pins
To replace all default pins and add your own pins, add `PinListPlacement="Replace"` to `<CustomTaskbarLayoutCollection>`. Then, add the pins that you want to `TaskbarPinList`.
[!INCLUDE [example-replace-pins](includes/example-replace-pins.md)]
**Before and after:**
::: zone pivot="windows-11"
:::image type="content" source="images/pin-replace-11.png" alt-text="Screenshot of the Windows 11 taskbar, before and after replacing pins." border="false" lightbox="images/pin-replace-11.png":::
::: zone-end
::: zone pivot="windows-10"
:::image type="content" source="images/pin-replace-10.png" alt-text="Screenshot of the Windows 10 taskbar, before and after replacing pins." border="false" lightbox="images/pin-replace-10.png":::
::: zone-end
#### Example: configure the taskbar by country or region
In the following XML example, two regions are added: `US|UK` and `DE|FR|IT`:
[!INCLUDE [example](includes/example-region.md)]
- If the `<TaskbarPinList>` node has region matching the one configured on the device, then the configuration applies
- If the `<TaskbarPinList>` node doesn't have a region matching the one configured on the device, then the first `<TaskbarPinList>` node without region applies
> [!NOTE]
> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20))
## Deploy the taskbar configuration
[!INCLUDE [tab-intro](../../../includes/configure/tab-intro.md)]
#### [:::image type="icon" source="../images/icons/intune.svg"::: **Intune/CSP**](#tab/intune)
To configure devices with Microsoft Intune, [create a Settings catalog policy](/mem/intune/configuration/settings-catalog) and use one of the following settings:
| Category | Setting name | Value |
|--|--|--|
| **Start** | Start Layout | Content of the XML file|
| **Start** | Start Layout (User) | Content of the XML file|
[!INCLUDE [intune-settings-catalog-2](../../../includes/configure/intune-settings-catalog-2.md)]
Alternatively, you can configure devices using a [custom policy][MEM-1] with the [Start CSP][WIN-1]. Use one of the following settings:
| Setting |
|--|
| - **OMA-URI:** `./User/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **String:** <br>- **Value:** content of the XML file |
| - **OMA-URI:** `./Device/Vendor/MSFT/Policy/Config/Start/`[StartLayout](/windows/client-management/mdm/policy-csp-Start#startlayout)<br>- **Data type:** <br>- **Value:** content of the XML file |
[!INCLUDE [intune-custom-settings-2](../../../includes/configure/intune-custom-settings-2.md)]
#### [:::image type="icon" source="../images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
[!INCLUDE [provisioning-package-1](../../../includes/configure/provisioning-package-1.md)]
- **Path:** `Policies/Start/StartLayout`
- **Value:** content of the XML file
> [!NOTE]
> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*.
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
#### [:::image type="icon" source="../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
To configure a device with group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and use one of the following settings:
| Group policy path | Group policy setting | Value |
| - | - | - |
|**Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar**| Start Layout | Path to the XML file |
|**User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**| Start Layout | Path to the XML file |
[!INCLUDE [gpo-settings-2](../../../includes/configure/gpo-settings-2.md)]
The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
---
## User experience
After the taskbar layout is applied, the users must sign out and sign in again to see the new layout. Unless prohibited via policy settings, users can pin more apps, change the order, and unpin apps from the taskbar.
### OS install and upgrade experience
On a clean install of Windows, if you apply a taskbar layout, the following apps are pinned to the taskbar:
- Any default apps you don't remove
- Apps that you specifically pin in the XML file
On a Windows OS upgrade, apps are already pinned to the taskbar. The taskbar layout applies the following logic:
- If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps
- If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned
- If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps
- New apps in updated layout file are pinned after the user's pinned apps
If you apply the taskbar configuration to a clean install or an update, users can still:
- Pin more apps
- Change the order of pinned apps
- Unpin any app
## Next steps
Learn more about the options available to configure Start menu settings using the Configuration Service Provider (CSP) and Group Policy (GPO):
- [Taskbar policy settings](policy-settings.md)
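Review bot: In the custom policy table under the Intune/CSP tab, the data-type field is left empty in both rows and labelled inconsistently (`- **String:** <br>` in the User row, `- **Data type:** <br>` in the Device row); both rows should read `- **Data type:** String` so the reader knows which type to select for the custom OMA-URI setting. Two smaller points in the same file: the Next steps paragraph says "configure Start menu settings" although this article and its only link (Taskbar policy settings) are about the taskbar, so it should say taskbar settings; and the `appliesto:` key in the front matter has no entries, so either list the Windows 11 and Windows 10 entries that the zone pivots cover or drop the key.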

@ -1,101 +1,186 @@
--- ---
title: Supported CSP policies to customize the Taskbar on Windows 11 title: Taskbar policy settings
description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. description: Learn about the policy settings to configure the Windows taskbar.
ms.date: 12/31/2017 ms.topic: reference
ms.topic: article ms.date: 04/17/2024
appliesto: appliesto:
- ✅ <a href=/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> zone_pivot_groups: windows-versions-11-10
--- ---
# Supported configuration service provider (CSP) policies for Windows 11 taskbar # Taskbar policy settings
The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. This reference article outlines the policy settings available for customizing the Windows taskbar, using Configuration Service Provider (CSP) or group policy (GPO). For information about how to configure these settings, see [Configure the Windows taskbar](index.md).
For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). The settings are categorized and presented in alphabetical order to facilitate navigation and configuration.
## CSP policies to customize Windows 11 taskbar buttons 1. **Taskbar layout**: settings to control the taskbar layout and appearance
1. **Taskbar behaviors**: settings to control the taskbar behaviors and the users' allowed actions
- [Search/ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) Select one of the tabs to see the list of available settings:
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Search\Configures search on the taskbar`
- Local setting: Settings > Personalization > Taskbar > Search
- [Start/HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) #### [:::image type="icon" source="../images/icons/taskbar.svg"::: **Taskbar layout**](#tab/taskbar)
- Group policy: `Computer and User Configuration\Administrative Templates\Start Menu and Taskbar\Hide the TaskView button`
- Local setting: Settings > Personalization > Taskbar > Task view
- [NewsAndInterests/AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests)
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow widgets`
- Local setting: Settings > Personalization > Taskbar > Widgets
- [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#configurechaticonvisibilityonthetaskbar)
- Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat\Configure the Chat icon setting`
- Local setting: Settings > Personalization > Taskbar > Chat
## Existing CSP policies that Windows 11 taskbar supports
- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`
- Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar`
- Local setting: None
## Existing CSP policies that Windows 11 doesn't support
The following list includes some of the CSP policies that aren't supported on Windows 11:
- [ADMX_Taskbar/TaskbarLockAll](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarlockall)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings`
- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoaddremovetoolbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars`
- [ADMX_Taskbar/TaskbarNoDragToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnodragtoolbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars`
- [ADMX_Taskbar/TaskbarNoRedock](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoredock)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location`
- [ADMX_Taskbar/TaskbarNoResize](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoresize)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar`
- [ADMX_StartMenu/NoToolbarsOnTaskbar](/windows/client-management/mdm/policy-csp-admx-startmenu#notoolbarsontaskbar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar`
- [ADMX_StartMenu/NoTaskGrouping](/windows/client-management/mdm/policy-csp-admx-startmenu#notaskgrouping)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items`
- [ADMX_StartMenu/QuickLaunchEnabled](/windows/client-management/mdm/policy-csp-admx-startmenu#quicklaunchenabled)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar`
- [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar)
- Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar`
<!--
## Taskbar
[DisableControlCenter](/windows/client-management/mdm/policy-csp-start#disablecontrolcenter)
[HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar)
[HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton)
[NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar)
[SimplifyQuickSettings](/windows/client-management/mdm/policy-csp-start#simplifyquicksettings)
|[Prevent changes to Taskbar and Start Menu Settings](#prevent-changes-to-taskbar-and-start-menu-settings)|❌|✅|
[!INCLUDE [disable-editing-quick-settings](includes/disable-editing-quick-settings.md)]
::: zone pivot="windows-11" ::: zone pivot="windows-11"
|Policy name| CSP | GPO |
|Setting Name|CSP|GPO|
|-|-|-| |-|-|-|
|[Disable editing quick settings](#disable-editing-quick-settings)|✅|✅| |[Allow widgets](#allow-widgets)|✅|✅|
|[Configure Start layout](#configure-start-layout)|✅|✅|
|[Configures search on the taskbar](#configures-search-on-the-taskbar)|✅|✅|
|[Do not display or track items in Jump Lists from remote locations](#do-not-display-or-track-items-in-jump-lists-from-remote-locations)|❌|✅|
|[Hide recent jumplists](#hide-recent-jumplists)|✅|✅|
|[Hide the TaskView button](#hide-the-taskview-button)|✅|✅|
|[Remove Clock from the system notification area](#remove-clock-from-the-system-notification-area)|❌|✅|
|[Remove Notifications and Action Center](#remove-notifications-and-action-center)|❌|✅|
|[Remove pinned programs from the Taskbar](#remove-pinned-programs-from-the-taskbar)|❌|✅|
|[Remove Quick Settings](#remove-quick-settings)|✅|✅|
|[Show additional calendar](#show-additional-calendar)|❌|✅|
|[Simplify Quick Settings Layout](#simplify-quick-settings-layout)|✅|✅|
|[Turn off automatic promotion of notification icons to the taskbar](#turn-off-automatic-promotion-of-notification-icons-to-the-taskbar)|❌|✅|
|[Turn off Windows Copilot](#turn-off-windows-copilot)|✅|✅|
::: zone-end ::: zone-end
::: zone pivot="windows-10" ::: zone pivot="windows-10"
|Policy name| CSP | GPO |
|-|-|-|
::: zone-end |Setting Name|CSP|GPO|
|-|-|-|
|[Allow widgets](#allow-widgets)|✅|✅|
|[Configure Start layout](#configure-start-layout)|✅|✅|
|[Configures search on the taskbar](#configures-search-on-the-taskbar)|✅|✅|
|[Do not display or track items in Jump Lists from remote locations](#do-not-display-or-track-items-in-jump-lists-from-remote-locations)|❌|✅|
|[Hide recent jumplists](#hide-recent-jumplists)|✅|✅|
|[Hide the notification area](#hide-the-notification-area)|❌|✅|
|[Remove Clock from the system notification area](#remove-clock-from-the-system-notification-area)|❌|✅|
|[Remove Notifications and Action Center](#remove-notifications-and-action-center)|❌|✅|
|[Remove pinned programs from the Taskbar](#remove-pinned-programs-from-the-taskbar)|❌|✅|
|[Remove the battery meter](#remove-the-battery-meter)|❌|✅|
|[Remove the Meet Now icon](#remove-the-meet-now-icon)|❌|✅|
|[Remove the networking icon](#remove-the-networking-icon)|❌|✅|
|[Remove the People Bar from the taskbar](#remove-the-people-bar-from-the-taskbar)|✅|✅|
|[Remove the volume control icon](#remove-the-volume-control-icon)|❌|✅|
|[Show additional calendar](#show-additional-calendar)|❌|✅|
|[Turn off automatic promotion of notification icons to the taskbar](#turn-off-automatic-promotion-of-notification-icons-to-the-taskbar)|❌|✅|
|[Turn off notification area cleanup](#turn-off-notification-area-cleanup)|❌|✅|
|[Turn off Windows Copilot](#turn-off-windows-copilot)|✅|✅|
::: zone-end
[!INCLUDE [allow-widgets](includes/allow-widgets.md)]
[!INCLUDE [configure-start-layout](includes/configure-start-layout.md)]
[!INCLUDE [configures-search-on-the-taskbar](includes/configures-search-on-the-taskbar.md)]
[!INCLUDE [do-not-display-or-track-items-in-jump-lists-from-remote-locations](includes/do-not-display-or-track-items-in-jump-lists-from-remote-locations.md)]
::: zone pivot="windows-10"
[!INCLUDE [hide-the-notification-area](includes/hide-the-notification-area.md)]
::: zone-end
[!INCLUDE [hide-recent-jumplists](includes/hide-recent-jumplists.md)]
::: zone pivot="windows-11"
[!INCLUDE [hide-the-taskview-button](includes/hide-the-taskview-button.md)]
::: zone-end
[!INCLUDE [remove-clock-from-the-system-notification-area](includes/remove-clock-from-the-system-notification-area.md)]
[!INCLUDE [remove-notifications-and-action-center](includes/remove-notifications-and-action-center.md)]
[!INCLUDE [remove-pinned-programs-from-the-taskbar](includes/remove-pinned-programs-from-the-taskbar.md)]
::: zone pivot="windows-11"
[!INCLUDE [remove-quick-settings](includes/remove-quick-settings.md)]
::: zone-end
::: zone pivot="windows-10"
[!INCLUDE [remove-the-battery-meter](includes/remove-the-battery-meter.md)]
[!INCLUDE [remove-the-meet-now-icon](includes/remove-the-meet-now-icon.md)]
[!INCLUDE [remove-the-networking-icon](includes/remove-the-networking-icon.md)]
[!INCLUDE [remove-the-people-bar-from-the-taskbar](includes/remove-the-people-bar-from-the-taskbar.md)]
[!INCLUDE [remove-the-volume-control-icon](includes/remove-the-volume-control-icon.md)]
::: zone-end
[!INCLUDE [show-additional-calendar](includes/show-additional-calendar.md)]
::: zone pivot="windows-11"
[!INCLUDE [simplify-quick-settings-layout](includes/simplify-quick-settings-layout.md)]
::: zone-end
[!INCLUDE [turn-off-automatic-promotion-of-notification-icons-to-the-taskbar](includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md)]
::: zone pivot="windows-10"
[!INCLUDE [turn-off-notification-area-cleanup](includes/turn-off-notification-area-cleanup.md)]
::: zone-end
[!INCLUDE [turn-off-windows-copilot](includes/turn-off-windows-copilot.md)]
#### [:::image type="icon" source="../images/icons/touch.svg"::: **Taskbar behaviors**](#tab/actions)
::: zone pivot="windows-11"
|Setting Name|CSP|GPO|
|-|-|-|
|[Disable editing Quick Settings](#disable-editing-quick-settings)|✅|✅|
|[Do not allow pinning items in Jump Lists](#do-not-allow-pinning-items-in-jump-lists)|❌|✅|
|[Do not allow pinning programs to the Taskbar](#do-not-allow-pinning-programs-to-the-taskbar)|✅|✅|
|[Do not allow pinning Store app to the Taskbar](#do-not-allow-pinning-store-app-to-the-taskbar)|❌|✅|
|[Do not allow taskbars on more than one display](#do-not-allow-taskbars-on-more-than-one-display)|❌|✅|
|[Prevent changes to Taskbar and Start Menu Settings](#prevent-changes-to-taskbar-and-start-menu-settings)|❌|✅|
|[Prevent grouping of taskbar items](#prevent-grouping-of-taskbar-items)|❌|✅|
|[Remove access to the context menus for the taskbar](#remove-access-to-the-context-menus-for-the-taskbar)|❌|✅|
::: zone-end
::: zone pivot="windows-10"
|Setting Name|CSP|GPO|
|-|-|-|
|[Do not allow pinning items in Jump Lists](#do-not-allow-pinning-items-in-jump-lists)|❌|✅|
|[Do not allow pinning programs to the Taskbar](#do-not-allow-pinning-programs-to-the-taskbar)|✅|✅|
|[Do not allow pinning Store app to the Taskbar](#do-not-allow-pinning-store-app-to-the-taskbar)|❌|✅|
|[Lock all taskbar settings](#lock-all-taskbar-settings)|❌|✅|
|[Lock the Taskbar](#lock-the-taskbar)|❌|✅|
|[Prevent changes to Taskbar and Start Menu Settings](#prevent-changes-to-taskbar-and-start-menu-settings)|❌|✅|
|[Prevent grouping of taskbar items](#prevent-grouping-of-taskbar-items)|❌|✅|
|[Prevent users from adding or removing toolbars](#prevent-users-from-adding-or-removing-toolbars)|❌|✅|
|[Prevent users from moving taskbar to another screen dock location](#prevent-users-from-moving-taskbar-to-another-screen-dock-location)|❌|✅|
|[Prevent users from rearranging toolbars](#prevent-users-from-rearranging-toolbars)|❌|✅|
|[Prevent users from resizing the taskbar](#prevent-users-from-resizing-the-taskbar)|❌|✅|
|[Remove access to the context menus for the taskbar](#remove-access-to-the-context-menus-for-the-taskbar)|❌|✅|
|[Turn off notification area cleanup](#turn-off-notification-area-cleanup)|❌|✅|
::: zone-end
::: zone pivot="windows-11"
[!INCLUDE [disable-editing-quick-settings](includes/disable-editing-quick-settings.md)]
::: zone-end
[!INCLUDE [do-not-allow-pinning-items-in-jump-lists](includes/do-not-allow-pinning-items-in-jump-lists.md)]
[!INCLUDE [do-not-allow-pinning-programs-to-the-taskbar](includes/do-not-allow-pinning-programs-to-the-taskbar.md)]
[!INCLUDE [do-not-allow-pinning-store-app-to-the-taskbar](includes/do-not-allow-pinning-store-app-to-the-taskbar.md)]
[!INCLUDE [do-not-allow-taskbars-on-more-than-one-display](includes/do-not-allow-taskbars-on-more-than-one-display.md)]
::: zone pivot="windows-10"
[!INCLUDE [lock-all-taskbar-settings](includes/lock-all-taskbar-settings.md)]
[!INCLUDE [lock-the-taskbar](includes/lock-the-taskbar.md)]
::: zone-end
[!INCLUDE [prevent-changes-to-taskbar-and-start-menu-settings](includes/prevent-changes-to-taskbar-and-start-menu-settings.md)]
[!INCLUDE [prevent-grouping-of-taskbar-items](includes/prevent-grouping-of-taskbar-items.md)]
::: zone pivot="windows-10"
[!INCLUDE [prevent-users-from-adding-or-removing-toolbars](includes/prevent-users-from-adding-or-removing-toolbars.md)]
[!INCLUDE [prevent-users-from-moving-taskbar-to-another-screen-dock-location](includes/prevent-users-from-moving-taskbar-to-another-screen-dock-location.md)]
[!INCLUDE [prevent-users-from-rearranging-toolbars](includes/prevent-users-from-rearranging-toolbars.md)]
[!INCLUDE [prevent-users-from-resizing-the-taskbar](includes/prevent-users-from-resizing-the-taskbar.md)]
::: zone-end
[!INCLUDE [remove-access-to-the-context-menus-for-the-taskbar](includes/remove-access-to-the-context-menus-for-the-taskbar.md)]
[!INCLUDE [turn-off-automatic-promotion-of-notification-icons-to-the-taskbar](includes/turn-off-automatic-promotion-of-notification-icons-to-the-taskbar.md)]
::: zone pivot="windows-10"
[!INCLUDE [turn-off-notification-area-cleanup](includes/turn-off-notification-area-cleanup.md)]
::: zone-end
---
## Next steps
The configuration of pinned applications to the taskbar requires the use of an XML file that specifies their pinning order. To learn more about how to create and apply an XML file to configure pinned applications, see [Configure the taskbar pinned applications](pinned-apps.md).
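Review bot: Several policy includes are rendered where the tables do not list them, so the two tabs end up out of sync. `turn-off-automatic-promotion-of-notification-icons-to-the-taskbar` is included under both the Taskbar layout tab and the Taskbar behaviors tab, but only the layout tables list it; `turn-off-notification-area-cleanup` is both listed and included under the two tabs for Windows 10 and should live in one of them; and `do-not-allow-taskbars-on-more-than-one-display` is included outside any zone pivot, so it also renders for Windows 10 even though only the Windows 11 behaviors table lists it. Also, the front matter replaces the Windows 11 `appliesto` entry with an empty `appliesto:` key; with `zone_pivot_groups: windows-versions-11-10` the expected entries are Windows 11 and Windows 10, or the key should be removed.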

@ -1,7 +1,10 @@
items: items:
- name: Customize the Taskbar - name: Overview
href: index.md href: index.md
- name: Supported Taskbar CSPs displayName: Configure the Windows taskbar
- name: Policy settings
href: policy-settings.md href: policy-settings.md
- name: Configure the pinned applications
href: pinned-apps.md
- name: XML schema definition (XSD) - name: XML schema definition (XSD)
href: xsd.md href: xsd.md

@ -27,15 +27,6 @@ This reference article contains the Taskbar XML schema definition (XSD).
<xsd:attribute name="DesktopApplicationLinkPath" type="xsd:string" /> <xsd:attribute name="DesktopApplicationLinkPath" type="xsd:string" />
</xsd:complexType> </xsd:complexType>
<xsd:complexType name="ct_TaskbarSecondaryTile">
<xsd:attribute name="AppUserModelID" type="xsd:string" use="required"/>
<xsd:attribute name="TileID" type="xsd:string" use="required"/>
<xsd:attribute name="Arguments" type="xsd:string" use="required"/>
<xsd:attribute name="DisplayName" type="xsd:string" use="required"/>
<xsd:attribute name="Square150x150LogoUri" type="xsd:string" use="required"/>
<xsd:attribute name="Wide310x150LogoUri" type="xsd:string" use="optional"/>
</xsd:complexType>
<xsd:complexType name="ct_TaskbarPinList"> <xsd:complexType name="ct_TaskbarPinList">
<xsd:sequence> <xsd:sequence>
<xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:choice minOccurs="0" maxOccurs="unbounded">
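Review bot: Removing the `ct_TaskbarSecondaryTile` complex type is only safe if nothing else in the schema still references it; the `<xsd:choice>` inside `ct_TaskbarPinList` is shown here but its child elements are not, so please confirm that any `<xsd:element ... type="ct_TaskbarSecondaryTile">` in that choice was removed in the same change, otherwise the XSD references an undefined type and no longer validates.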

@ -372,6 +372,8 @@
href: update/update-other-microsoft-products.md href: update/update-other-microsoft-products.md
- name: Delivery Optimization reference - name: Delivery Optimization reference
href: do/waas-delivery-optimization-reference.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json href: do/waas-delivery-optimization-reference.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
- name: FoD and language packs for WSUS and Configuration Manager
href: update/fod-and-lang-packs.md
- name: Windows client in S mode - name: Windows client in S mode
href: s-mode.md href: s-mode.md
- name: Switch to Windows client Pro or Enterprise from S mode - name: Switch to Windows client Pro or Enterprise from S mode

@ -3,7 +3,7 @@ title: FoD and language packs for WSUS and Configuration Manager
description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager. description: Learn how to make FoD and language packs available to clients when you're using WSUS or Configuration Manager.
ms.service: windows-client ms.service: windows-client
ms.subservice: itpro-updates ms.subservice: itpro-updates
ms.topic: conceptual ms.topic: reference
ms.author: mstewart ms.author: mstewart
author: mestew author: mestew
ms.localizationpriority: medium ms.localizationpriority: medium
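Review bot: `ms.topic` moves from `conceptual` to `reference`, but the H1 kept on this page ("How to make Features on Demand and language packs available...") and the body describe a procedure; `how-to` fits the content better, or the title should be reworded to match a reference article.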
@ -13,28 +13,44 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a> - ✅ <a href=https://learn.microsoft.com/mem/configmgr/ > Microsoft Configuration Manager</a>
- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a> - ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 03/13/2019 ms.date: 04/22/2024
--- ---
# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager # How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
This reference article describes how to make Features on Demand (FoDs) and language packs available when you're using Windows Server Update Services (WSUS) or Configuration Manager for specific versions of Windows.
This article describes how to make Features on Demand and language packs available when you're using WSUS or Configuration Manager for specific versions of Windows. ## High-level changes affecting Features on Demand and language pack content
## Version information for Features on Demand and language packs The following changes for FoD and language pack content affected how client policy needs to be configured:
- Starting in Windows 10 version 1709, you can't use WSUS to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FoDs) locally.
- Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features. Due to these changes, the **Specify settings for optional component installation and component repair** ([ADMX_Servicing](/windows/client-management/mdm/policy-csp-admx-servicing)) policy, located under `Computer Configuration\Administrative Templates\System` was used to specify alternate ways to acquire FoDs and language packs, along with content for corruption repair. This policy allows specifying one alternate location. It's important to note the policy behaves differently across OS versions. For more information, see the [Version specific information for Features on Demand and language packs](#version-specific-information-for-features-on-demand-and-language-packs) section.
As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS. The introduction of the **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<UpdateClass\>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) policy in Windows 10, version 2004 further complicated configuring settings for FoD and language pack content.
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions. Starting in Windows 11, version 22H2, on-premises Unified Update Platform (UUP) updates were introduced. FoDs and language packs are available from WSUS again. It's no longer necessary to use the **Specify settings for optional component installation and component repair** policy for FoD and language pack content.
In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions doesn't influence how language packs are acquired. ## Version specific information for Features on Demand and language packs
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location. Windows 11, version 22H2, and later clients use on-premises Unified Update Platform (UUP) updates with WSUS and Microsoft Configuration Manager. These clients don't need to use **Specify settings for optional component installation and component repair** for FoDs and language packs since the content is available in WSUS due to on-premises UUP.
For Windows 10, version 2004 through Windows 11, version 21H2, clients can't download FoDs or language packs when **Specify settings for optional component installation and component repair** is set to Windows Update and **Specify source service for specific classes of Windows Updates** ([SetPolicyDrivenUpdateSourceFor<FeatureUpdates/QualityUpdates>](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourceforfeatureupdates)) for either feature or quality updates is set to WSUS. If you need this content, you can set **Specify settings for optional component installation and component repair** to Windows Update and then either:
- Change the source selection for feature and quality updates to Windows Update
- Allow all classes of updates to come from WSUS by not configuring any source selections <!--8907933-->
> [!Note]
> In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features.
In Windows 10 version 1809 and later, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update (until Windows 11 version 22H2). It's currently not possible to acquire them from a network share. Specifying a network location works for FoD packages or corruption repair, depending on the content at that location.
In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FoD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions doesn't influence how language packs are acquired.
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy doesn't affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. For all OS versions, changing the **Specify settings for optional component installation and component repair** policy doesn't affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/). Learn about other client management options, including using Group Policy and administrative templates, in [Manage Windows clients](/windows/client-management/).
## More resources ## More resources
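Review bot: The sentence "Specifying a network location works for either, depending on the content is found at that location." in the 1709/1803 paragraph is ungrammatical; it was carried over from the old text and should read "depending on whether the content is found at that location". Two smaller points in the same hunk: the link text escapes the angle bracket in `SetPolicyDrivenUpdateSourceFor<UpdateClass\>` but not in `SetPolicyDrivenUpdateSourceFor<FeatureUpdates/QualityUpdates>` a few lines later, so the two render differently; and the bullet "Allow all classes of updates to come from WSUS by not configuring any source selections" should say that the FoD and language pack content itself still comes from Windows Update in that configuration, since the opening bullets state WSUS cannot host it before Windows 11, version 22H2, and a WSUS-only client needs to reach Windows Update for that content to arrive at all.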

View File

@ -11,11 +11,11 @@ ms.localizationpriority: medium
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 03/15/2023 ms.date: 04/22/2024
--- ---
# Migrating and acquiring optional Windows content during updates # Migrating and acquiring optional Windows content during updates
This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term. This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term.
When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update). When you update the operating system, it's critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a *media-based* or *task-sequence-based* update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a *servicing-based* update).
@ -28,7 +28,8 @@ Optional content includes the following items:
- General Features on Demand also referred to as FODs (for example, Windows Mixed Reality) - General Features on Demand also referred to as FODs (for example, Windows Mixed Reality)
- Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0) - Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0)
- Local Experience Packs - Local Experience Packs
- Language packs
Optional content isn't included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it's released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user's data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network. Optional content isn't included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it's released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user's data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network.
@ -137,7 +138,8 @@ Several of the options address ways to address optional content migration issues
- This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired. - This setting doesn't support installing language packs from an alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
- If this setting isn't configured or disabled, files are downloaded from the default Windows Update location, for example Windows Update for Business or WSUS. - If this setting isn't configured or disabled, files are downloaded from the default Windows Update location, for example Windows Update for Business or WSUS.
For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source).
For more information, see [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) and [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](fod-and-lang-packs.md).
## More resources ## More resources
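Review bot: The unchanged bullet above the new link still states without qualification that language packs can only be acquired from Windows Update, which now conflicts with the linked article's statement that Windows 11, version 22H2 and later clients get language packs from WSUS through on-premises UUP; add the version caveat here, or readers on 22H2 and later will be told to open Windows Update when they don't need to. Minor: this file spells the abbreviation "FODs" while the linked article was just normalized to "FoDs"; align them while both are being edited.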

View File

@ -15,11 +15,11 @@ appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a> - ✅ <a href=https://learn.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus > WSUS </a>
ms.date: 12/31/2017 ms.date: 04/22/2024
--- ---
# Deploy Windows client updates using Windows Server Update Services (WSUS) # Deploy Windows client updates using Windows Server Update Services (WSUS)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)

View File

@ -11,10 +11,10 @@ ms.localizationpriority: medium
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 01/13/2022 ms.date: 04/22/2024
--- ---
# Use Windows Update for Business and WSUS together # Use Windows Update for Business and WSUS together
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@ -69,7 +69,8 @@ The policy can be configured using the following two methods:
> [!NOTE] > [!NOTE]
> - You should configure **all** of these policies if you are using CSPs. > - You should configure **all** of these policies if you are using CSPs.
> - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered. > - Editing the registry to change the behavior of update policies isn't recommended. Use Group Policy or the Configuration Service Provider (CSP) policy instead of directly writing to the registry. However, if you choose to edit the registry, ensure you've configured the `UseUpdateClassPolicySource` registry key too, or the scan source won't be altered.
> - If you're also using the **Specify settings for optional component installation and component repair** policy to enable content for FoDs and language packs, see [How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager](fod-and-lang-packs.md) to verify your policy configuration.
- [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver) - [Update/SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourcefordriver)
- [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature) - [Update/SetPolicyDrivenUpdateSourceForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-setpolicydrivenupdatesourceforfeature)
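Review bot: The new note bullet tells the reader to "verify your policy configuration" without saying what to verify; state the actual conflict (clients from Windows 10, version 2004 through Windows 11, version 21H2 cannot download FoDs or language packs when the scan-source policy for feature or quality updates is set to WSUS) so the reader knows whether the linked article applies before leaving this page. It also lands inside a note that is otherwise about registry edits, where it reads as unrelated; a separate note after the policy list would fit better.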

View File

@ -32,7 +32,7 @@ The following methodology was used to derive the network endpoints:
> [!NOTE] > [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 11 Family ## Windows 11 Home
| **Area** | **Description** | **Protocol** | **Destination** | | **Area** | **Description** | **Protocol** | **Destination** |
|-----------|--------------- |------------- |-----------------| |-----------|--------------- |------------- |-----------------|
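Review bot: Renaming the heading from "Windows 11 Family" to "Windows 11 Home" changes its generated anchor (`#windows-11-family` becomes `#windows-11-home`), so any TOC entries, in-page links or external links that target the old fragment break; the same applies to the six "Windows 10 Family" headings renamed in the other endpoint files in this commit. Check for references to the old fragments before merging.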

View File

@ -32,7 +32,7 @@ We used the following methodology to derive these network endpoints:
> [!NOTE] > [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family ## Windows 10 Home
| **Destination** | **Protocol** | **Description** | | **Destination** | **Protocol** | **Description** |
| --- | --- | --- | | --- | --- | --- |

View File

@ -36,7 +36,7 @@ The following methodology was used to derive the network endpoints:
> [!NOTE] > [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family ## Windows 10 Home
| Destination | Protocol | Description | | Destination | Protocol | Description |
| ----------- | -------- | ----------- | | ----------- | -------- | ----------- |

View File

@ -34,7 +34,7 @@ The following methodology was used to derive the network endpoints:
> [!NOTE] > [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family ## Windows 10 Home
| **Destination** | **Protocol** | **Description** | | **Destination** | **Protocol** | **Description** |
| --- | --- | --- | | --- | --- | --- |

View File

@ -35,7 +35,7 @@ The following methodology was used to derive the network endpoints:
> [!NOTE] > [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family ## Windows 10 Home
| **Destination** | **Protocol** | **Description** | | **Destination** | **Protocol** | **Description** |
| --- | --- | --- | | --- | --- | --- |

View File

@ -34,7 +34,7 @@ The following methodology was used to derive the network endpoints:
> [!NOTE] > [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family ## Windows 10 Home
| **Area** | **Description** | **Protocol** | **Destination** | | **Area** | **Description** | **Protocol** | **Destination** |
|-----------|--------------- |------------- |-----------------| |-----------|--------------- |------------- |-----------------|

View File

@ -34,7 +34,7 @@ The following methodology was used to derive the network endpoints:
> [!NOTE] > [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
## Windows 10 Family ## Windows 10 Home
| **Area** | **Description** | **Protocol** | **Destination** | | **Area** | **Description** | **Protocol** | **Destination** |
|-----------|--------------- |------------- |-----------------| |-----------|--------------- |------------- |-----------------|

View File

@ -2,7 +2,7 @@
title: Use multiple Windows Defender Application Control Policies title: Use multiple Windows Defender Application Control Policies
description: Windows Defender Application Control supports multiple code integrity policies for one device. description: Windows Defender Application Control supports multiple code integrity policies for one device.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 07/19/2021 ms.date: 04/15/2024
ms.topic: article ms.topic: article
--- ---
@ -11,17 +11,22 @@ ms.topic: article
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: Beginning with Windows 10 version 1903 and Windows Server 2022, you can deploy multiple Windows Defender Application Control (WDAC) policies side-by-side on a device. To allow more than 32 active policies, install the Windows security update released on, or after, April 9, 2024 and then restart the device. With these updates, there's no limit for the number of policies you can deploy at once to a given device. Until you install the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies and you must not exceed that number.
>[!NOTE]
>The policy limit was not removed on Windows 11 21H2 and will remain limited to 32 policies.
Here are some common scenarios where multiple side-by-side policies are useful:
1. Enforce and Audit Side-by-Side 1. Enforce and Audit Side-by-Side
- To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy
2. Multiple Base Policies 2. Multiple Base Policies
- Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent - Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent
- If two base policies exist on a device, an application has to be allowed by both to run - If two base policies exist on a device, an application must pass both policies for it to run
3. Supplemental Policies 3. Supplemental Policies
- Users can deploy one or more supplemental policies to expand a base policy - Users can deploy one or more supplemental policies to expand a base policy
- A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy - A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy
- For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run - For supplemental policies, applications allowed by either the base policy or its supplemental policy/policies run
> [!NOTE] > [!NOTE]
> Pre-1903 systems do not support the use of Multiple Policy Format WDAC policies. > Pre-1903 systems do not support the use of Multiple Policy Format WDAC policies.
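Review bot: The lead paragraph says that after the April 9, 2024 security update "there's no limit for the number of policies you can deploy", but the note directly below carves out Windows 11 21H2; state explicitly which OS versions the limit removal applies to rather than leaving the reader to infer it from a single exception. The paragraph also restates the 32-policy constraint in three sentences; one statement of the limit plus the exception is enough. In the same hunk, the "Pre-1903 systems do not support" note now follows a paragraph that names Windows Server 2022 as a second baseline, so it should mention the server side as well.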
@ -31,11 +36,11 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a
- Multiple base policies: intersection - Multiple base policies: intersection
- Only applications allowed by both policies run without generating block events - Only applications allowed by both policies run without generating block events
- Base + supplemental policy: union - Base + supplemental policy: union
- Files that are allowed by either the base policy or the supplemental policy aren't blocked - Files allowed by either the base policy or the supplemental policy run
## Creating WDAC policies in Multiple Policy Format ## Creating WDAC policies in Multiple Policy Format
In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format. In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique values generated for the policy ID and 2) the policy type set as a Base policy. The below example describes the process of creating a new policy in the multiple policy format.
```powershell ```powershell
New-CIPolicy -MultiplePolicyFormat -ScanPath "<path>" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash New-CIPolicy -MultiplePolicyFormat -ScanPath "<path>" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash
@ -55,7 +60,7 @@ Add-SignerRule -FilePath ".\policy.xml" -CertificatePath <certificate_path_> [-K
### Supplemental policy creation ### Supplemental policy creation
In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown above. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy. In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format as shown earlier. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy.
- "SupplementsBasePolicyID": GUID of base policy that the supplemental policy applies to - "SupplementsBasePolicyID": GUID of base policy that the supplemental policy applies to
- "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to - "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to
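Review bot: The earlier hunk changed the description of the MultiplePolicyFormat switch from "unique GUIDs" to "unique values" for the policy ID, but this hunk leaves "SupplementsBasePolicyID: GUID of base policy" unchanged, and the merging section below still speaks of GUIDs; pick one term. If the IDs are still GUIDs (the `{PolicyGUID}.cip` file naming later in this file suggests they are), revert the wording in the earlier hunk instead.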
@ -66,11 +71,11 @@ Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" [-SupplementsBasePolicy
### Merging policies ### Merging policies
When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \<ID>, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \<ID>. When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \<ID>, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy is a base policy with ID \<ID>.
## Deploying multiple policies ## Deploying multiple policies
In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Intune's custom OMA-URI feature. In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP.
### Deploying multiple policies locally ### Deploying multiple policies locally
@ -86,15 +91,9 @@ To deploy policies locally using the new multiple policy format, follow these st
Multiple Windows Defender Application Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.<br> Multiple Windows Defender Application Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.<br>
However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. However, when policies are unenrolled from an MDM server, the CSP attempts to remove every policy not actively deployed, not just the policies added by the CSP. This behavior happens because the system doesn't know what deployment methods were used to apply individual policies.
For more information on deploying multiple policies, optionally using Microsoft Intune's custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp). For more information on deploying multiple policies, optionally using Microsoft Intune's custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
> [!NOTE] > [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies. > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
### Known Issues in Multiple Policy Format
* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b.
* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit.
* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot.
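Review bot: The rewritten sentence in the ApplicationControl CSP paragraph, `the CSP attempts to remove every policy not actively deployed, not just the policies added by the CSP`, is less precise than the text it replaces (`the CSP will attempt to remove every policy from devices, not just the policies added by the CSP`): "not actively deployed" reads as if only stale policies are removed, while the next sentence still says the system can't tell which deployment method applied a policy. Consider "attempts to remove every policy on the device, not just the policies added by the CSP". Separately, the "Known Issues in Multiple Policy Format" section (32-policy limit, bluescreen referencing ci.dll with bug check 0x0000003b, rebootless `PS_UpdateAndCompareCIPolicy` loads counting toward the limit) is deleted with nothing left in its place; if that material now lives in the WDAC admin tips and known issues article, add a link to it here so readers of this page can still find the limit.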


@ -2,7 +2,7 @@
title: WDAC Admin Tips & Known Issues title: WDAC Admin Tips & Known Issues
description: WDAC Known Issues description: WDAC Known Issues
ms.manager: jsuther ms.manager: jsuther
ms.date: 11/22/2023 ms.date: 04/15/2024
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
--- ---
@ -43,32 +43,30 @@ When the WDAC engine evaluates files against the active set of policies on the d
4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option. 4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option.
5. If no explicit rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. 5. Any file not allowed by an explicit rule or based on ISG or MI is blocked implicitly.
## Known issues ## Known issues
### Boot stop failure (blue screen) occurs if more than 32 policies are active ### Boot stop failure (blue screen) occurs if more than 32 policies are active
If the maximum number of policies is exceeded, the device will bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. Until you apply the Windows security update released on or after April 9, 2024, your device is limited to 32 active policies. If the maximum number of policies is exceeded, the device bluescreens referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. To remove the maximum policy limit, install the Windows security update released on, or after, April 9, 2024 and then restart the device. Otherwise, reduce the number of policies on the device to remain below 32 policies.
**Note:** The policy limit was not removed on Windows 11 21H2, and will remain limited to 32 policies.
### Audit mode policies can change the behavior for some apps or cause app crashes ### Audit mode policies can change the behavior for some apps or cause app crashes
Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that includes the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode: Although WDAC audit mode is designed to avoid impact to apps, some features are always on/always enforced with any WDAC policy that turns on user mode code integrity (UMCI) with the option **0 Enabled:UMCI**. Here's a list of known system changes in audit mode:
- Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with WDAC](/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement) for information about individual script host behaviors. - Some script hosts might block code or run code with fewer privileges even in audit mode. See [Script enforcement with WDAC](/windows/security/application-security/application-control/windows-defender-application-control/design/script-enforcement) for information about individual script host behaviors.
- Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [WDAC and .NET](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet#wdac-and-net-hardening). - Option **19 Enabled:Dynamic Code Security** is always enforced if any UMCI policy includes that option. See [WDAC and .NET](/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-and-dotnet#wdac-and-net-hardening).
### Managed Installer and ISG may cause excessive events
When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events were moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
### .NET native images may generate false positive block events ### .NET native images may generate false positive block events
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window.
### Signatures using elliptical curve cryptography (ECC) aren't supported ### Signatures using elliptical curve cryptography (ECC) aren't supported
WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If WDAC blocks a file based on ECC signatures, the corresponding 3089 signature information events show VerificationError = 23. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA.
### MSI installers are treated as user writeable on Windows 10 when allowed by FilePath rule ### MSI installers are treated as user writeable on Windows 10 when allowed by FilePath rule
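Review bot: The new ECC wording, `If WDAC blocks a file based on ECC signatures, the corresponding 3089 signature information events show VerificationError = 23`, misstates the cause: WDAC doesn't block a file because it carries an ECC signature, it's unable to match a signer rule to that signature, so the file is blocked only when no other rule (hash, file attribute, or an RSA signer) allows it. The replaced text (`If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23`) had this right; consider "If the only rule that would allow a file relies on an ECC signature, ...". Two smaller points: the added line `**Note:** The policy limit was not removed on Windows 11 21H2, and will remain limited to 32 policies.` uses bold "Note:" where the rest of this doc set uses the `> [!NOTE]` alert block, and "will remain limited" should be present tense ("remains limited"); and the "Managed Installer and ISG may cause excessive events" section (3091/3092 events moved to the verbose channel with the September 2022 Update Preview) is removed without a replacement or a stated reason, so confirm that guidance is intentionally retired rather than lost.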
@ -88,18 +86,19 @@ As a workaround, download the MSI file and run it locally:
```console ```console
msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi msiexec -i c:\temp\Windows10_Version_1511_ADMX.msi
``` ```
### Slow boot and performance with custom policies ### Slow boot and performance with custom policies
WDAC evaluates all processes that run, including inbox Windows processes. If policies don't build off the WDAC templates or don't trust the Windows signers, you'll see slower boot times, degraded performance and possibly boot issues. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies. WDAC evaluates all processes that run, including inbox Windows processes. You can cause slower boot times, degraded performance, and possibly boot issues if your policies don't build upon the WDAC templates or don't trust the Windows signers. For these reasons, you should use the [WDAC base templates](../design/example-wdac-base-policies.md) whenever possible to create your policies.
#### AppId Tagging policy considerations #### AppId Tagging policy considerations
If the AppId Tagging Policy wasn't built off the WDAC base templates or doesn't allow the Windows in-box signers, you'll notice a significant increase in boot times (~2 minutes). AppId Tagging policies that aren't built upon the WDAC base templates or don't allow the Windows in-box signers might cause a significant increase in boot times (~2 minutes).
If you can't allowlist the Windows signers, or build off the WDAC base templates, it's recommended to add the following rule to your policies to improve the performance: If you can't allowlist the Windows signers or build off the WDAC base templates, add the following rule to your policies to improve the performance:
:::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy."::: :::image type="content" source="../images/known-issue-appid-dll-rule.png" alt-text="Allow all dlls in the policy.":::
:::image type="content" source="../images/known-issue-appid-dll-rule-xml.png" alt-text="Allow all dll files in the xml policy."::: :::image type="content" source="../images/known-issue-appid-dll-rule-xml.png" alt-text="Allow all dll files in the xml policy.":::
Since AppId Tagging policies evaluate but can't tag dll files, this rule will short circuit dll evaluation and improve evaluation performance. Since AppId Tagging policies evaluate but can't tag dll files, this rule short circuits dll evaluation and improve evaluation performance.
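Review bot: Subject-verb agreement is only half fixed in the last sentence: `this rule short circuits dll evaluation and improve evaluation performance` should read "short circuits dll evaluation and improves evaluation performance". Also, the rule readers are told to add is presented only as two screenshots (`known-issue-appid-dll-rule.png` and `known-issue-appid-dll-rule-xml.png`); since this hunk already rewrites the surrounding sentences, consider adding the rule's XML as a fenced code block alongside the images so it can be copied into a policy and read by screen readers.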


@ -1,6 +1,6 @@
--- ---
title: Windows and cloud security title: Windows and cloud security
description: Get an overview of cloud security features in Windows description: Get an overview of cloud security features in Windows.
ms.date: 08/02/2023 ms.date: 08/02/2023
ms.topic: overview ms.topic: overview
author: paolomatarazzo author: paolomatarazzo
@ -9,7 +9,7 @@ ms.author: paoloma
# Windows and cloud security # Windows and cloud security
Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats. Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere. From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.


@ -2,7 +2,7 @@
title: Configure Windows Hello for Business title: Configure Windows Hello for Business
description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization. description: Learn about the configuration options for Windows Hello for Business and how to implement them in your organization.
ms.topic: how-to ms.topic: how-to
ms.date: 01/03/2024 ms.date: 04/23/2024
--- ---
# Configure Windows Hello for Business # Configure Windows Hello for Business


@ -1,7 +1,7 @@
--- ---
title: Dynamic lock title: Dynamic lock
description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value. description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
ms.date: 02/29/2024 ms.date: 04/23/2024
ms.topic: how-to ms.topic: how-to
--- ---


@ -1,7 +1,7 @@
--- ---
title: Configure single sign-on (SSO) for Microsoft Entra joined devices title: Configure single sign-on (SSO) for Microsoft Entra joined devices
description: Learn how to configure single sign-on to on-premises resources for Microsoft Entra joined devices, using Windows Hello for Business. description: Learn how to configure single sign-on to on-premises resources for Microsoft Entra joined devices, using Windows Hello for Business.
ms.date: 12/30/2022 ms.date: 04/23/2024
ms.topic: how-to ms.topic: how-to
--- ---
@ -9,7 +9,7 @@ ms.topic: how-to
[!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)] [!INCLUDE [apply-to-hybrid-key-and-cert-trust](deploy/includes/apply-to-hybrid-key-and-cert-trust.md)]
Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Microsoft Entra joined devices may need to access these resources. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate. Windows Hello for Business combined with Microsoft Entra joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. As organizations transition resources to the cloud, some resources might remain on-premises, and Microsoft Entra joined devices might need to access them. With additional configurations to the hybrid deployment, you can provide single sign-on to on-premises resources for Microsoft Entra joined devices using Windows Hello for Business, using a key or a certificate.
> [!NOTE] > [!NOTE]
> These steps are not needed when using the cloud Kerberos trust model. > These steps are not needed when using the cloud Kerberos trust model.
@ -25,14 +25,14 @@ Unlike Microsoft Entra hybrid joined devices, Microsoft Entra joined devices don
### CRL Distribution Point (CDP) ### CRL Distribution Point (CDP)
Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a *certificate revocation list* (CRL).\ Certificates issued by a certificate authority can be revoked. When a certificate authority revokes a certificate, it writes information about the certificate into a *certificate revocation list* (CRL).\
During certificate validation, Windows compares the current certificate with information in the CRL to determine if the certificate is valid. During certificate validation, Windows compares the current certificate with information in the CRL to determine if the certificate is valid.
![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png) :::image type="content" source="images/aadj/Certificate-CDP.png" alt-text="Screenshot of a certificate's CDP property.":::
The preceding domain controller certificate shows a *CRL distribution point* (CDP) in Active Directory. The value in the URL begins with *ldap*. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated. In the screenshot, the CDP property of the domain controller certificate shows an LDAP path. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Microsoft Entra joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the CRL. The authentication becomes a circular problem: the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
To resolve this issue, the CRL distribution point must be a location accessible by Microsoft Entra joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS). To resolve this issue, the CRL distribution point must be a location accessible by Microsoft Entra joined devices that don't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first, in the list of distribution points. If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first, in the list of distribution points.
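Review bot: The edit to the CDP sentence introduces a grammatical regression: `a location accessible by Microsoft Entra joined devices that don't require authentication` now says the devices don't require authentication, whereas the original `that doesn't require authentication` correctly described the location. Suggest "a location that doesn't require authentication and is accessible by Microsoft Entra joined devices". The `:::image:::` conversion is fine, but the new alt text `Screenshot of a certificate's CDP property` drops that this is the domain controller certificate with an LDAP CDP, which is the point the paragraph makes; "Screenshot of a domain controller certificate's CDP property showing an LDAP URL" would keep that for screen-reader users.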
@ -45,17 +45,18 @@ Certificate authorities write CDP information in certificates as they're issued.
#### Why does Windows need to validate the domain controller certificate? #### Why does Windows need to validate the domain controller certificate?
Windows Hello for Business enforces the strict KDC validation security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met: Windows Hello for Business enforces the *strict KDC validation* security feature when authenticating from a Microsoft Entra joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on a Microsoft Entra joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
- The domain controller has the private key for the certificate provided - The domain controller has the private key for the certificate provided
- The root CA that issued the domain controller's certificate is in the device's *Trusted Root Certificate Authorities* - The root CA that issued the domain controller's certificate is in the device's *Trusted Root Certificate Authorities*
- Use the *Kerberos Authentication certificate template* instead of any other older template - Use the *Kerberos Authentication certificate template* instead of any other older template
- The domain controller's certificate has the *KDC Authentication* extended key usage (EKU) - The domain controller's certificate has the *KDC Authentication* extended key usage (EKU)
- The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain
- The domain controller's certificate's signature hash algorithm is **sha256** - The domain controller's certificate's signature hash algorithm is *sha256*
- The domain controller's certificate's public key is **RSA (2048 Bits)** - The domain controller's certificate's public key is *RSA (2048 Bits)*
Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU. > [!IMPORTANT]
> Authenticating from a Microsoft Entra hybrid joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the *KDC Authentication* EKU. If you're adding Microsoft Entra joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the *KDC Authentication* EKU.
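Review bot: One item in the strict KDC validation list reads as an instruction rather than a condition the client checks: `Use the *Kerberos Authentication certificate template* instead of any other older template` sits between "The domain controller has the private key..." and "The domain controller's certificate has the *KDC Authentication* EKU". Since this hunk already touches the list (bold to italics for *sha256* and *RSA (2048 Bits)*), rephrase it in the same form as its neighbours, for example "The domain controller's certificate was issued from the *Kerberos Authentication* certificate template rather than an older template". Moving the hybrid-joined caveat into a `> [!IMPORTANT]` block is a good change.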
## Configure a CRL distribution point for an issuing CA ## Configure a CRL distribution point for an issuing CA
@ -118,7 +119,7 @@ These procedures configure NTFS and share permissions on the web server to allow
1. In the **Advanced Sharing** dialog box, select **OK** 1. In the **Advanced Sharing** dialog box, select **OK**
> [!Tip] > [!Tip]
> Make sure that users can access **\\\Server FQDN\sharename**. > Make sure that users can access `\\Server FQDN\sharename`.
### Disable Caching ### Disable Caching
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server) 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server)
@ -216,6 +217,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes** 1. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**
1. Select the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point** 1. Select the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**
1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK** 1. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**
![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png) ![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
## Deploy the root CA certificate to Microsoft Entra joined devices ## Deploy the root CA certificate to Microsoft Entra joined devices
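Review bot: Step 1 in this hunk is missing a relative pronoun: `double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**` should read "the existing domain controller certificate that includes **KDC Authentication**". The image `![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)` also still uses Markdown image syntax, while the earlier hunk in this same file converted the CDP screenshot to the `:::image type="content" ... :::` form; convert this one too so the file is consistent.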


@ -1,7 +1,7 @@
--- ---
title: How Windows Hello for Business authentication works title: How Windows Hello for Business authentication works
description: Learn about the Windows Hello for Business authentication flows. description: Learn about the Windows Hello for Business authentication flows.
ms.date: 01/03/2024 ms.date: 04/23/2024
ms.topic: reference ms.topic: reference
--- ---
# Windows Hello for Business authentication # Windows Hello for Business authentication
@ -19,11 +19,11 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.| |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
|B | The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.| |B | The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.|
|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.| |C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
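Review bot: Three grammar slips remain in the phase table this hunk touches: in phase B, `returns the signed nonce to the Microsoft Entra ID` should drop the article ("to Microsoft Entra ID"); in phase D, `the Cloud AP provider decrypt the session key` should be "decrypts"; and in phase E, `informs Winlogon of the success authentication` should be "of the successful authentication". Since the rows are being edited anyway, fix them in the same change.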
## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust ## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
@ -31,7 +31,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. |A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.| |B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
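Review bot: Phase A in the cloud Kerberos trust table still has a broken clause: `begins with the user first attempts to use a resource that needs Kerberos authentication` should be "begins when the user first attempts to use a resource that needs Kerberos authentication". The same wording appears in the key trust and certificate trust tables below, so apply the fix to all three.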
## Microsoft Entra join authentication to Active Directory using a key ## Microsoft Entra join authentication to Active Directory using a key
@ -40,9 +40,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.| |A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE] > [!NOTE]
> You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins. > You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
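Review bot: the closing note of this hunk reads "will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos", which is ungrammatical and uses the abbreviation "LOS" without expanding it; suggest "authenticates directly against Microsoft Entra ID to get a PRT and, if the device has line of sight to a domain controller, authenticates against it to get a Kerberos TGT". In phase B, "It validates the UPN for authentication request matches the UPN registered in Active Directory" should read "It validates that the UPN in the authentication request matches the UPN registered in Active Directory"; that UPN check is what binds the KDC's lookup of the registered public key to the requesting account, so it is worth stating precisely.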
@ -53,12 +53,12 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.| |A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
> [!NOTE] > [!NOTE]
> You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. > You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
## Microsoft Entra hybrid join authentication using cloud Kerberos trust ## Microsoft Entra hybrid join authentication using cloud Kerberos trust
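Review bot: the note at the end of this hunk has a dropped object: "Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login" is missing what the PIN/Bio was provisioned on, and "any future login of Windows Hello for Business (PIN/Bio) sign-in" is a doubled noun; suggest "any subsequent Windows Hello for Business (PIN/biometric) sign-in". In phase B, the KDC takes the public key from the presented certificate rather than from Active Directory and locates the account only by the UPN it finds in the certificate, so the chain, validity, EKU and revocation checks in the preceding sentence are the entire basis for trusting that key; consider saying so explicitly, since the key trust flow in the hunk above instead looks the key up in the directory. Phase A also reads "begins with the user first attempts to use a resource", which should be "begins when the user first attempts to use a resource".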
@ -66,11 +66,11 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce. |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID. |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID.
|C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP. |C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP.
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT. |D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| |E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Microsoft Entra hybrid join authentication using a key ## Microsoft Entra hybrid join authentication using a key
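Review bot: phase E states that "The domain controller verifies that the partial TGT is valid" without saying against what, although the previous sentence says the partial TGT "is signed by Microsoft Entra Kerberos"; suggest naming what the domain controller validates the signature with (the key of the Microsoft Entra Kerberos server object that this deployment requires in the on-premises domain), because that object is the trust anchor for the whole flow and a reader troubleshooting a failed exchange needs to know it. Phase C contains a redundant pair of sentences, "Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce."; one sentence stating that the signature is verified with the registered public key and that the nonce matches the one issued would be clearer. Phase D says the session key is protected "using the device's TPM (if available)", whereas the two hybrid hunks below omit "(if available)"; pick one wording.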
@ -78,13 +78,13 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.| |D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| |E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.| |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
> [!IMPORTANT] > [!IMPORTANT]
> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time. > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
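Review bot: phase G says the Cloud AP provider "protects the session key using the device's TPM" unconditionally, while the cloud Kerberos trust hunk above qualifies this with "(if available)"; the two descriptions should agree, and the qualified form is the accurate one for devices without a TPM. Same phase, "the Cloud AP provider decrypt the session key" should be "decrypts", and phase E, "Lsass informs Winlogon of the success authentication", should be "successful authentication". In the IMPORTANT note, "(b) device has line of sight to the domain controller" should read "(b) the device has line of sight to a domain controller". The ordering here is worth a sentence of its own: phases A through E complete the on-premises Kerberos logon and start the desktop before the Microsoft Entra ID nonce exchange in F and G begins, so a PRT failure does not block the interactive sign-in; the table implies this but never states it.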
@ -95,13 +95,13 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
| Phase | Description | | Phase | Description |
| :----: | :----------- | | :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| |A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.| |D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| |E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.| |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
> [!IMPORTANT] > [!IMPORTANT]
> In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller. > In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.
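Review bot: phases C through G of this hunk are character-for-character identical to the key trust hunk immediately above, and the two hunks have already drifted elsewhere (the "(if available)" qualifier on TPM protection appears in the cloud Kerberos trust section but not here); suggest moving the shared phases into a single include so future edits stay in sync. In phase B, "determines the certificate isn't self-signed certificate" should read "isn't a self-signed certificate", and "chains to trusted root certificate" should read "chains to a trusted root certificate". As in the previous hunk, "decrypt the session key" should be "decrypts" and "the success authentication" should be "the successful authentication".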


@ -1,7 +1,7 @@
--- ---
title: How Windows Hello for Business provisioning works title: How Windows Hello for Business provisioning works
description: Learn about the provisioning flows for Windows Hello for Business. description: Learn about the provisioning flows for Windows Hello for Business.
ms.date: 01/03/2024 ms.date: 04/23/2024
ms.topic: reference ms.topic: reference
appliesto: appliesto:
--- ---
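Review bot: the only change shown for this file is the front matter bump of ms.date from 01/03/2024 to 04/23/2024, with no content edit in the hunk; since ms.date is read as the last-reviewed date for the article, confirm that a substantive edit to this file is part of the merge, otherwise the bump should be dropped.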

Some files were not shown because too many files have changed in this diff.