Meghan Stewart 2022-08-01 12:59:55 -07:00
commit caa6a7b8af
50 changed files with 915 additions and 930 deletions

View File

@ -6,9 +6,9 @@ metadata:
title: Internet Explorer 11 documentation title: Internet Explorer 11 documentation
description: Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need. description: Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need.
ms.topic: landing-page ms.topic: landing-page
author: lizap author: aczechowski
ms.author: elizapo ms.author: aaroncz
ms.date: 07/06/2020 ms.date: 07/29/2022
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
@ -38,14 +38,6 @@ landingContent:
url: https://www.microsoft.com/download/details.aspx?id=49974 url: https://www.microsoft.com/download/details.aspx?id=49974
- text: Cumulative security updates for Internet Explorer 11 - text: Cumulative security updates for Internet Explorer 11
url: https://www.catalog.update.microsoft.com/Search.aspx?q=cumulative%20security%20update%20for%20internet%20explorer%2011 url: https://www.catalog.update.microsoft.com/Search.aspx?q=cumulative%20security%20update%20for%20internet%20explorer%2011
- linkListType: learn
links:
- text: Getting started with Windows 10 for IT professionals
url: https://mva.microsoft.com/training-courses/getting-started-with-windows-10-for-it-professionals-10629?l=fCowqpy8_5905094681
- text: 'Windows 10: Top Features for IT Pros'
url: https://mva.microsoft.com/training-courses/windows-10-top-features-for-it-pros-16319?l=xBnT2ihhC_7306218965
- text: 'Virtual Lab: Enterprise Mode'
url: https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02
# Card # Card
- title: Plan - title: Plan
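Review bot: deleting the whole `linkListType: learn` list takes the only Enterprise Mode training pointer off this card (`Virtual Lab: Enterprise Mode`) with nothing in its place. If the hands-on lab has a successor, link it here; otherwise consider keeping a `learn` list that points at the Enterprise Mode how-to guides that survive further down in this file (`Turn on Enterprise Mode and use a site list`) so the Get started card still leads somewhere for first-time readers.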
@ -62,8 +54,6 @@ landingContent:
url: ./ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md url: ./ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
- text: Manage Windows upgrades with Upgrade Readiness - text: Manage Windows upgrades with Upgrade Readiness
url: /windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness url: /windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness
- text: 'Demo: Plan and manage Windows 10 upgrades and feature updates with'
url: https://techcommunity.microsoft.com/t5/Microsoft-Ignite-Content-2017/Windows-Analytics-Plan-and-manage-Windows-10-upgrades-and/td-p/98639
- linkListType: how-to-guide - linkListType: how-to-guide
links: links:
- text: Turn on Enterprise Mode and use a site list - text: Turn on Enterprise Mode and use a site list
@ -125,11 +115,7 @@ landingContent:
- text: Out-of-date ActiveX control blocking - text: Out-of-date ActiveX control blocking
url: ./ie11-deploy-guide/out-of-date-activex-control-blocking.md url: ./ie11-deploy-guide/out-of-date-activex-control-blocking.md
- text: Update to block out-of-date ActiveX controls in Internet Explorer - text: Update to block out-of-date ActiveX controls in Internet Explorer
url: https://support.microsoft.com/help/2991000/update-to-block-out-of-date-activex-controls-in-internet-explorer url: https://support.microsoft.com/topic/update-to-block-out-of-date-activex-controls-in-internet-explorer-39ced8f8-5d98-3c7b-4792-b62fad4e2277
- text: Script to join user to AD with automatic Local user Profile Migration
url: https://gallery.technet.microsoft.com/scriptcenter/script-to-join-active-7b16d9d3
- text: Scripts for IT professionals
url: https://gallery.technet.microsoft.com/scriptcenter/site/search?query=Microsoft%20Edge%20or%20Internet
# Card # Card
- title: Support - title: Support
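Review bot: the replacement `support.microsoft.com/topic/...` URL for the out-of-date ActiveX control blocking update drops the KB number (2991000) that the old `support.microsoft.com/help/2991000/...` URL carried; readers searching the Update Catalog go by that number, so consider keeping it in the link text. Removing the two retired `gallery.technet.microsoft.com` script links is right, but the `Scripts for IT professionals` entry has no replacement, so this card no longer has any scripting pointer.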
@ -137,25 +123,19 @@ landingContent:
- linkListType: get-started - linkListType: get-started
links: links:
- text: Change or reset Internet Explorer settings - text: Change or reset Internet Explorer settings
url: https://support.microsoft.com/help/17441/windows-internet-explorer-change-reset-settings url: https://support.microsoft.com/windows/change-or-reset-internet-explorer-settings-2d4bac50-5762-91c5-a057-a922533f77d5
- text: Troubleshoot problems with setup, installation, auto configuration, and more - text: Troubleshoot problems with setup, installation, auto configuration, and more
url: ./ie11-deploy-guide/troubleshoot-ie11.md url: ./ie11-deploy-guide/troubleshoot-ie11.md
- text: Disable VBScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone - text: Disable VBScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone
url: https://support.microsoft.com/help/4012494/option-to-disable-vbscript-execution-in-internet-explorer-for-internet url: https://support.microsoft.com/topic/option-to-disable-vbscript-execution-in-internet-explorer-for-internet-zone-and-restricted-sites-zone-3a2104c0-5af0-9aae-6c57-8207d3cb3e65
- text: Frequently asked questions about IEAK 11 - text: Frequently asked questions about IEAK 11
url: ./ie11-faq/faq-ieak11.yml url: ./ie11-faq/faq-ieak11.yml
- text: Internet Explorer 8, 9, 10, 11 forum - text: Internet Explorer 8, 9, 10, 11 forum
url: https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver url: https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver
- text: Contact a Microsoft support professional - text: Contact a Microsoft support professional
url: https://support.microsoft.com/contactus url: https://support.microsoft.com/contactus
- text: Support options for Microsoft Partners
url: https://mspartner.microsoft.com/Pages/Support/get-support.aspx
- text: Microsoft Services Premier Support
url: https://www.microsoft.com/en-us/microsoftservices/support.aspx
- text: Microsoft Small Business Support Center
url: https://smallbusiness.support.microsoft.com/product/internet-explorer
- text: General support - text: General support
url: https://support.microsoft.com/products/internet-explorer url: https://support.microsoft.com/windows/internet-explorer-help-23360e49-9cd3-4dda-ba52-705336cc0de2
# Card # Card
- title: Stay informed - title: Stay informed
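Review bot: the `Internet Explorer 8, 9, 10, 11 forum` entry still points at `https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver` while every other `social.technet` and `gallery.technet` link touched by this commit is being removed or replaced; confirm that this forum URL still resolves, and drop or replace it if it does not. The `Disable VBScript execution ...` and `Change or reset Internet Explorer settings` URL updates look correct, and the deleted partner and Premier support entries are not security-relevant.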
@ -167,4 +147,4 @@ landingContent:
- text: Microsoft Edge Dev blog - text: Microsoft Edge Dev blog
url: https://blogs.windows.com/msedgedev url: https://blogs.windows.com/msedgedev
- text: Microsoft Edge Dev on Twitter - text: Microsoft Edge Dev on Twitter
url: https://twitter.com/MSEdgeDev url: https://twitter.com/MSEdgeDev

View File

@ -2,6 +2,17 @@
## Week of July 25, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 7/26/2022 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | added |
| 7/26/2022 | [Secure the Windows boot process](/education/windows/change-home-to-edu) | modified |
| 7/25/2022 | Edit an existing topic using the Edit link | removed |
| 7/26/2022 | [Windows Hello for Business Videos](/education/windows/change-home-to-edu) | modified |
## Week of June 27, 2022 ## Week of June 27, 2022
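Review bot: the link targets in this table do not match the topic titles: `Secure the Windows boot process` and `Windows Hello for Business Videos` both link to `/education/windows/change-home-to-edu`, which is the target of the first row, so they need their own paths. The `7/25/2022 | Edit an existing topic using the Edit link | removed` row also reads like template text rather than a real topic and should be checked before this lands.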

View File

@ -44,24 +44,24 @@ productDirectory:
imageSrc: ./images/EDU-Lockbox.svg imageSrc: ./images/EDU-Lockbox.svg
links: links:
- url: /azure/active-directory/fundamentals/active-directory-deployment-checklist-p2 - url: /azure/active-directory/fundamentals/active-directory-deployment-checklist-p2
text: AAD feature deployment guide text: Azure Active Directory feature deployment guide
- url: https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Deployment-Acceleration-Guide/ba-p/334423 - url: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-information-protection-deployment-acceleration-guide/ba-p/334423
text: Azure information protection deployment acceleration guide text: Azure information protection deployment acceleration guide
- url: /cloud-app-security/getting-started-with-cloud-app-security - url: /defender-cloud-apps/get-started
text: Microsoft Defender for Cloud Apps text: Microsoft Defender for Cloud Apps
- url: /microsoft-365/compliance/create-test-tune-dlp-policy - url: /microsoft-365/compliance/create-test-tune-dlp-policy
text: Data loss prevention text: Data loss prevention
- url: /microsoft-365/compliance/ - url: /microsoft-365/compliance/
text: Microsoft 365 Compliance text: Microsoft Purview compliance
- url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx - url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx
text: Deploying Lockbox text: Deploying Lockbox
# Card # Card
- title: Analytics & insights - title: Analytics & insights
imageSrc: ./images/EDU-Education.svg imageSrc: ./images/EDU-Education.svg
links: links:
- url: /power-bi/service-admin-administering-power-bi-in-your-organization - url: /power-bi/admin/service-admin-administering-power-bi-in-your-organization
text: Power BI for IT admins text: Power BI for IT admins
- url: /dynamics365/#pivot=get-started - url: /dynamics365/
text: Dynamics 365 text: Dynamics 365
# Card # Card
- title: Find deployment help and other support resources - title: Find deployment help and other support resources
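Review bot: the `Deploying Lockbox` entry still points at the `social.technet.microsoft.com/wiki/...` article while this commit removes or replaces the other `social.technet` links; since Customer Lockbox is the access-control topic on this card, it deserves a maintained target, so please confirm that wiki page is still live or point at the current documentation. The `AAD` to `Azure Active Directory`, `/defender-cloud-apps/get-started`, and `Microsoft Purview compliance` updates look correct.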
@ -69,11 +69,9 @@ productDirectory:
links: links:
- url: /microsoft-365/education/deploy/find-deployment-help - url: /microsoft-365/education/deploy/find-deployment-help
text: IT admin help text: IT admin help
- url: https://social.technet.microsoft.com/forums/en-us/home - url: https://support.office.com/education
text: TechNet
- url: https://support.office.com/en-us/education
text: Education help center text: Education help center
- url: https://support.office.com/en-us/article/teacher-training-packs-7a9ee74a-8fe5-43d3-bc23-a55185896921 - url: /learn/educator-center/
text: Teacher training packs text: Teacher training packs
# Card # Card
- title: Check out our education journey - title: Check out our education journey
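Review bot: the `Teacher training packs` link text is kept while its URL changes from a specific support article to the general `/learn/educator-center/` landing page, so the text no longer describes where the link goes; consider renaming the entry (for example to the educator center's own title) or linking the specific training page within it. Dropping the `TechNet` forum entry is consistent with the other retirements in this commit.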
@ -98,9 +96,9 @@ additionalContent:
summary: Learn how web applications can use the API to provide a locked down experience for taking tests. summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
url: /windows/uwp/apps-for-education/take-a-test-api url: /windows/uwp/apps-for-education/take-a-test-api
# Card # Card
- title: Office Education Dev center - title: Office dev center
summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app.
url: https://developer.microsoft.com/office/edu url: https://developer.microsoft.com/office/
# Card # Card
- title: Data Streamer - title: Data Streamer
summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application. summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
@ -111,15 +109,7 @@ additionalContent:
# Card # Card
- title: Microsoft Partner Network - title: Microsoft Partner Network
summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness. summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness.
url: https://partner.microsoft.com/solutions/education url: https://partner.microsoft.com/explore/education
# Card
- title: Authorized Education Partner (AEP) program
summary: Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEUs).
url: https://www.mepn.com/
# Card
- title: Authorized Education Partner Directory
summary: Search through the list of Authorized Education Partners worldwide who can deliver on customer licensing requirements, and provide solutions and services to current and future school needs.
url: https://www.mepn.com/MEPN/AEPSearch.aspx
# Card # Card
- title: Education Partner community Yammer group - title: Education Partner community Yammer group
summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer. summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.

View File

@ -1,11 +1,7 @@
--- ---
title: Provision student PCs with apps title: Provision student PCs with apps
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
ms.prod: w10 ms.prod: w10
ms.pagetype: edu
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium ms.localizationpriority: medium
author: dansimp author: dansimp
ms.author: dansimp ms.author: dansimp
@ -15,17 +11,19 @@ manager: dansimp
--- ---
# Provision student PCs with apps # Provision student PCs with apps
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
- If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package. - If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package.
<!-- <!--
@ -46,7 +44,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur
## Create a provisioning package to add apps after initial setup ## Create a provisioning package to add apps after initial setup
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). 1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
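Review bot: the default path in step 1, `%windir%\Program Files (x86)\Windows Kits\10\...`, is wrong in the unchanged context line: `%windir%` expands to the Windows directory (normally `C:\Windows`), under which there is no `Program Files (x86)` folder. The ADK installs under the 32-bit program files directory, so the variable should be `%ProgramFiles(x86)%`. Since this hunk only touches whitespace around that line, it is a good opportunity to fix the path as well.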
@ -124,7 +122,7 @@ Universal apps that you can distribute in the provisioning package can be line-o
10. Set a value for **Package Version**. 10. Set a value for **Package Version**.
**Tip**   **Tip**
You can make changes to existing packages and change the version number to update previously applied packages. You can make changes to existing packages and change the version number to update previously applied packages.
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. 11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
@ -133,8 +131,8 @@ Universal apps that you can distribute in the provisioning package can be line-o
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
**Important**   **Important**
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p> 12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
Optionally, you can click **Browse** to change the default output location. Optionally, you can click **Browse** to change the default output location.
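Review bot: the Important note explains that once the provisioning certificate is in the device's system store, any later package signed with it is applied silently, but it does not say what that implies for the person building packages. Add a sentence that the private key of that certificate must stay under the organization's control, because anyone who can sign with it can push a package onto every device that trusts it without a prompt, and that the `Encrypt package` option in step 11 does not limit who can sign.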
@ -217,11 +215,6 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
## Learn more ## Learn more
- [Develop Universal Windows Education apps](/windows/uwp/apps-for-education/) -[Develop Universal Windows Education apps](/windows/uwp/apps-for-education/)
- [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=629651) - [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Isn't Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
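Review bot: the rewritten first list item loses the space after the hyphen, `-[Develop Universal Windows Education apps](/windows/uwp/apps-for-education/)`, so Markdown will not render it as a list item and it will appear as literal text in front of the `Build and apply a provisioning package` bullet. Restore `- [Develop ...`. Replacing the `go.microsoft.com/fwlink` redirect with the direct `/windows/configuration/provisioning-packages/provisioning-create-package` path is a good change.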
 

View File

@ -1,11 +1,7 @@
--- ---
title: Test Windows 10 in S mode on existing Windows 10 education devices title: Test Windows 10 in S mode on existing Windows 10 education devices
description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices. description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices.
keywords: Windows 10 in S mode, try, download, school, education, Windows 10 in S mode installer, existing Windows 10 education devices
ms.mktglfcycl: deploy
ms.prod: w10 ms.prod: w10
ms.pagetype: edu
ms.sitesec: library
ms.localizationpriority: medium ms.localizationpriority: medium
author: dansimp author: dansimp
ms.author: dansimp ms.author: dansimp
@ -23,53 +19,56 @@ The Windows 10 in S mode self-installer will allow you to test Windows 10 in S m
Windows 10 in S mode is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education<sup>[2](#footnote2)</sup>. Windows 10 in S mode is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education<sup>[2](#footnote2)</sup>.
Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verified by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps can't be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted and you'll only be able to install apps from the Microsoft Store. Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verified by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps can't be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted, and you'll only be able to install apps from the Microsoft Store.
**Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these configurations, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). **Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these configurations, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
**Installing Office 365 for Windows 10 in S mode (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store. **Installing Office 365 for Windows 10 in S mode (Education preview)**: To install the Office applications in a school environment, you must use the free Setup School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store.
As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they're installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 in S mode](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f). As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they're installed. For more information about Office 365 for Education plans, see [Office on Windows 10 in S mode](https://support.microsoft.com/office/office-on-windows-10-in-s-mode-717193b5-ff9f-4388-84c0-277ddf07fe3f?ui=en-us&rs=en-us&ad=us).
## Before you install Windows 10 in S mode ## Before you install Windows 10 in S mode
### Important information ### Important information
Before you install Windows 10 in S mode, be aware that non-Microsoft Store apps won't work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode: Before you install Windows 10 in S mode, understand that non-Microsoft Store apps won't work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode:
* Is intended for education customers to test compatibility with existing hardware
* May not work with some device drivers, which may not yet be ready for Windows 10 in S mode and may cause some loss in functionality - Is intended for education customers to test compatibility with existing hardware
* May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function - May not work with some device drivers, which may not yet be ready for Windows 10 in S mode and may cause some loss in functionality
* Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 in S mode is limited to Store apps only - May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function
- Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 in S mode is limited to Store apps only
> [!WARNING] > [!WARNING]
> You can install Windows 10 in S mode on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 in S mode on Windows 10 Home devices as you won't be able to activate it. > You can install Windows 10 in S mode on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 in S mode on Windows 10 Home devices as you won't be able to activate it.
* Won't run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased - Won't run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased
Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media. Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media.
Before you install Windows 10 in S mode on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device: Before you install Windows 10 in S mode on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device:
* Make sure that you updated your existing device to Windows 10, version 1703 (Creators Update).
See [Download Windows 10](https://www.microsoft.com/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**. - Make sure that you updated your existing device to Windows 10, version 1703.
* Install the latest Windows Update. To update your device to Windows 10, version 1703, see [Download Windows 10](https://www.microsoft.com/software-download/windows10). You can verify your current version in **Settings > System > About**.
- Install the latest Windows Update.
To do this task, go to **Settings > Update & security > Windows Update**. To do this task, go to **Settings > Update & security > Windows Update**.
* Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 in S mode. - Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 in S mode.
For more information on how to create the system backup, see [Create a recovery drive](#create-a-recovery-drive). For more information on how to create the system backup, see [Create a recovery drive](#create-a-recovery-drive).
## Supported devices ## Supported devices
The Windows 10 in S mode install will install and activate on the following editions of Windows 10 in use by schools: The Windows 10 in S mode install will install and activate on the following editions of Windows 10 in use by schools:
* Windows 10 Pro
* Windows 10 Pro Education
* Windows 10 Education
* Windows 10 Enterprise
Other Windows 10 editions can't be activated and aren't supported. If your device isn't running one of these supported Windows 10 editions, don't proceed with using the Windows 10 in S mode installer. Windows 10-N editions and running in virtual machines aren't supported by the Windows 10 in S mode installer. - Windows 10 Pro
- Windows 10 Pro Education
- Windows 10 Education
- Windows 10 Enterprise
Other Windows 10 editions can't be activated and aren't supported. If your device isn't running one of these supported Windows 10 editions, don't proceed with using the Windows 10 in S mode installer. Windows 10-N editions and running in virtual machines aren't supported by the Windows 10 in S mode installer.
### Preparing your device to install drivers ### Preparing your device to install drivers
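Review bot: the new text renames the app to `Setup School PCs app` in the Office 365 paragraph, while the link two lines above still reads `[Use the Set up School PCs app](use-set-up-school-pcs-app.md)` and the file name is `use-set-up-school-pcs-app.md`; keep the existing `Set up School PCs` spelling. Separately, the `> [!WARNING]` callout sits between the fourth bullet and the `Won't run current Win32 software` bullet, which orphans that last item from the list in both old and new versions; since this hunk already converts the bullets from `*` to `-`, move the callout above the list or below its last item at the same time.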
@ -77,28 +76,7 @@ Make sure all drivers are installed and working properly on your device running
### Supported devices and drivers ### Supported devices and drivers
Check with your device manufacturer before trying Windows 10 in S mode on your device to see if the drivers are available and supported by the device manufacturer. Check with your device manufacturer before trying Windows 10 in S mode on your device to see if the drivers are available and supported by the device manufacturer.
| &nbsp; | &nbsp; | &nbsp; |
| - | - | - |
| <a href="https://www.acer.com/ac/en/US/content/windows10s-compatible-list" target="_blank">Acer</a> | <a href="https://www.51cube.com/ch/win10s-help.php" target="_blank">Alldocube</a> | <a href="https://www.ibuypower.com/site/computer/windows-10-s" target="_blank">American Future Tech</a> |
| <a href="https://www.prestigio.com/support/compatibility-with-windows-10-s/" target="_blank">ASBISC</a> | <a href="https://www.asus.com/event/2017/win10S/" target="_blank">Asus</a> | <a href="https://www.atec.kr/contents/ms_info.html" target="_blank">Atec</a> |
| <a href="https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html" target="_blank">Axdia</a> | <a href="https://www.casper.com.tr/window10sdestegi" target="_blank">Casper</a> | <a href="https://www.cyberpowerpc.com/page/Windows-10-S/" target="_blank">Cyberpower</a> |
| <a href="https://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="https://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> | <a href="https://www.dell.com/support/article/us/en/19/sln307174/dell-computers-tested-for-windows-10-s?lang=en" target="_blank">Dell</a> |
| <a href="https://www.epson.jp/support/misc/windows10s.htm" target="_blank">Epson</a> | <a href="https://exo.com.ar/actualizaciones-de-windows-10" target="_blank">EXO</a> | <a href="https://www.fujitsu.com/au/products/computing/pc/microsoft/s-compatible/" target="_blank">Fujitsu</a> |
| <a href="https://apac.getac.com/support/windows10s.html" target="_blank">Getac</a> | <a href="https://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://www.onda.cn/SearchDetails.aspx?id=1654" target="_blank">Guangzhou</a> |
| <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> | <a href="https://consumer.huawei.com/cn/support/notice/detail/index.htm?id=1541" target="_blank">Huawei</a> | <a href="https://www.i-life.us/not-available/" target="_blank">I Life</a> |
| <a href="https://www.inet-tek.com/en/product-qadetail-86.html" target="_blank">iNET</a> | <a href="https://www.intel.com/content/www/us/en/support/boards-and-kits/000025096.html" target="_blank">Intel</a> | <a href="https://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> |
| <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="https://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> | <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> |
| <a href="https://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://support.microsoft.com/help/4094045/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> | <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> |
| <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="https://www.bangho.com.ar/windows10s" target="_blank">PC Arts</a> | <a href="https://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> |
| <a href="https://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="https://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="https://www.teclast.com/zt/aboutwin10s/" target="_blank">Teclast</a> |
| <a href="https://www.dospara.co.jp/support/share.php?contents=about_windows10s" target="_blank">Thirdwave</a> | <a href="https://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> | <a href="https://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> |
| <a href="https://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> | <a href="https://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> | <a href="https://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> |
| <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> | <a href="https://www.yifangdigital.com/Customerservice/win10s.aspx" target="_blank">Yifang</a> | |
> [!NOTE]
> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future.
## Kept files ## Kept files
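Review bot: removing the manufacturer table also removes the only place this section named devices, so "Supported devices and drivers" is left with a single sentence under it; a later hunk in this same file still links to `#supported-devices` ("See [Supported devices](#supported-devices)"), which did not match the heading slug of "### Supported devices and drivers" before and still does not after this change. Either rename the heading to "Supported devices" or update that link to `#supported-devices-and-drivers`.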
@ -110,12 +88,13 @@ Back up all your data before installing Windows 10 in S mode. Only personal file
## Domain join ## Domain join
Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts: Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts:
- Local administrator - Local administrator
- Microsoft account administrator - Microsoft account administrator
- Azure Active Directory administrator - Azure Active Directory administrator
> [!WARNING] > [!WARNING]
> If you don't have one of these administrator accounts accessible before migration, you'll not be able to log in to your device after migrating to Windows 10 in S mode. > If you don't have one of these administrator accounts accessible before migration, you'll not be able to sign in to your device after migrating to Windows 10 in S mode.
We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 in S mode in case you run into this issue. We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 in S mode in case you run into this issue.
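Review bot: "you'll not be able to sign in" in the warning reads awkwardly after the "log in" to "sign in" change; "you won't be able to sign in" is the natural contraction. The warning is the right place to stress the recovery-drive advice that follows it, so consider folding "create a recovery drive first" into the warning line itself rather than the sentence after it.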
@ -126,35 +105,39 @@ After installing Windows 10 in S mode, use the free [Set up School PCs app](use-
## Switch to previously installed Windows 10 editions ## Switch to previously installed Windows 10 editions
If Windows 10 in S mode isn't right for you, you can switch to the Windows 10 edition previously installed on your device(s). If Windows 10 in S mode isn't right for you, you can switch to the Windows 10 edition previously installed on your device(s).
* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](change-to-pro-education.md).
* If you try Windows 10 in S mode and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10). - Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](change-to-pro-education.md).
- If you try Windows 10 in S mode and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10).
## Device recovery ## Device recovery
Before installing Windows 10 in S mode, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 in S mode. Before installing Windows 10 in S mode, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 in S mode.
### Create a recovery drive ### Create a recovery drive
To create a recovery drive, follow these steps. To create a recovery drive, follow these steps.
1. From the taskbar, search for **Create a recovery drive** and then select it. You might be asked to enter an admin password or confirm your choice. 1. From the taskbar, search for **Create a recovery drive** and then select it. You might be asked to enter an admin password or confirm your choice.
2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then click **Next**. 2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then select **Next**.
3. Connect a USB drive to your PC, select it, and then select **Next > Create**. 3. Connect a USB drive to your PC, select it, and then select **Next > Create**.
Many files need to be copied to the recovery drive; so this process might take a while. Many files need to be copied to the recovery drive; so this process might take a while.
4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link and then select **Delete**. If not, select **Finish**. 4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link, and then select **Delete**. If not, select **Finish**.
### Go back to your previous edition of Windows 10 ### Go back to your previous edition of Windows 10
Alternatively, for 10 days after you install Windows 10 in S mode, you've the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This revert operation will keep your personal files, but it will remove installed apps and any changes you made to **Settings**. Alternatively, for 10 days after you install Windows 10 in S mode, you can go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This revert operation will keep your personal files, but it will remove installed apps and any changes you made to **Settings**.
To go back, you need to: To go back, you need to:
* Keep everything in the windows.old and $windows.~bt folders after the upgrade.
* Remove any user accounts you added after the upgrade. - Keep everything in the `windows.old` and `$windows.~bt` folders after the upgrade.
- Remove any user accounts you added after the upgrade.
If going back isn't available: If going back isn't available:
* Check if you can restore your PC to factory settings. This restoration will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**.
* If you've a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install. - Check if you can restore your PC to factory settings. This restoration will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**.
- If you've a product key for your previous version of Windows, use the media creation tool. It can create installation media of your previous Windows 10 edition, and do a clean install.
After going back to your previous edition of Windows 10, you may receive the following message when launching Win32 apps: After going back to your previous edition of Windows 10, you may receive the following message when launching Win32 apps:
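Review bot: the rewritten last bullet ("use the media creation tool. It can create installation media of your previous Windows 10 edition, and do a clean install") now attributes the clean install to the tool, whereas the original said the user uses the media to do the clean install; suggest "use the media creation tool to create installation media for your previous Windows 10 edition, then use that media to do a clean install." Two leftovers in the same hunk: "If you've a product key" should be "If you have a product key" (the contraction doesn't work with a direct object), and "Many files need to be copied to the recovery drive; so this process might take a while" should use a comma, not a semicolon, before "so".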
@ -168,14 +151,14 @@ If you see this message, follow these steps to stop receiving the message:
4. After restarting, in the **Choose an option** page, select **Troubleshoot**. 4. After restarting, in the **Choose an option** page, select **Troubleshoot**.
5. In the **Troubleshoot** page, select **Advanced options**, and in the **Advanced options** page select **UEFI Firmware Settings**. 5. In the **Troubleshoot** page, select **Advanced options**, and in the **Advanced options** page select **UEFI Firmware Settings**.
6. In the **UEFI Firmware Settings** page, select **Restart** to get to the device-specific UEFI/BIOS menu. 6. In the **UEFI Firmware Settings** page, select **Restart** to get to the device-specific UEFI/BIOS menu.
7. Once you've accessed UEFI, look for the menu item labeled **Security** or **Security Settings** and navigate to it. 7. Once you've accessed UEFI, look for the menu item labeled **Security** or **Security Settings**, and navigate to it.
8. Look for an option called **Secure boot configuration**, **Secure boot**, or **UEFI Boot**. If you can't find one of these options, check the **Boot** menu. 8. Look for an option called **Secure boot configuration**, **Secure boot**, or **UEFI Boot**. If you can't find one of these options, check the **Boot** menu.
9. Disable the secure boot/UEFI boot option. 9. Disable the secure boot/UEFI boot option.
10. Save your settings and then exit UEFI. This exit action will restart your PC. 10. Save your settings and then exit UEFI. This exit action will restart your PC.
11. After Windows is done booting up, confirm that you no longer see the message. 11. After Windows is done booting up, confirm that you no longer see the message.
> [!NOTE] > [!NOTE]
> We recommend following these steps again to re-enable the **Secure boot configuration**, **Secure boot**, or **UEFI Boot** option, which you disabled in step 9, and then subsequently re-enable BitLocker (if you previously had this enabled). > We recommend following these steps again to re-enable the **Secure boot configuration**, **Secure boot**, or **UEFI Boot** option, which you disabled in step 9, and then subsequently re-enable BitLocker (if you previously had this enabled).
### Use installation media to reinstall Windows 10 ### Use installation media to reinstall Windows 10
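Review bot: step 9 turns Secure Boot off, and the only instruction to turn it back on is the trailing note, which is easy to miss after an 11-step procedure; because Secure Boot is what validates the boot chain, consider making "re-enable Secure Boot, then re-enable BitLocker" an explicit numbered step after step 11 rather than a note, and spelling out that steps 1 to 8 are repeated to get back to the same UEFI option. The comma added in step 7 is fine; "in the **Advanced options** page select" in step 5 would read better with the same comma before "select".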
@ -195,7 +178,7 @@ To use an installation media to reinstall Windows 10, follow these steps.
If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again. If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again.
8. Select **Install now**. 8. Select **Install now**.
9. On the **Enter the product key to active Windows** page, enter a product key if you've one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/help/12440/windows-10-activation). 9. On the **Enter the product key to active Windows** page, enter a product key if you've one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227).
10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**. 10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**.
11. On the **Which type of installation do you want?** page, select **Custom**. 11. On the **Which type of installation do you want?** page, select **Custom**.
12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions. 12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions.
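Review bot: the link update in step 9 is fine, but the same line still says "**Enter the product key to active Windows**" (should be "activate") and "enter a product key if you've one" (should be "if you have one"); step 12 quotes the page title as "**where do you want to install Windows?**" with a lowercase "where" while every other quoted page title in this list is capitalized. Worth fixing while this line is being touched.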
@ -203,45 +186,49 @@ To use an installation media to reinstall Windows 10, follow these steps.
14. Follow the rest of the setup instructions to finish installing Windows 10. 14. Follow the rest of the setup instructions to finish installing Windows 10.
## Download Windows 10 in S mode ## Download Windows 10 in S mode
Ready to test Windows 10 in S mode on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information.
Ready to test Windows 10 in S mode on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information.
When you're ready, you can download the Windows 10 in S mode installer by clicking the **Download installer** button below: When you're ready, you can download the Windows 10 in S mode installer by clicking the **Download installer** button below:
> [!div class="nextstepaction" style="center"] > [!div class="nextstepaction" style="center"]
> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240) > [Download installer](https://go.microsoft.com/fwlink/?linkid=853240)
After you install Windows 10 in S mode, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default. After you install Windows 10 in S mode, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages**, select **Add a language** to add a new language or select an existing language, and set it as the default.
## Terms and Conditions ## Terms and Conditions
Because youre installing Windows 10 in S mode on a running version of Windows 10, you've already accepted the Windows 10 Terms and Conditions. you'ren't required to accept it again and the Windows 10 installer doesnt show a Terms and Conditions page during installation.
## Support Because you're installing Windows 10 in S mode on a running version of Windows 10, you've already accepted the Windows 10 Terms and Conditions. you'ren't required to accept it again and the Windows 10 installer doesn't show a Terms and Conditions page during installation.
Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you're having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This feedback is the best way to help improve Windows 10 in S mode with your feedback.
## Support
Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you're having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This feedback is the best way to help improve Windows 10 in S mode with your feedback.
Common support questions for the Windows 10 in S mode test program: Common support questions for the Windows 10 in S mode test program:
* **How do I activate if I don't have a Windows 10 in S mode product key?** ### How do I activate if I don't have a Windows 10 in S mode product key?
As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. Testing Windows 10 in S mode on a device running Windows 10 Home isn't recommended and supported at this time. As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. Testing Windows 10 in S mode on a device running Windows 10 Home isn't recommended and supported at this time.
* **Will my OEM help me run Windows 10 in S mode?** ### Will my OEM help me run Windows 10 in S mode?
OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 in S mode. When testing Windows 10 in S mode, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above. OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 in S mode. When testing Windows 10 in S mode, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above.
* **What happens when I run Reset or Fresh Start on Windows 10 in S mode?** ### What happens when I run Reset or Fresh Start on Windows 10 in S mode?
**Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 in S mode. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 in S mode. **Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 in S mode. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 in S mode.
* **What if I want to move from Windows 10 in S mode to Windows 10 Pro?** ### What if I want to move from Windows 10 in S mode to Windows 10 Pro?
If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you're testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store. If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you're testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store.
For help with activation issues, click on the appropriate link below for support options. For help with activation issues, select the appropriate link below for support options.
* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you're seeking commercial support to contact our commercial support team.
* If you don't have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/contactus/) website and choose a support option. - For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you're seeking commercial support to contact our commercial support team.
- If you don't have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/contactus/) website and choose a support option.
<p> <p>
<a name="footnote1"></a><sup>1</sup> <small>Internet access fees may apply.</small><br/> <a name="footnote1"></a><sup>1</sup> <small>Internet access fees may apply.</small><br/>
<a name="footnote2"></a><sup>2</sup> <small>Devices must be configured for educational use by applying <strong><a href="/education/windows/configure-windows-for-education#setedupolicies" data-raw-source="[SetEduPolicies](./configure-windows-for-education.md#setedupolicies)">SetEduPolicies</a></strong> using the Set up School PCs app.</small><br/> <a name="footnote2"></a><sup>2</sup> <small>Devices must be configured for educational use by applying <strong><a href="/education/windows/configure-windows-for-education#setedupolicies" data-raw-source="[SetEduPolicies](./configure-windows-for-education.md#setedupolicies)">SetEduPolicies</a></strong> using the Setup School PCs app.</small><br/>
</p> </p>
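Review bot: three issues survive this hunk. First, the Terms and Conditions paragraph still contains "you'ren't required to accept it again", which is not a word; the new line fixes the apostrophes around it but not this, so it should become "You aren't required to accept it again". Second, the footnote is changed from "Set up School PCs app" to "Setup School PCs app", but the unchanged hunk header context above ("use the free [Set up School PCs app](use-") still uses "Set up School PCs", so this edit introduces an inconsistent app name rather than fixing one. Third, the FAQ answer still links "[Supported devices](#supported-devices)" while the heading elsewhere in this file is "Supported devices and drivers"; and "isn't recommended and supported" should be "isn't recommended or supported".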

View File

@ -33,7 +33,7 @@ Provisioning your new VM includes creating a VHD file, setting up a user account
#### Create a VHD file #### Create a VHD file
For this process to work, you must have a base operating system available as a VHD image file, we recommend using the [Convert-WindowsImage.ps1](https://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f) command-line tool. For this process to work, you must have a base operating system available as a VHD image file, we recommend using the [Convert-WindowsImage.ps1](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0) command-line tool.
#### Create a VHD file with the Convert-WindowsImage command-line tool #### Create a VHD file with the Convert-WindowsImage command-line tool
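Review bot: the link move to the PowerShell Gallery is correct, but the sentence it sits in is a comma splice: "you must have a base operating system available as a VHD image file, we recommend using ..."; split it into two sentences or join with a semicolon, for example "... available as a VHD image file. We recommend using the [Convert-WindowsImage.ps1](...) command-line tool."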
@ -122,6 +122,6 @@ After you sequence your packages, you can automatically clean up any unpublished
### Related articles ### Related articles
- [Download the **Convert-WindowsImage** tool](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0) - [Download the **Convert-WindowsImage** tool](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0)
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - [Download the Windows ADK](/windows-hardware/get-started/adk-install)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md) - [How to install the App-V Sequencer](appv-install-the-sequencer.md)
- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server) - [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server)

View File

@ -1,5 +1,5 @@
--- ---
title: Deploying Microsoft Office 2010 by Using App-V (Windows 10/11) title: Deploying Microsoft Office 2010 by Using App-V
description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator. description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
author: aczechowski author: aczechowski
ms.prod: w10 ms.prod: w10
@ -33,15 +33,6 @@ The following table shows the App-V versions, methods of Office package creation
Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. For more information, see [How to Sequence a New Application with App-V 5.0](/microsoft-desktop-optimization-pack/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030). Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. For more information, see [How to Sequence a New Application with App-V 5.0](/microsoft-desktop-optimization-pack/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030).
## Creating Office 2010 App-V packages using package accelerators
Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10/11, Windows 8, and Windows 7. The following pages will show you which package accelerator is best for creating Office 2010 App-V packages on your version of Windows:
* [App-V 5.0 Package Accelerator for Office Professional Plus 2010 Windows 8](https://gallery.technet.microsoft.com/App-V-50-Package-a29410db)
* [App-V 5.0 Package Accelerator for Office Professional Plus 2010 Windows 7](https://gallery.technet.microsoft.com/App-V-50-Package-e7ef536b)
For detailed instructions on how to create virtual application packages using App-V package accelerators, see [How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md).
## Deploying the Microsoft Office package for App-V ## Deploying the Microsoft Office package for App-V
You can deploy Office 2010 packages by using any of the following App-V deployment methods: You can deploy Office 2010 packages by using any of the following App-V deployment methods:
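Review bot: deleting the "Creating Office 2010 App-V packages using package accelerators" section removes both TechNet Gallery links, which is reasonable, but the unchanged sentence just above still says sequencing is "one of the main methods for creating an Office 2010 package", and the hunk header context refers to a table of "methods of Office package creation"; if that table still lists package accelerators, it now points at a method this page no longer describes. Either keep a one-line pointer to the package-accelerator article (appv-create-a-virtual-application-package-package-accelerator.md, which the removed paragraph linked) or update the table and the "one of the main methods" wording.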
@ -73,7 +64,7 @@ The following table provides a full list of supported integration points for Off
|Primary Interop Assemblies|Support managed add-ins|| |Primary Interop Assemblies|Support managed add-ins||
|Office Document Cache Handler|Allows Document Cache for Office applications|| |Office Document Cache Handler|Allows Document Cache for Office applications||
|Outlook Protocol Search handler|User can search in Outlook|Yes| |Outlook Protocol Search handler|User can search in Outlook|Yes|
|Active X Controls:<br>- Groove.SiteClient<br>- PortalConnect.PersonalSite<br>- SharePoint.openDocuments<br>- SharePoint.ExportDatabase<br>- SharePoint.SpreadSheetLauncher<br>- SharePoint.StssyncHander<br>- SharePoint.DragUploadCtl<br>- SharePoint.DragDownloadCtl<br>- Sharpoint.OpenXMLDocuments<br> - Sharepoint.ClipboardCtl<br>- WinProj.Activator<br>- Name.NameCtrl<br>- STSUPld.CopyCtl<br>- CommunicatorMeetingJoinAx.JoinManager<br>- LISTNET.Listnet<br>- OneDrive Pro Browser Helper|Active X Control. <br><br>For more information about ActiveX controls, see the [ActiveX Control API Reference](<https://msdn.microsoft.com/library/office/ms440037(v=office.14).aspx>).|| |Active X Controls:<br>- Groove.SiteClient<br>- PortalConnect.PersonalSite<br>- SharePoint.openDocuments<br>- SharePoint.ExportDatabase<br>- SharePoint.SpreadSheetLauncher<br>- SharePoint.StssyncHander<br>- SharePoint.DragUploadCtl<br>- SharePoint.DragDownloadCtl<br>- Sharpoint.OpenXMLDocuments<br> - Sharepoint.ClipboardCtl<br>- WinProj.Activator<br>- Name.NameCtrl<br>- STSUPld.CopyCtl<br>- CommunicatorMeetingJoinAx.JoinManager<br>- LISTNET.Listnet<br>- OneDrive Pro Browser Helper|Active X Control. <br><br>For more information about ActiveX controls, see the [ActiveX Control API Reference](/previous-versions/office/developer/sharepoint-2010/ms440037(v=office.14)).||
|OneDrive Pro Icon Overlays|Windows explorer shell icon overlays when users look at folders OneDrive Pro folders|| |OneDrive Pro Icon Overlays|Windows explorer shell icon overlays when users look at folders OneDrive Pro folders||
### Connection Groups ### Connection Groups
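Review bot: the ActiveX reference link is correctly moved off msdn.microsoft.com, but the same table cell keeps "Sharpoint.OpenXMLDocuments" (looks like a typo for "SharePoint") and "SharePoint.StssyncHander" (likely "StssyncHandler"), spells the technology as "Active X" twice, and has a stray space in "<br> - Sharepoint.ClipboardCtl"; please verify the ProgIDs against the linked reference and normalize the spelling while this line is being edited.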
@ -82,4 +73,4 @@ The following table provides a full list of supported integration points for Off
### Dynamic Configuration ### Dynamic Configuration
* [About App-V Dynamic Configuration](appv-dynamic-configuration.md) * [About App-V Dynamic Configuration](appv-dynamic-configuration.md)

View File

@ -1,5 +1,5 @@
--- ---
title: Performance Guidance for Application Virtualization (Windows 10/11) title: Performance Guidance for Application Virtualization
description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
author: aczechowski author: aczechowski
ms.prod: w10 ms.prod: w10
@ -36,11 +36,11 @@ You should read and understand the following information before reading this doc
Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI). Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI).
To help determine what information is relevant to your environment, you should review each sections brief overview and applicability checklist. To help determine what information is relevant to your environment, you should review each section's brief overview and applicability checklist.
## <a href="" id="---------app-v-5-1-in-stateful--non-persistent-deployments"></a> App-V in stateful\* non-persistent deployments ## <a href="" id="---------app-v-5-1-in-stateful--non-persistent-deployments"></a> App-V in stateful\* non-persistent deployments
This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This access is achieved by uniquely addressing the often long-running App-V publishing refresh. As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesnt have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience. This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This access is achieved by uniquely addressing the often long-running App-V publishing refresh. As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesn't have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience.
Use the information in the following section for more information: Use the information in the following section for more information:
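Review bot: The sentence at L424 still has a comma problem after the apostrophe fix: "As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesn't have to actually do anything" needs a comma after "discover" so that "the basis of the approach" is the subject and "the fastest publishing refresh" its appositive. While this region is being touched, the heading anchor at L423, `id="---------app-v-5-1-in-stateful--non-persistent-deployments"`, carries leading hyphens and an "app-v-5-1" name that no longer matches the heading text; check whether anything still links to that id before leaving it as is.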
@ -54,7 +54,7 @@ Use the information in the following section for more information:
- Steps to Prepare the Base Image Whether in a non-persistent VDI or RDSH environment, only a few steps must be completed in the base image to enable this approach. - Steps to Prepare the Base Image Whether in a non-persistent VDI or RDSH environment, only a few steps must be completed in the base image to enable this approach.
- Use UE-V as the User Profile Management (UPM) solution for the App-V approach the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution. - Use UE-V as the User Profile Management (UPM) solution for the App-V approach the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution.
[User Experience Walk-through](#bkmk-uewt) [User Experience Walk-through](#bkmk-uewt)
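Review bot: The separator between the bullet label and its explanation is gone on the new side of both list items, so "Steps to Prepare the Base Image Whether in a non-persistent VDI or RDSH environment" and "the App-V approach the cornerstone of this approach" now read as run-ons. Put a colon (or the original dash, as a plain hyphen) back after "Base Image" and after "approach" so each item keeps its label.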
@ -122,8 +122,7 @@ The following information displays the required steps to prepare the base image
- Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md). - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
- Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps. - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
- Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the - Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
- Configure Preserve User Integrations on Login Registry DWORD. - Configure Preserve User Integrations on Login Registry DWORD.
- Pre-configure all global-targeted packages, for example, **Add-AppvClientPackage**. - Pre-configure all global-targeted packages, for example, **Add-AppvClientPackage**.
- Pre-configure all global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**. - Pre-configure all global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**.
@ -144,7 +143,7 @@ For critical App-V Client configurations and for a little more context and how-t
For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh. For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.
If you dont plan to pre-configure every available user package in the base image, use this setting. If you don't plan to pre-configure every available user package in the base image, use this setting.
- Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`. - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`.
- Create the DWORD value **PreserveUserIntegrationsOnLogin** with a value of 1. - Create the DWORD value **PreserveUserIntegrationsOnLogin** with a value of 1.
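Review bot: "use this setting" at L440 does not say which setting until the reader reaches the registry bullets below; name it in the sentence, for example "set **PreserveUserIntegrationsOnLogin** as follows", so the condition ("If you don't plan to pre-configure every available user package") is tied to the value that L441-L442 then tell the reader to create.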
@ -170,12 +169,10 @@ For more information, see:
- [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started) - [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started)
In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows).
> [!Note] > [!Note]
> Without performing an additional configuration step, User Environment Virtualization (UE-V) won't be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. > Without performing an additional configuration step, User Environment Virtualization (UE-V) won't be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default.
UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every users device will have the same set of applications installed to the same location and every .lnk file is valid for all the users devices. For example, UE-V wouldn't currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices. UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user's device will have the same set of applications installed to the same location and every .lnk file is valid for all the users' devices. For example, UE-V wouldn't currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices.
- If a user has an application installed on one device with .lnk files enabled and the same native application installed on another device to a different installation root with .lnk files enabled. - If a user has an application installed on one device with .lnk files enabled and the same native application installed on another device to a different installation root with .lnk files enabled.
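Review bot: Deleting L445 removes two things the surrounding text still depends on: where to obtain the App-V settings template and the instruction "Register the template." The base-image step at L432 still says "download the App-V Settings Template from the UE-V template Gallery, see the following steps", so after this change it points at steps that no longer exist. Dropping the retired gallery.technet.microsoft.com link is right, but either keep a replacement sentence that says where the template now comes from and that it must be registered (Register-UevTemplate), or update L432 in the same change so the two places agree.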
@ -306,7 +303,7 @@ This following process is a step-by-step walk-through of the App-V and UPM opera
Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (unpublished) virtual application packages, it's recommended you update the base image to reflect these changes. To understand why review the following section: Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (unpublished) virtual application packages, it's recommended you update the base image to reflect these changes. To understand why review the following section:
App-V 5.0 SP2 introduced the concept of pending states. In the past, App-V 5.0 SP2 introduced the concept of pending states. In the past,
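Review bot: The only changed line in this hunk, L452, renders identically on both sides, so the change is presumably whitespace; since the hunk is being touched anyway, the unchanged sentence at L451, "To understand why review the following section:", needs a comma after "why".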
- If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the unpublish or publish operation, respectively, would fail. - If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the unpublish or publish operation, respectively, would fail.
@ -318,37 +315,23 @@ In a non-persistent environment, it's unlikely these pended operations will be p
The following section contains lists with information about Microsoft documentation and downloads that may be useful when optimizing your environment for performance. The following section contains lists with information about Microsoft documentation and downloads that may be useful when optimizing your environment for performance.
<!-- Following bold text used to say **.NET NGEN Blog and Script (Highly Recommended)** but the script doesn't seem to exist any more. The link to the script was [Script](https://aka.ms/DrainNGenQueue) --> #### Windows Server
**.NET NGEN Blog (Highly Recommended)** Server performance tuning guidelines for [Microsoft Windows Server 2012 R2](/previous-versions/dn529133(v=vs.85))
- [How to speed up NGEN optimization](https://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx) #### Server roles
**Windows Server and Server Roles** - [Remote Desktop Virtualization Host](/previous-versions/dn567643(v=vs.85))
Server Performance Tuning Guidelines for - [Remote Desktop Session Host](/previous-versions/dn567648(v=vs.85))
- [Microsoft Windows Server 2012 R2](/previous-versions//dn529133(v=vs.85)) - [IIS Relevance: App-V Management, Publishing, Reporting Web Services](/previous-versions/dn567678(v=vs.85))
- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx)
- [Microsoft Windows Server 2008 R2](https://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx)
**Server Roles**
- [Remote Desktop Virtualization Host](/previous-versions//dn567643(v=vs.85))
- [Remote Desktop Session Host](/previous-versions//dn567648(v=vs.85))
- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](/previous-versions//dn567678(v=vs.85))
- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134210(v=ws.11)) - [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134210(v=ws.11))
**Windows Client (Guest OS) Performance Tuning Guidance** #### Windows Client (guest OS) performance tuning guidance
- [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density) - [The Microsoft Premier Field Engineer (PFE) view on Virtual Desktop (VDI) Density](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density)
- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)
- [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe) - [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe)
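Review bot: On the new side, "Server performance tuning guidelines for [Microsoft Windows Server 2012 R2]" (L457) is a bare sentence directly under "#### Windows Server" while every sibling section is a bullet list; make it a list item, or end it with a colon and indent the Server roles entries under it. Removing the ".NET NGEN Blog (Highly Recommended)" entry and the HTML comment about the missing DrainNGenQueue script is reasonable since both links were dead, but it leaves no pointer to the NGEN/mscorsvw guidance; if the rest of this document still refers to NGEN optimization, that reference now dangles. Also confirm that the new `####` level sits one level below the enclosing section heading, which is not visible in this hunk, and that fixing the doubled slash in `/previous-versions//dn529133` was intentional for all three roles links.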
@ -404,7 +387,7 @@ Removing FB1 doesn't require the original application installer. After completin
### Creating a new virtual application package on the sequencer ### Creating a new virtual application package on the sequencer
If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is installed as part of an applications installation, SxS Assembly will be automatically detected and included in the package. The administrator will be notified and will have the option to exclude the SxS Assembly. If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is installed as part of an application's installation, SxS Assembly will be automatically detected and included in the package. The administrator will be notified and will have the option to exclude the SxS Assembly.
**Client Side**: **Client Side**:

View File

@ -3253,10 +3253,7 @@ The table below shows the applicability of Windows:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Enables the IT admin to schedule the time of the update installation.
The supported data type is an integer. The supported data type is an integer.
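Review bot: The replacement sentence introduces a behavioural claim that the removed lines do not contain: "there is a window of approximately 30 minutes to allow for higher success rates of installation". Nothing in the hunk sources that figure, and a change that is otherwise cleaning up an edition note is not where a new timing statement should appear unverified; either cite where the 30-minute window is documented or keep the description as it was. Dropping the `> [!NOTE]` about Pro/Enterprise/Education editions is fine because the hunk context shows an applicability table ("The table below shows the applicability of Windows") that now carries that information. If the window sentence stays, consider keeping it as a `> [!NOTE]` callout rather than "Note that ..." inline, to match the page's style.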

View File

@ -15,18 +15,18 @@ manager: dougeby
The table below shows the applicability of Windows: The table below shows the applicability of Windows:
|Edition|Windows 11| |Edition|Windows 11|Windows 10|
|--- |--- | |--- |--- |--- |
|Home|No| |Home|No|No|
|Pro|Yes| |Pro|Yes|Yes|
|Windows SE|Yes| |Windows SE|Yes|Yes|
|Business|Yes| |Business|Yes|Yes|
|Enterprise|Yes| |Enterprise|Yes|Yes|
|Education|Yes| |Education|Yes|Yes|
The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, go to [What is Universal Print](/universal-print/fundamentals/universal-print-whatis). The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, go to [What is Universal Print](/universal-print/fundamentals/universal-print-whatis).
This CSP was added in Windows 11. This CSP was added in Windows 11 and in Windows 10 21H2 July 2022 update [KB5015807](https://support.microsoft.com/topic/july-12-2022-kb5015807-os-builds-19042-1826-19043-1826-and-19044-1826-8c8ea8fe-ec83-467d-86fb-a2f48a85eb41).
The following example shows the UniversalPrint configuration service provider in tree format. The following example shows the UniversalPrint configuration service provider in tree format.
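Review bot: The new Windows 10 column marks "Windows SE" as Yes, but Windows SE is an edition of Windows 11 only, so that cell should be No, as the other CSP applicability tables mark it. Separately, L501 says the CSP was added "in Windows 10 21H2 July 2022 update", yet the KB5015807 URL's own title lists OS builds 19042.1826, 19043.1826 and 19044.1826, that is 20H2, 21H1 and 21H2; state which of those versions actually receive the CSP (for example "Windows 10, version 20H2 and later, with the July 2022 update"), and add the minimum version to the table header or a footnote, since "Windows 10" with a plain Yes otherwise implies every Windows 10 build.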

View File

@ -66,9 +66,11 @@ The XML declaration must specify the XML version 1.0 attribute (&lt;?xml version
**Type: String** **Type: String**
UE-V uses the ```https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate``` namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag: UE-V uses the `https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate` namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
`<SettingsLocationTemplate xmlns='https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>` ```xml
<SettingsLocationTemplate xmlns='https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>
```
### <a href="" id="data21"></a>Data types ### <a href="" id="data21"></a>Data types
@ -102,7 +104,7 @@ ProcessVersion defines a type with four child elements: **Major**, **Minor**, **
Architecture enumerates two possible values: **Win32** and **Win64**. These values are used to specify process architecture. Architecture enumerates two possible values: **Win32** and **Win64**. These values are used to specify process architecture.
<a href="" id="process"></a>**Process** <a href="" id="process"></a>**Process**
The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each elements respective data type: The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element's respective data type:
|Element|Data Type|Mandatory| |Element|Data Type|Mandatory|
|--- |--- |--- | |--- |--- |--- |
@ -117,11 +119,11 @@ The Process data type is a container used to describe processes to be monitored
The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence.
<a href="" id="path"></a>**Path** <a href="" id="path"></a>**Path**
Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default=”False”. Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default="False".
Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders are not included. For registry paths, all values in the current path are captured but child registry keys are not captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders are not included. For registry paths, all values in the current path are captured but child registry keys are not captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items.
The DeleteIfNotFound attribute removes the setting from the users settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. The DeleteIfNotFound attribute removes the setting from the user's settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server.
<a href="" id="filemask"></a>**FileMask** <a href="" id="filemask"></a>**FileMask**
FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files. FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files.
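Review bot: "Both values are set to default="False"" at L522 reads as a fragment; "Both attributes default to **False**" says the same thing in the page's style. The DeleteIfNotFound description at L524 states what happens ("removes the setting from the user's settings storage path data") but not when; the attribute name implies the deletion happens when the path is not found on the device, and the text should say so explicitly, because an administrator enabling it on a Recursive path is removing data from the settings storage share for every device the user signs in from.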
@ -138,7 +140,7 @@ Settings is a container for all the settings that apply to a particular template
|Element|Description| |Element|Description|
|--- |--- | |--- |--- |
|Asynchronous|Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This is useful for settings that can be applied asynchronously, such as those get/set through an API, like SystemParameterSetting.| |Asynchronous|Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This is useful for settings that can be applied asynchronously, such as those get/set through an API, like SystemParameterSetting.|
|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to false, UE-V exports the settings even if other instances of an application are running. Suited templates those that include a Common element section that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.| |PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to 'false', UE-V exports the settings even if other instances of an application are running. Suited templates - those that include a Common element section- that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.|
|AlwaysApplySettings|This parameter forces an imported settings package to be applied even if there are no differences between the package and the current state of the application. This parameter should be used only in special cases since it can slow down settings import.| |AlwaysApplySettings|This parameter forces an imported settings package to be applied even if there are no differences between the package and the current state of the application. This parameter should be used only in special cases since it can slow down settings import.|
### <a href="" id="name21"></a>Name Element ### <a href="" id="name21"></a>Name Element
@ -208,7 +210,7 @@ Version identifies the version of the settings location template for administrat
**Type: String** **Type: String**
Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V). Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly.
### <a href="" id="processes21"></a>Processes and Process Element ### <a href="" id="processes21"></a>Processes and Process Element
@ -250,7 +252,7 @@ Filename refers to the actual file name of the executable as it appears in the f
Valid filenames must not match the regular expression \[^\\\\\\?\\\*\\|&lt;&gt;/:\]+, that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon (the \\ ? \* | &lt; &gt; / or : characters.). Valid filenames must not match the regular expression \[^\\\\\\?\\\*\\|&lt;&gt;/:\]+, that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon (the \\ ? \* | &lt; &gt; / or : characters.).
> [!TIP] > [!TIP]
> To test a string against this regex, use a PowerShell command window and substitute your executables name for **YourFileName**: > To test a string against this regex, use a PowerShell command window and substitute your executable's name for **YourFileName**:
`"YourFileName.exe" -match "[\\\?\*\|<>/:]+"` `"YourFileName.exe" -match "[\\\?\*\|<>/:]+"`
@ -269,7 +271,7 @@ A value of **True** indicates that the string contains illegal characters. Here
In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `<Filename>MyApplication.exe</Filename>` should be specified instead of `<Filename>MyApplication</Filename>`. The second example will not apply the template to the process if the actual name of the executable file is “MyApplication.exe”. In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `<Filename>MyApplication.exe</Filename>` should be specified instead of `<Filename>MyApplication</Filename>`. The second example will not apply the template to the process if the actual name of the executable file is "MyApplication.exe".
### Architecture ### Architecture
@ -279,7 +281,7 @@ In rare circumstances, the FileName value will not necessarily include the .exe
Architecture refers to the processor architecture for which the target executable was compiled. Valid values are Win32 for 32-bit applications or Win64 for 64-bit applications. If present, this tag limits the applicability of the settings location template to a particular application architecture. For an example of this, compare the %ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml files included with UE-V. This is useful when relative paths change between different versions of an executable or if settings have been added or removed when moving from one processor architecture to another. Architecture refers to the processor architecture for which the target executable was compiled. Valid values are Win32 for 32-bit applications or Win64 for 64-bit applications. If present, this tag limits the applicability of the settings location template to a particular application architecture. For an example of this, compare the %ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml files included with UE-V. This is useful when relative paths change between different versions of an executable or if settings have been added or removed when moving from one processor architecture to another.
If this element is absent, the settings location template ignores the process architecture and applies to both 32 and 64-bit processes if the file name and other attributes apply. If this element is absent, the settings location template ignores the process' architecture and applies to both 32 and 64-bit processes if the file name and other attributes apply.
> [!NOTE] > [!NOTE]
> UE-V does not support ARM processors in this version. > UE-V does not support ARM processors in this version.
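Review bot: "ignores the process' architecture" on the new side of L548 uses the wrong possessive for the singular "process"; either "process's architecture" or the original "process architecture" is correct, and the original was the simpler of the two. While this region is being touched, the unchanged path at L547, "%ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml", has a stray space after "templates\\" that a reader copying the path will pick up.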
@ -342,7 +344,7 @@ For example, in a suited application, it might be useful to provide reminders ab
ProductVersion refers to the major and minor product versions of a file, as well as a build and patch level. ProductVersion is an optional element, but if specified, it must contain at least the Major child element. The value must express a range in the form Minimum="X" Maximum="Y" where X and Y are integers. The Minimum and Maximum values can be identical. ProductVersion refers to the major and minor product versions of a file, as well as a build and patch level. ProductVersion is an optional element, but if specified, it must contain at least the Major child element. The value must express a range in the form Minimum="X" Maximum="Y" where X and Y are integers. The Minimum and Maximum values can be identical.
The product and file version elements may be left unspecified. Doing so makes the template “version agnostic”, meaning that the template will apply to all versions of the specified executable. The product and file version elements may be left unspecified. Doing so makes the template "version agnostic", meaning that the template will apply to all versions of the specified executable.
**Example 1:** **Example 1:**
@ -368,7 +370,7 @@ File version: 5.0.2.1000 specified in the UE-V template generator produces the f
</FileVersion> </FileVersion>
``` ```
**Incorrect Example 1 incomplete range:** **Incorrect Example 1 - incomplete range:**
Only the Minimum attribute is present. Maximum must be included in a range as well. Only the Minimum attribute is present. Maximum must be included in a range as well.
@ -378,7 +380,7 @@ Only the Minimum attribute is present. Maximum must be included in a range as we
</ProductVersion> </ProductVersion>
``` ```
**Incorrect Example 2 Minor specified without Major element:** **Incorrect Example 2 - Minor specified without Major element:**
Only the Minor element is present. Major must be included as well. Only the Minor element is present. Major must be included as well.

View File

@ -15,13 +15,13 @@ ms.topic: article
**Applies to** **Applies to**
- Windows 10, version 1607 - Windows 10, version 1607
Before you deploy User Experience Virtualization (UE-V), review this topic for important information about the type of deployment youre planning and for preparations you can make beforehand so that your deployment is successful. If you leave this page, be sure to come back and read through the planning information in this topic. Before you deploy User Experience Virtualization (UE-V), review this topic for important information about the type of deployment you're planning and for preparations you can make beforehand so that your deployment is successful. If you leave this page, be sure to come back and read through the planning information in this topic.
## Plan your UE-V deployment ## Plan your UE-V deployment
With UE-V, you can synchronize user-defined application and operating system settings across all the devices that a user works from. Use UE-V to synchronize settings for Windows applications and custom applications, such as third-party and line-of-business applications. With UE-V, you can synchronize user-defined application and operating system settings across all the devices that a user works from. Use UE-V to synchronize settings for Windows applications and custom applications, such as third-party and line-of-business applications.
Whether you want to synchronize settings for only default Windows applications or for both Windows and custom applications, youll need to first deploy the features required to use UE-V. Whether you want to synchronize settings for only default Windows applications or for both Windows and custom applications, you'll need to first deploy the features required to use UE-V.
[Deploy required UE-V features](uev-deploy-required-features.md) [Deploy required UE-V features](uev-deploy-required-features.md)
@ -29,7 +29,7 @@ Whether you want to synchronize settings for only default Windows applications o
- [Enable the UE-V service](uev-deploy-required-features.md#enable-the-ue-v-service) on user computers - [Enable the UE-V service](uev-deploy-required-features.md#enable-the-ue-v-service) on user computers
If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), youll need to install and configure these optional additional UE-V features: If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you'll need to install and configure these optional additional UE-V features:
[Deploy UE-V for custom applications](uev-deploy-uev-for-custom-applications.md) [Deploy UE-V for custom applications](uev-deploy-uev-for-custom-applications.md)
@ -49,11 +49,11 @@ The workflow diagram below illustrates a typical UE-V deployment and the decisio
### Planning a UE-V deployment ### Planning a UE-V deployment
Review the following topics to determine which UE-V components youll be deploying. Review the following topics to determine which UE-V components you'll be deploying.
- [Decide whether to synchronize settings for custom applications](#decide-whether-to-synchronize-settings-for-custom-applications) - [Decide whether to synchronize settings for custom applications](#decide-whether-to-synchronize-settings-for-custom-applications)
If you want to synchronize settings for custom applications, youll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involves the following tasks: If you want to synchronize settings for custom applications, you'll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involves the following tasks:
- Review the [settings that are synchronized automatically in a UE-V deployment](#settings-automatically-synchronized-in-a-ue-v-deployment). - Review the [settings that are synchronized automatically in a UE-V deployment](#settings-automatically-synchronized-in-a-ue-v-deployment).
@ -79,11 +79,7 @@ This section explains which settings are synchronized by default in UE-V, includ
- A statement of support for Windows applications setting synchronization - A statement of support for Windows applications setting synchronization
For downloadable UE-V templates, see: For downloadable UE-V templates, see: [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367)
- [Microsoft Authored Office 2016 UE-V Templates](https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8)
- [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367) (for Office 2013 and Office 2010)
### Desktop applications synchronized by default in UE-V ### Desktop applications synchronized by default in UE-V
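Review bot: dropping the qualifier "(for Office 2013 and Office 2010)" from the download-center link leaves the reader to assume it also covers Office 2016, which the removed TechNet link used to serve. Suggest keeping the qualifier, e.g. "For downloadable UE-V templates, see: [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367) (for Office 2013 and Office 2010)", and, since the Office 2016 gallery link has no replacement, stating that the Office 2016 template ships with UE-V in Windows 10, version 1607, as the Office synchronization topic in this same change already says.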
@ -91,7 +87,7 @@ When you enable the UE-V service on user devices, it registers a default group o
| Application category | Description | | Application category | Description |
|-----------------------------|-------------------| |-----------------------------|-------------------|
| Microsoft Office 2016 applications<br>[Download a list of all settings synced](https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8) | Microsoft Access 2016<br>Microsoft Lync 2016<br>Microsoft Excel 2016<br>Microsoft OneNote 2016<br>Microsoft Outlook 2016<br>Microsoft PowerPoint 2016<br>Microsoft Project 2016<br>Microsoft Publisher 2016<br>Microsoft SharePoint Designer 2013 (not updated for 2016)<br>Microsoft Visio 2016<br>Microsoft Word 2016<br>Microsoft Office Upload Manager<br>Microsoft Infopath has been removed (deprecated) from the Office 2016 suite | | Microsoft Office 2016 applications | Microsoft Access 2016<br>Microsoft Lync 2016<br>Microsoft Excel 2016<br>Microsoft OneNote 2016<br>Microsoft Outlook 2016<br>Microsoft PowerPoint 2016<br>Microsoft Project 2016<br>Microsoft Publisher 2016<br>Microsoft SharePoint Designer 2013 (not updated for 2016)<br>Microsoft Visio 2016<br>Microsoft Word 2016<br>Microsoft Office Upload Manager<br>Microsoft Infopath has been removed (deprecated) from the Office 2016 suite |
| Microsoft Office 2013 applications<br>[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013<br>Microsoft Excel 2013<br>Microsoft Outlook 2013<br>Microsoft Access 2013<br>Microsoft Project 2013<br>Microsoft PowerPoint 2013<br>Microsoft Publisher 2013<br>Microsoft Visio 2013<br>Microsoft InfoPath 2013<br>Microsoft Lync 2013<br>Microsoft OneNote 2013<br>Microsoft SharePoint Designer 2013<br>Microsoft Office 2013 Upload Center<br>Microsoft OneDrive for Business 2013 | Microsoft Office 2013 applications<br>[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013<br>Microsoft Excel 2013<br>Microsoft Outlook 2013<br>Microsoft Access 2013<br>Microsoft Project 2013<br>Microsoft PowerPoint 2013<br>Microsoft Publisher 2013<br>Microsoft Visio 2013<br>Microsoft InfoPath 2013<br>Microsoft Lync 2013<br>Microsoft OneNote 2013<br>Microsoft SharePoint Designer 2013<br>Microsoft Office 2013 Upload Center<br>Microsoft OneDrive for Business 2013
| Microsoft Office 2010 applications<br>[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010<br>Microsoft Excel 2010<br>Microsoft Outlook 2010<br>Microsoft Access 2010<br>Microsoft Project 2010<br>Microsoft PowerPoint 2010<br>Microsoft Publisher 2010<br>Microsoft Visio 2010<br>Microsoft SharePoint Workspace 2010<br>Microsoft InfoPath 2010<br>Microsoft Lync 2010<br>Microsoft OneNote 2010<br>Microsoft SharePoint Designer 2010 | | Microsoft Office 2010 applications<br>[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010<br>Microsoft Excel 2010<br>Microsoft Outlook 2010<br>Microsoft Access 2010<br>Microsoft Project 2010<br>Microsoft PowerPoint 2010<br>Microsoft Publisher 2010<br>Microsoft Visio 2010<br>Microsoft SharePoint Workspace 2010<br>Microsoft InfoPath 2010<br>Microsoft Lync 2010<br>Microsoft OneNote 2010<br>Microsoft SharePoint Designer 2010 |
| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.<br>**Note**<br>UE-V does not roam settings for Internet Explorer cookies. | | Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.<br>**Note**<br>UE-V does not roam settings for Internet Explorer cookies. |
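Review bot: the Office 2016 row loses its "Download a list of all settings synced" link while the Office 2013 and Office 2010 rows keep theirs, so the table is now inconsistent and gives no way to see which Office 2016 settings roam. Either point the 2016 row at whatever replaces the retired gallery, or drop the sub-links from all three rows. The Office 2013 context row also appears to end without a closing "|" unlike the rows above and below it; worth checking in the source.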
@ -120,7 +116,7 @@ UE-V includes settings location templates that capture settings values for these
| **Application Settings** | Windows applications | Close application<br>Windows application settings change event | Start the UE-V App Monitor at startup<br>Open app<br>Windows application settings change event<br>Arrival of a settings package | | **Application Settings** | Windows applications | Close application<br>Windows application settings change event | Start the UE-V App Monitor at startup<br>Open app<br>Windows application settings change event<br>Arrival of a settings package |
| | Desktop applications | Application closes | Application opens and closes | | | Desktop applications | Application closes | Application opens and closes |
| **Desktop settings** | Desktop background | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs | | **Desktop settings** | Desktop background | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs |
| | Ease of Access (Common Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on | | | Ease of Access (Common - Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on |
| | Ease of Access (Shell - Audio, Accessibility, Keyboard, Mouse) | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs | | | Ease of Access (Shell - Audio, Accessibility, Keyboard, Mouse) | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs |
| | Desktop settings | Lock or log off | Log on | | | Desktop settings | Lock or log off | Log on |
@ -150,7 +146,7 @@ Printer roaming in UE-V requires one of these scenarios:
### Determine whether you need settings synchronized for other applications ### Determine whether you need settings synchronized for other applications
After you have reviewed the settings that are synchronized automatically in a UE-V deployment, youll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise. After you have reviewed the settings that are synchronized automatically in a UE-V deployment, you'll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise.
As an administrator, when you consider which desktop applications to include in your UE-V solution, consider which settings can be customized by users, and how and where the application stores its settings. Not all desktop applications have settings that can be customized or that are routinely customized by users. In addition, not all desktop applications settings can be synchronized safely across multiple devices or environments. As an administrator, when you consider which desktop applications to include in your UE-V solution, consider which settings can be customized by users, and how and where the application stores its settings. Not all desktop applications have settings that can be customized or that are routinely customized by users. In addition, not all desktop applications settings can be synchronized safely across multiple devices or environments.
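Review bot: while converting apostrophes here, the context line "not all desktop applications settings can be synchronized safely" still lacks the possessive and should read "not all desktop applications' settings can be synchronized safely".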
@ -164,7 +160,7 @@ In general, you can synchronize settings that meet the following criteria:
### Checklist for evaluating custom applications ### Checklist for evaluating custom applications
If youve decided that you need to synchronize settings for custom applications, use this checklist to determine which applications youll include. If you've decided that you need to synchronize settings for custom applications, use this checklist to determine which applications you'll include.
| &nbsp; | Description | | &nbsp; | Description |
|-------|--------------------------| |-------|--------------------------|
@ -266,7 +262,7 @@ For more information, see the [Windows Application List](uev-managing-settings-l
### Custom UE-V settings location templates ### Custom UE-V settings location templates
If you are deploying UE-V to synchronize settings for custom applications, youll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices. If you are deploying UE-V to synchronize settings for custom applications, you'll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell. Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
@ -298,7 +294,7 @@ Specify your requirements for UE-V with standard disk capacity and network healt
UE-V uses a Server Message Block (SMB) share for the storage of settings packages. The size of settings packages varies depending on the settings information for each application. While most settings packages are small, the synchronization of potentially large files, such as desktop images, can result in poor performance, particularly on slower networks. UE-V uses a Server Message Block (SMB) share for the storage of settings packages. The size of settings packages varies depending on the settings information for each application. While most settings packages are small, the synchronization of potentially large files, such as desktop images, can result in poor performance, particularly on slower networks.
To reduce problems with network latency, create settings storage locations on the same local networks where the users computers reside. We recommend 20 MB of disk space per user for the settings storage location. To reduce problems with network latency, create settings storage locations on the same local networks where the users' computers reside. We recommend 20 MB of disk space per user for the settings storage location.
By default, UE-V synchronization times out after 2 seconds to prevent excessive lag due to a large settings package. You can configure the SyncMethod=SyncProvider setting by using [Group Policy objects](uev-configuring-uev-with-group-policy-objects.md). By default, UE-V synchronization times out after 2 seconds to prevent excessive lag due to a large settings package. You can configure the SyncMethod=SyncProvider setting by using [Group Policy objects](uev-configuring-uev-with-group-policy-objects.md).
@ -339,7 +335,7 @@ Before you proceed, ensure that your environment meets these requirements for us
> [!NOTE] > [!NOTE]
> - Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed. > - Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed.
> >
> - The “Delete Roaming Cache” policy for mandatory profiles is not supported with UE-V and should not be used. > - The "Delete Roaming Cache" policy for mandatory profiles is not supported with UE-V and should not be used.
There are no special random access memory (RAM) requirements specific to UE-V. There are no special random access memory (RAM) requirements specific to UE-V.

View File

@ -17,14 +17,11 @@ ms.topic: article
Microsoft User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. The combination of UE-V and App-V support for Office enables the same experience on virtualized instances of Office from any UE-V-enabled device or virtualized desktop. Microsoft User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. The combination of UE-V and App-V support for Office enables the same experience on virtualized instances of Office from any UE-V-enabled device or virtualized desktop.
To synchronize Office applications settings, you can download Office templates from the [User Experience Virtualization (UE-V) Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V). This resource provides Microsoft-authored UE-V settings location templates as well as community-developed settings location templates.
## Microsoft Office support in UE-V ## Microsoft Office support in UE-V
UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system. UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system.
These templates help synchronize users Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience are not included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)). These templates help synchronize users' Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience are not included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
## Synchronized Office Settings ## Synchronized Office Settings
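Review bot: removing the gallery paragraph takes away the only statement in this topic of where to obtain Office templates other than the ones installed with Windows 10, version 1607; the deployment steps further down (Template Catalog Path, Configuration Manager) still assume you have a template file to copy. Consider replacing the deleted paragraph with the download-center link the planning topic in this same change keeps, https://www.microsoft.com/download/details.aspx?id=46367, rather than deleting it outright.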
@ -56,6 +53,6 @@ You can deploy UE-V settings location template with the following methods:
For more information about using UE-V and Windows PowerShell, see [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). For more information about using UE-V and Windows PowerShell, see [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
- **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md). - **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users' computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md).
- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. - **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices.

View File

@ -10,22 +10,22 @@ ms.author: aaroncz
ms.topic: article ms.topic: article
--- ---
# What's New in UE-V # What's new in UE-V
**Applies to** **Applies to**
- Windows 10, version 1607 - Windows 10, version 1607
User Experience Virtualization (UE-V) for Windows 10, version 1607, includes these new features and capabilities compared to UE-V 2.1. See [UE-V Release notes](uev-release-notes-1607.md) for more information about the UE-V for Windows 10, version 1607 release. User Experience Virtualization (UE-V) for Windows 10, version 1607, includes these new features and capabilities compared to UE-V 2.1. For more information about the UE-V for Windows 10, version 1607 release, see [UE-V Release notes](uev-release-notes-1607.md).
## UE-V is now a feature in Windows 10 ## UE-V is a feature in Windows 10
With Windows 10, version 1607 and later releases, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack. With Windows 10, version 1607 and later releases, UE-V is included with Windows Enterprise. It's no longer part of the Microsoft Desktop Optimization Pack.
The changes in UE-V for Windows 10, version 1607 impact already existing implementations of UE-V in the following ways: The changes in UE-V for Windows 10, version 1607 impact already existing implementations of UE-V in the following ways:
- The UE-V Agent is replaced by the UE-V service. The UE-V service is installed with Windows 10, version 1607 and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the UE-V service, migrates users UE-V configurations, and updates the settings storage path. - The UE-V Agent is replaced by the UE-V service. The UE-V service is installed with Windows 10, version 1607 and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the UE-V service, migrates users' UE-V configurations, and updates the settings storage path.
- The UE-V template generator is available from the Windows 10 ADK. In previous releases of UE-V, the template generator was included in the Microsoft Desktop Optimization Pack. Although youll need to use the new template generator to create new settings location templates, existing settings location templates will continue to work. - The UE-V template generator is available from the Windows 10 ADK. In previous releases of UE-V, the template generator was included in the Microsoft Desktop Optimization Pack. Although you'll need to use the new template generator to create new settings location templates, existing settings location templates will continue to work.
- The Company Settings Center was removed and is no longer available on user devices. Users can no longer manage their synchronized settings. - The Company Settings Center was removed and is no longer available on user devices. Users can no longer manage their synchronized settings.
@ -33,11 +33,11 @@ The changes in UE-V for Windows 10, version 1607 impact already existing impleme
For more information about how to configure an existing UE-V installation after upgrading user devices to Windows 10, see [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md). For more information about how to configure an existing UE-V installation after upgrading user devices to Windows 10, see [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md).
> **Important**&nbsp;&nbsp;You can upgrade your existing UE-V installation to Windows 10 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, youll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10. > **Important**&nbsp;&nbsp;You can upgrade your existing UE-V installation to Windows 10 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you'll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10.
## New UE-V template generator is available from the Windows 10 ADK ## New UE-V template generator is available from the Windows 10 ADK
UE-V for Windows 10 includes a new template generator, available from a new location. If you are upgrading from an existing UE-V installation, youll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK). UE-V for Windows 10 includes a new template generator, available from a new location. If you are upgrading from an existing UE-V installation, you'll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK).
## Company Settings Center removed in UE-V for Windows 10, version 1607 ## Company Settings Center removed in UE-V for Windows 10, version 1607
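Review bot: the Important call-out just above the new ADK link still uses the "> **Important**&nbsp;&nbsp;" form, whereas the planning topic in this same change uses the "> [!NOTE]" alert syntax; converting it to "> [!IMPORTANT]" here would keep the set consistent. The new ADK link target (/windows-hardware/get-started/adk-install) is a relative docs path, in line with the other link fixes in the change.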
@ -57,21 +57,21 @@ Administrators can still define which user-customized application settings can s
With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V for on-premises domain-joined devices only. With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V for on-premises domain-joined devices only.
In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation. In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-enable) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation.
To configure UE-V to roam Windows desktop and application data only, change the following group policies: To configure UE-V to roam Windows desktop and application data only, change the following group policies:
- Disable “Roam Windows settings” group policy - Disable "Roam Windows settings" group policy
- Enable “Do not synchronize Windows Apps” group policy - Enable "Do not synchronize Windows Apps" group policy
For more information about using UE-V with Enterprise State Roaming, see [Settings and data roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs#what-are-the-options-for-roaming-settings-for-existing-windows-desktop-applications). For more information about using UE-V with Enterprise State Roaming, see [Settings and data roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs#what-are-the-roaming-settings-options-for-existing-windows-desktop-applications-).
Additionally, to enable Windows 10 and UE-V to work together, configure these policy settings in the Microsoft User Experience Virtualization node: Additionally, to enable Windows 10 and UE-V to work together, configure these policy settings in the Microsoft User Experience Virtualization node:
- Enable “Do Not Synchronize Windows Apps” - Enable "Do Not Synchronize Windows Apps"
- Disable “Sync Windows Settings” - Disable "Sync Windows Settings"
## Settings Synchronization Behavior Changed in UE-V for Windows 10 ## Settings Synchronization Behavior Changed in UE-V for Windows 10
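Review bot: the two policy lists in this hunk name what look like the same two settings differently ("Roam Windows settings" vs "Sync Windows Settings", "Do not synchronize Windows Apps" vs "Do Not Synchronize Windows Apps"); since the change is already touching these lines for quote characters, confirm the actual policy names in the Microsoft User Experience Virtualization node and use one spelling, or merge the two lists. Two link checks as well: the ESR link now points at the "enable" article while its text still says "Enterprise State Roaming" (the overview would be the natural target if it still exists), and the new FAQ anchor ends in a trailing hyphen ("...-desktop-applications-"), which should be verified to resolve.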
@ -100,7 +100,7 @@ Printer roaming in UE-V requires one of these scenarios:
## Office 2016 Settings Location Template ## Office 2016 Settings Location Template
UE-V for Windows 10, version 1607 includes the Microsoft Office 2016 settings location template with improved Outlook signature support. Weve added synchronization of default signature settings for new, reply, and forwarded emails. Users no longer have to choose the default signature settings. UE-V for Windows 10, version 1607 includes the Microsoft Office 2016 settings location template with improved Outlook signature support. We've added synchronization of default signature settings for new, reply, and forwarded emails. Users no longer have to choose the default signature settings.
> **Note**&nbsp;&nbsp;An Outlook profile must be created on any device on which a user wants to synchronize their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization. > **Note**&nbsp;&nbsp;An Outlook profile must be created on any device on which a user wants to synchronize their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization.
@ -112,11 +112,7 @@ To enable settings synchronization using UE-V, do one of the following:
- Do not enable the Office 365 synchronization experience during Office 2013 installation - Do not enable the Office 365 synchronization experience during Office 2013 installation
UE-V includes Office 2016, Office 2013, and Office 2010 templates. Office 2007 templates are no longer supported. Users can still use Office 2007 templates from UE-V 2.0 or earlier and can still get templates from the [User Experience Virtualization Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V). UE-V includes Office 2016, Office 2013, and Office 2010 templates.
## Related topics ## Related topics
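Review bot: deleting the whole sentence also drops the support statement "Office 2007 templates are no longer supported", which readers upgrading from UE-V 2.0 rely on. Keep that statement and remove only the retired gallery link, e.g. "UE-V includes Office 2016, Office 2013, and Office 2010 templates. Office 2007 templates are no longer supported."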

View File

@ -1,6 +1,6 @@
--- ---
title: Working with Custom UE-V Templates and the UE-V Template Generator title: Working with Custom UE-V Templates and the UE-V Template Generator
description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator. description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
author: aczechowski author: aczechowski
ms.prod: w10 ms.prod: w10
ms.date: 04/19/2017 ms.date: 04/19/2017
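Review bot: no visible difference in this front-matter hunk (title, description, author, ms.prod and ms.date are identical on both sides), so the change is presumably whitespace or line endings; if so, say so in the commit message, and if the intent was to refresh the metadata, ms.date is still 04/19/2017 and could be updated.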
@ -14,7 +14,7 @@ ms.topic: article
# Working with custom UE-V templates and the UE-V template generator # Working with custom UE-V templates and the UE-V template generator
**Applies to** **Applies to**
- Windows 10, version 1607 - Windows 10
User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those included in the default templates, you can create your own custom settings location templates with the UE-V template generator. You can also edit or validate custom settings location templates with the UE-V template generator. User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those included in the default templates, you can create your own custom settings location templates with the UE-V template generator. You can also edit or validate custom settings location templates with the UE-V template generator.
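Review bot: changing "Applies to" from "Windows 10, version 1607" to "Windows 10" in this topic while the planning and What's new topics in the same change keep "Windows 10, version 1607" makes the version scoping inconsistent; either apply the same broadening everywhere or keep 1607 here, since UE-V as a built-in Windows feature starts with that release.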
@ -33,9 +33,9 @@ Discovered settings are grouped into two categories: **Standard** and **Non-stan
The UE-V template generator opens the application as part of the discovery process. The generator can capture settings in the following locations: The UE-V template generator opens the application as part of the discovery process. The generator can capture settings in the following locations:
- **Registry Settings** Registry locations under **HKEY\_CURRENT\_USER** - **Registry Settings** - Registry locations under **HKEY\_CURRENT\_USER**
- **Application Settings Files** Files that are stored under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming** - **Application Settings Files** - Files that are stored under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming**
The UE-V template generator excludes locations, which commonly store application software files, but do not synchronize well between user computers or environments. The UE-V template generator excludes these locations. Excluded locations are as follows: The UE-V template generator excludes locations, which commonly store application software files, but do not synchronize well between user computers or environments. The UE-V template generator excludes these locations. Excluded locations are as follows:
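Review bot: the unchanged paragraph at the end of this hunk states the exclusion twice ("The UE-V template generator excludes locations, which commonly ... The UE-V template generator excludes these locations. Excluded locations are as follows:"); since the two bullets above it are already being edited, collapse this to one sentence such as "The UE-V template generator excludes the following locations, which commonly store application software files but do not synchronize well between user computers or environments:". The path in the second bullet would also read better as a single code span (`\Users\[User name]\AppData\Roaming`) than as bold segments separated by escaped backslashes.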
@ -57,7 +57,7 @@ If registry keys and files that are stored in these locations are required to sy
Use the UE-V template generator to edit settings location templates. When the revised settings are added to the templates with the UE-V template generator, the version information within the template is automatically updated to ensure that any existing templates that are deployed in the enterprise are updated correctly. Use the UE-V template generator to edit settings location templates. When the revised settings are added to the templates with the UE-V template generator, the version information within the template is automatically updated to ensure that any existing templates that are deployed in the enterprise are updated correctly.
**To edit a UE-V settings location template with the UE-V template generator** ### To edit a UE-V settings location template with the UE-V template generator
1. Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator. 1. Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator.
@ -91,7 +91,7 @@ Use the UE-V template generator to edit settings location templates. When the re
After you edit the settings location template for an application, you should test the template. Deploy the revised settings location template in a lab environment before you put it into production in the enterprise. After you edit the settings location template for an application, you should test the template. Deploy the revised settings location template in a lab environment before you put it into production in the enterprise.
**How to manually edit a settings location template** ### How to manually edit a settings location template
1. Create a local copy of the settings location template .xml file. UE-V settings location templates are .xml files that identify the locations where application store settings values. 1. Create a local copy of the settings location template .xml file. UE-V settings location templates are .xml files that identify the locations where application store settings values.
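Review bot: the context line under the new heading has a grammar slip, "the locations where application store settings values" should read "where applications store settings values"; worth fixing while the heading is being converted.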
@ -108,14 +108,14 @@ Use the UE-V template generator to edit settings location templates. When the re
6. Validate the modified settings location template file by using the UE-V template generator. 6. Validate the modified settings location template file by using the UE-V template generator.
7. You must register the edited UE-V settings location template before it can synchronize settings between client computers. To register a template, open Windows PowerShell, and then run the following cmdlet: `update-uevtemplate [templatefilename]`. You can then copy the file to the settings storage catalog. The UE-V Agent on users computers should then update as scheduled in the scheduled task. 7. You must register the edited UE-V settings location template before it can synchronize settings between client computers. To register a template, open Windows PowerShell, and then run the following cmdlet: `update-uevtemplate [templatefilename]`. You can then copy the file to the settings storage catalog. The UE-V Agent on users' computers should then update as scheduled in the scheduled task.
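Review bot: the cmdlet reference `update-uevtemplate [templatefilename]` should use the cmdlet's canonical casing, `Update-UevTemplate`, and the square brackets read as PowerShell optional-parameter syntax although the template path is required; use the doc's usual angle-bracket placeholder, e.g. `Update-UevTemplate <templatefilename>`. Also check the phrase "settings storage catalog": UE-V documentation distinguishes the settings storage location (user settings packages) from the settings template catalog (templates), and copying a registered template belongs to the latter.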
## <a href="" id="validate"></a>Validate settings location templates with the UE-V template generator ## <a href="" id="validate"></a>Validate settings location templates with the UE-V template generator
It is possible to create or edit settings location templates in an XML editor without using the UE-V template generator. If you do, you can use the UE-V template generator to validate that the new or revised XML matches the schema that has been defined for the template. It is possible to create or edit settings location templates in an XML editor without using the UE-V template generator. If you do, you can use the UE-V template generator to validate that the new or revised XML matches the schema that has been defined for the template.
**To validate a UE-V settings location template with the UE-V template generator** To validate a UE-V settings location template with the UE-V template generator:
1. Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator. 1. Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator.
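Review bot: the two other procedure labels in this file ("To edit a UE-V settings location template ..." and "How to manually edit a settings location template") are converted to `###` headings in this same change, but here the bold label becomes a plain sentence ending in a colon; use one convention for all three so the procedures are consistent and linkable.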
@ -129,35 +129,8 @@ It is possible to create or edit settings location templates in an XML editor wi
After you validate the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into a production environment in enterprise. After you validate the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into a production environment in enterprise.
## <a href="" id="share"></a>Share settings location templates with the Template Gallery ## Next steps
The [User Experience Virtualization Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V) enables administrators to share their UE-V settings location templates. Upload your settings location templates to the gallery for other users to use, and download templates that other users have created.
Before you share a settings location template on the UE-V template gallery, ensure it does not contain any personal or company information. You can use any XML viewer to open and view the contents of a settings location template file. The following template values should be reviewed before you share a template with anyone outside your company.
- Template Author Name Specify a general, non-identifying name for the template author name or exclude this data from the template.
- Template Author Email Specify a general, non-identifying template author email or exclude this data from the template.
Before you deploy any settings location template that you have downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment.
## Related topics
[Administering UE-V](uev-administering-uev.md) [Administering UE-V](uev-administering-uev.md)
[Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md) [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md)
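Review bot: deleting the Share section also removes the `id="share"` anchor, so check for inbound links to this page's #share fragment elsewhere in the repo before merging. The removed bullets about reviewing Template Author Name and Template Author Email before sharing a template outside the company remain good advice wherever the template is shared, so consider keeping a one-line version of that guidance under Next steps. The unchanged context line "before you put it into a production environment in enterprise" is also missing "the".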

View File

@ -1,5 +1,5 @@
--- ---
title: FirstExperience (Windows 10) title: FirstExperience
description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10 ms.prod: w10
author: aczechowski author: aczechowski
@ -13,18 +13,18 @@ manager: dougeby
# FirstExperience (Windows Configuration Designer reference) # FirstExperience (Windows Configuration Designer reference)
Use these settings to configure the out-of-box experience (OOBE) to set up HoloLens. Use these settings to configure the out-of-box experience (OOBE) to set up HoloLens.
## Applies to ## Applies to
| Setting | Windows client | Surface Hub | HoloLens | IoT Core | | Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | | --- | :---: | :---: | :---: | :---: |
| All settings | | | ✔️ | | | All settings | | | X | |
Setting | Description | Setting | Description |
--- | --- | --- | --- |
PreferredRegion | Enter the [geographical location identifier](/windows/win32/intl/table-of-geographical-locations) for the region. | PreferredRegion | Enter the [geographical location identifier](/windows/win32/intl/table-of-geographical-locations) for the region. |
PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](/previous-versions/windows/embedded/ms912391(v=winembedded.11)) | PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](/previous-versions/windows/embedded/ms912391(v=winembedded.11)) |
SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration. | SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration. |
SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training. | SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training. |
SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.<br><br>**Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md). | SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.<br><br>**Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](/hololens/hololens2-start). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md). |
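Review bot: the Applies to table replaces ✔️ with a bare "X" for HoloLens; in a support matrix "X" is commonly read as "not supported", the opposite of what is meant, so keep the check mark or write "Yes". The retargeted links in the SkipWifi row (/hololens/hololens2-start and the #provisioning-package-hololens-wizard anchor) should be run through the link checker since the anchor name changed.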

View File

@ -7,49 +7,52 @@ ms.author: aaroncz
ms.prod: w10 ms.prod: w10
ms.localizationpriority: medium ms.localizationpriority: medium
author: aczechowski author: aczechowski
ms.topic: article ms.topic: how-to
ms.custom: seo-marvel-apr2020
--- ---
# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager # Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). This article walks you through the Zero Touch Installation (ZTI) process of Windows 10 OS deployment using Microsoft Endpoint Configuration Manager [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
## Prerequisites ## Prerequisites
In this topic, you will use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: In this article, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
- Configuration Manager current branch + all security and critical updates are installed. - Configuration Manager current branch + all security and critical updates are installed.
- Note: Procedures in this guide use ConfigMgr 1910. For information about the version of Windows 10 supported by ConfigMgr, see [Support for Windows 10](/configmgr/core/plan-design/configs/support-for-windows-10).
- The [Active Directory Schema has been extended](/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created. > [!NOTE]
- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/configmgr/core/servers/deploy/configure/configure-discovery-methods). > Procedures in this guide use Configuration Manager version 1910. For more information about the versions of Windows 10 supported by Configuration Manager, see [Support for Windows 10](/mem/configmgr/core/plan-design/configs/support-for-windows-10).
- IP range [boundaries and a boundary group](/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created. - The [Active Directory Schema has been extended](/mem/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
- The Configuration Manager [reporting services](/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured. - Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/mem/configmgr/core/servers/deploy/configure/configure-discovery-methods).
- IP range [boundaries and a boundary group](/mem/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
- The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure). - A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
- The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. - The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
- The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. - The [CMTrace tool](/mem/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
- Note: CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this is no longer needed. Configuraton Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool.
For the purposes of this guide, we will use three server computers: DC01, CM01 and HV01. > [!NOTE]
> CMTrace is automatically installed with the current branch of Configuration Manager.
For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01.
- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. - CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer does not need to be a domain member. - HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member.
All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. All server and client computers referenced in this guide are on the same subnet. This configuration isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
### Domain credentials ### Domain credentials
The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials. The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
**Active Directory domain name**: contoso.com<br> - **Active Directory domain name**: `contoso.com`
**Domain administrator username**: administrator<br> - **Domain administrator username**: `administrator`
**Domain administrator password**: pass@word1 -**Domain administrator password**: `pass@word1`
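Review bot: the new last line of this hunk, "-**Domain administrator password**: `pass@word1`", is missing the space after the hyphen, so it will not render as a list item like the two lines above it; it should read "- **Domain administrator password**: `pass@word1`". Two smaller points: the `> [!NOTE]` block inserted after the first prerequisite bullet is not indented under that bullet, which splits the bulleted list in two, so indent the note lines under the item; and the shortened CMTrace note drops the install path (Program Files\Microsoft Configuration Manager\tools\cmtrace.exe) that readers need later in this article when they are told to use CMTrace on the distribution point, so keep the path even if the version number goes.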
## Create the OU structure ## Create the OU structure
@ -60,7 +63,7 @@ On **DC01**:
To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell. To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell.
To use Windows PowerShell, copy the following commands into a text file and save it as <b>C:\Setup\Scripts\ou.ps1</b>. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension. To use Windows PowerShell, copy the following commands into a text file and save it as **C:\Setup\Scripts\ou.ps1**. Be sure that you're viewing file extensions and that you save the file with the `.ps1` extension.
```powershell ```powershell
$oulist = Import-csv -Path c:\oulist.txt $oulist = Import-csv -Path c:\oulist.txt
@ -106,10 +109,10 @@ On **DC01**:
2. Select the Service Accounts OU and create the CM\_JD account using the following settings: 2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
* Name: CM\_JD * Name: CM\_JD
* User logon name: CM\_JD * User sign-in name: CM\_JD
* Password: pass@word1 * Password: `pass@word1`
* User must change password at next logon: Clear * User must change password at next logon: Clear
* User cannot change password: Selected * User can't change password: Selected
* Password never expires: Selected * Password never expires: Selected
3. Repeat the step, but for the CM\_NAA account. 3. Repeat the step, but for the CM\_NAA account.
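Review bot: "User logon name" is the literal field label in the Active Directory Users and Computers new-user dialog, so renaming it to "User sign-in name" for style reasons makes the step no longer match the UI the reader is looking at; UI labels should stay verbatim, as the unchanged "User must change password at next logon" line two below already does. The same applies to "User can't change password", which the dialog shows as "User cannot change password".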
@ -120,13 +123,13 @@ On **DC01**:
## Configure Active Directory permissions ## Configure Active Directory permissions
In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://github.com/DeploymentArtist/SWP1/tree/master/Scripts) and copied it to C:\\Setup\\Scripts on DC01.
On **DC01**: On **DC01**:
1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt: 1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt:
``` ```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\Setup\Scripts Set-Location C:\Setup\Scripts
.\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" .\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
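Review bot: the Set-OUPermissions.ps1 source moves from a go.microsoft.com fwlink to a third-party GitHub repository referenced at its master branch; since the next line runs that script as a domain administrator on DC01 right after relaxing the execution policy, link to a specific commit (or vendor the script into the docs repo) so the referenced content cannot change under the reader, and tell readers to review the script before running it. Also, `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force` changes the machine-wide policy persistently on a domain controller; for a one-off script, `-Scope Process` limits the change to the current session.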
@ -199,7 +202,7 @@ On **CM01**:
1. Sign in as contoso\administrator. 1. Sign in as contoso\administrator.
2. Ensure the Configuration Manager Console is closed before continuing. 2. Ensure the Configuration Manager Console is closed before continuing.
5. Click Start, type **Configure ConfigManager Integration**, and run the application the following settings: 5. Select Start, type **Configure ConfigManager Integration**, and run the application the following settings:
* Site Server Name: CM01.contoso.com * Site Server Name: CM01.contoso.com
* Site code: PS1 * Site code: PS1
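Review bot: the step numbering in this hunk goes 1, 2, 5, and "run the application the following settings" is missing "with"; fix both while the Click to Select edit is being made.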
@ -214,9 +217,9 @@ Most organizations want to display their name during deployment. In this section
On **CM01**: On **CM01**:
1. Open the Configuration Manager Console, select the Administration workspace, then click **Client Settings**. 1. Open the Configuration Manager Console, select the Administration workspace, then select **Client Settings**.
2. In the right pane, right-click **Default Client Settings** and then click **Properties**. 2. In the right pane, right-click **Default Client Settings** and then select **Properties**.
3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**. 3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and select **OK**.
![figure 9.](../images/mdt-06-fig10.png) ![figure 9.](../images/mdt-06-fig10.png)
@ -261,7 +264,7 @@ On **CM01**:
Configure the CM01 distribution point for PXE. Configure the CM01 distribution point for PXE.
>[!NOTE] >[!NOTE]
>If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines. 4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
@ -275,13 +278,13 @@ On **CM01**:
The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE. The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
**Note**: These files are used by WDS. They are not used by the ConfigMgr PXE Responder. This article does not use the ConfigMgr PXE Responder. **Note**: These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder.
Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md). Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md).
## Components of Configuration Manager operating system deployment ## Components of Configuration Manager operating system deployment
Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are other components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. - **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. - **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
@ -291,26 +294,22 @@ Operating system deployment with Configuration Manager is part of the normal sof
- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. - **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). - **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. - **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager. - **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides extra task sequence templates to Configuration Manager.
**Note**  The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10. > [!NOTE]
> The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10.
## Why integrate MDT with Configuration Manager ## Why integrate MDT with Configuration Manager
As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
>[!NOTE]
>MDT installation requires the following:
>- The Windows ADK for Windows 10 (installed in the previous procedure)
>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
>- Microsoft .NET Framework
### MDT enables dynamic deployment ### MDT enables dynamic deployment
When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. When MDT is integrated with Configuration Manager, the task sequence takes other instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have a script or web services provide the settings used.
The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.
- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence.
``` syntax ``` syntax
[Settings] [Settings]
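Review bot: the NOTE listing the MDT installation prerequisites (the Windows ADK, Windows PowerShell 5.1 with the `$host` check, and the .NET Framework) is deleted on the new side with nothing replacing it; if those prerequisites are now documented elsewhere, link that article here, otherwise keep the note, since the install fails without them. Separately, "the task sequence takes other instructions from the MDT rules" loses the meaning of the original "additional instructions" (instructions on top of the task sequence's own); "additional" or "further" keeps the sense while still avoiding the flagged word if that was the goal.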
@ -342,7 +341,7 @@ The Gather action in the task sequence is reading the rules.
### MDT adds an operating system deployment simulation environment ### MDT adds an operating system deployment simulation environment
When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). When testing a deployment, it's important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
![figure 3.](../images/mdt-06-fig03.png) ![figure 3.](../images/mdt-06-fig03.png)
@ -362,26 +361,34 @@ For some deployment scenarios, you may need to prompt the user for information d
![figure 5.](../images/mdt-06-fig05.png) ![figure 5.](../images/mdt-06-fig05.png)
The optional UDI wizard open in the UDI Wizard Designer. The optional UDI wizard opens in the UDI Wizard Designer.
MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager. MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
### Why use MDT Lite Touch to create reference images ### Why use MDT Lite Touch to create reference images
You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. - You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
- Configuration Manager performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. - Configuration Manager performs deployment in the LocalSystem context. This means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
- The Configuration Manager task sequence does not suppress user interface interaction. - The Configuration Manager task sequence doesn't suppress user interface interaction.
- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured. - MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured.
- MDT Lite Touch does not require any infrastructure and is easy to delegate. - MDT Lite Touch doesn't require any infrastructure and is easy to delegate.
## Related topics ## Related articles
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
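Review bot: the Related articles list drops the trailing `<br>` from each link line, and unless a blank line now separates the entries, Markdown will run all eight links together into one paragraph; check the rendered output or put a blank line between them. Also, the caption "The optional UDI wizard open in the UDI Wizard Designer" describes the screenshot (the wizard shown open in the designer), so changing "open" to "opens" turns a caption into a statement about an action; "The optional UDI wizard, open in the UDI Wizard Designer" is the intended reading.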

View File

@ -39,12 +39,8 @@ sections:
- question: | - question: |
Can I evaluate Windows 10 Enterprise? Can I evaluate Windows 10 Enterprise?
answer: | answer: |
Yes, a 90-day evaluation of Windows 10 Enterprise is available. The evaluation is available in Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features.
> [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
- name: Drivers and compatibility - name: Drivers and compatibility
questions: questions:
- question: | - question: |
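Review bot: in the evaluation answer, "90-day Evaluation" is capitalized mid-sentence while the same answer says "90-day evaluation" in its first sentence; keep it lowercase throughout. While editing this line, "hands on experience" should be "hands-on experience". Replacing the Eval Center workaround note with a direct Evaluation Center link is fine provided the link is validated in the build, since the note existed because that page was unavailable.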
@ -74,12 +70,9 @@ sections:
- question: | - question: |
Which deployment tools support Windows 10? Which deployment tools support Windows 10?
answer: | answer: |
Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) support Windows 10.
- [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using Configuration Manager, download a free 180-day trial. - [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using it, download a free 180-day trial of [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager).
> [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
- [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment. - [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment.

View File

@ -98,9 +98,9 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati
### Do not connect to any Windows Update Internet locations ### Do not connect to any Windows Update Internet locations
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update, the Microsoft Store, or the Microsoft Store for Business.
Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working. Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Microsoft Store for Business, Windows Update for Business, and Delivery Optimization to stop working.
>[!NOTE] >[!NOTE]
>This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. >This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
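Review bot: the policy path `Windows Components\Windows update\Do not connect to any Windows Update Internet locations` uses lowercase "update" while the surrounding text writes "Windows Update"; match the name exactly as it appears in the Group Policy editor so readers can find it. The sentence listing what stops working (Microsoft Store, Microsoft Store for Business, Windows Update for Business, and Delivery Optimization) is the important operational warning here, since enabling the policy cuts the device off from every public Microsoft update service; consider breaking it into a short list so the blast radius is obvious rather than buried in a run-on sentence.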

View File

@ -7,7 +7,6 @@ ms.author: aaroncz
manager: dougeby manager: dougeby
ms.reviewer: kaushika ms.reviewer: kaushika
ms.topic: troubleshooting ms.topic: troubleshooting
ms.custom: seo-marvel-apr2020
ms.collection: highpri ms.collection: highpri
--- ---
@ -42,7 +41,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.<br><br>If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.|
## 0x80072EFD or 0x80072EFEor 0x80D02002 ## 0x80072EFD or 0x80072EFEor 0x80D02002
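Review bot: dropping the reset-script link leaves the BG_E_VALIDATION_FAILED mitigation with only the firewall check and no second step if that check does not resolve it; if the script is gone with the TechNet Gallery, either link its current location or describe the manual reset it performed so the reader is not left without a remedy. The trailing context heading `## 0x80072EFD or 0x80072EFEor 0x80D02002` is missing a space before the second "or" on both sides and could be fixed in the same commit.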
@ -84,7 +83,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. |
## 0x8024000E ## 0x8024000E
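Review bot: the WU_E_CALL_CANCELLED mitigation now ends with "You might also receive this error when we're unable to filter the results" and no longer says what to do about it; replace the removed Decline Superseded script link with its current location, or with the equivalent WSUS clean-up step, rather than leaving the cause without a remedy. The phrase "when we're unable to filter the results" also speaks in the product's voice; "when the results can't be filtered" reads correctly for the reader.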
@ -96,19 +95,19 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.<br><br>Review [KB920659](/troubleshoot/windows-server/deployment/wsus-selfupdate-not-send-automatic-updates) for instructions to resolve the issue. | | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.<br><br>For more information to resolve the issue, review [KB920659](/troubleshoot/windows-server/deployment/wsus-selfupdate-not-send-automatic-updates). |
## 0x80244007 ## 0x80244007
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows can't renew the cookies for Windows Update. <br><br>Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. | This issue occurs because Windows can't renew the cookies for Windows Update. <br><br>For more information to resolve the issue, see [0x80244007 error when Windows tries to scan for updates on a WSUS server](https://support.microsoft.com/topic/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-server-6af342d9-9af6-f3bb-b6ad-2be56bf7826e). |
## 0x80070422 ## 0x80070422
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running.<br> | | NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running. |
## 0x800f0821 ## 0x800f0821
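Review bot: "For more information to resolve the issue, review [KB920659]" in the WU_E_SETUP_SKIP_UPDATE row, and the same phrase in the WU_E_PT_SOAPCLIENT_SOAPFAULT row, read awkwardly; "For steps to resolve the issue, see ..." says the same thing. Putting `WU_E_PT_SOAP_*` in code formatting instead of escaping the asterisk is the right fix and should be applied wherever the error family is named in this article.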
@ -145,7 +144,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.<br> Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be access denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. | | E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.<br> Go to %Windir%\logs\CBS, open the last CBS.log and search for ", error" and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be access denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. |
## 0x80070570 ## 0x80070570
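Review bot: the CBS.log search string in the E_ACCESSDENIED row is given in straight quotes (", error") while the ERROR_PATH_NOT_FOUND row in the next hunk puts the same string in code formatting (`, error`); use code formatting in both so the leading comma and space are preserved by the renderer and the reader copies the exact string. In the same cell, "It could be access denied to a file, registry key" needs an "or" before "registry key".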
@ -158,14 +157,14 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for “, error” and match with the timestamp. | | ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for `, error`. Then match the results with the timestamp. |
## 0x80070020 ## 0x80070020
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus. <br> 1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/) <br> 2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon). <br> 3. Run Procmon.exe. It will start data capture automatically. <br> 4. Install the update package again <br> 5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture. <br> 6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file <br> 7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error <br> 8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”). <br> 9. Try to stop it or uninstall the process causing the error. | | ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus. <br> 1. [Perform a clean boot and retry the installation](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd) <br> 2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon). <br> 3. Run Procmon.exe. It will start data capture automatically. <br> 4. Install the update package again <br> 5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture. <br> 6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file <br> 7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. 
After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error <br> 8. In Process Monitor, filter for path and insert the file name (it should be something like "path" "contains" "filename from CBS"). <br> 9. Try to stop it or uninstall the process causing the error. |
## 0x80073701 ## 0x80073701
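Review bot: on the new side the ERROR_SHARING_VIOLATION row is broken after "search for the error." with "After finding the error line a bit above..." starting a new line; a line break inside a Markdown table cell ends the row, so steps 7 through 9 would render as stray text below the table. Keep the whole cell on one line and use `<br>` for the break, as the rest of the cell already does. The Process Monitor filter description "path" "contains" "filename from CBS" would also be clearer in code formatting, matching the `, error` change in the row above.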
@ -183,19 +182,19 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.<br> From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE* <br> Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure youre using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | | WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.<br> From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE* <br> Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure you're using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. |
## 0x80072F8F ## 0x80072F8F
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/help/3140245/). | WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392).
## 0x80072EE2 ## 0x80072EE2
| Message | Description | Mitigation | | Message | Description | Mitigation |
|---------|-------------|------------| |---------|-------------|------------|
| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager. <br> Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures). <br> If youre using the public Microsoft update servers, check that your device can access the following Windows Update endpoints: <br> `http://windowsupdate.microsoft.com` <br> `https://*.windowsupdate.microsoft.com` <br> `https://update.microsoft.com` <br> `https://*.update.microsoft.com` <br> `https://windowsupdate.com` <br> `https://*.windowsupdate.com` <br> `https://download.windowsupdate.com` <br> `https://*.download.windowsupdate.com` <br> `https://download.microsoft.com` <br> `https://*.download.windowsupdate.com` <br> `https://wustat.windows.com` <br> `https://*.wustat.windows.com` <br> `https://ntservicepack.microsoft.com` | | WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager. <br> Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures). 
<br> If you're using the public Microsoft update servers, check that your device can access the following Windows Update endpoints: <br> `http://windowsupdate.microsoft.com` <br> `https://*.windowsupdate.microsoft.com` <br> `https://update.microsoft.com` <br> `https://*.update.microsoft.com` <br> `https://windowsupdate.com` <br> `https://*.windowsupdate.com` <br> `https://download.windowsupdate.com` <br> `https://*.download.windowsupdate.com` <br> `https://download.microsoft.com` <br> `https://*.download.windowsupdate.com` <br> `https://wustat.windows.com` <br> `https://*.wustat.windows.com` <br> `https://ntservicepack.microsoft.com` |
## 0x80240022 ## 0x80240022
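Review bot: "sucesfull" in the WININET_E_CONNECTION_ABORTED row is misspelled on both sides ("successful"); the row fixes "youre" but leaves this one. In the WININET_E_TIMEOUT row, `https://*.download.windowsupdate.com` appears twice in the endpoint list (once after `https://download.windowsupdate.com` and again after `https://download.microsoft.com`); it is either a duplicate to drop or a mistyped host, so verify it against the published Windows Update endpoint list rather than guessing. That row is also split across two lines on the new side (after "...scan-failures)." and before "<br> If you're using..."), which breaks the table row in the same way as the 0x80070020 row; keep the cell on one line.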

View File

@ -1,7 +1,6 @@
--- ---
title: Step by step - Deploy Windows 10 in a test lab using MDT title: Step by step - Deploy Windows 10 in a test lab using MDT
description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT). description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
ms.custom: seo-marvel-apr2020
ms.prod: w10 ms.prod: w10
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 10/11/2017 ms.date: 10/11/2017
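Review bot: `ms.date: 10/11/2017` is left unchanged in the context lines while this commit revises the article's steps (the MDT 8443 and ADK 1703 version references are removed later in the file); bump the date so readers and the freshness report can tell the content was refreshed.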
@ -9,15 +8,14 @@ ms.reviewer:
manager: dougeby manager: dougeby
ms.author: aaroncz ms.author: aaroncz
author: aczechowski author: aczechowski
ms.topic: article ms.topic: how-to
--- ---
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit # Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
**Applies to** **Applies to**
- Windows 10 - Windows 10
> [!IMPORTANT] > [!IMPORTANT]
> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: > This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
@ -62,18 +60,18 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
```powershell ```powershell
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Stop-Process -Name Explorer Stop-Process -Name Explorer
``` ```
2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443. 1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options.
3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. 1. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. Installation might require several minutes to acquire all components.
3. If desired, re-enable IE Enhanced Security Configuration: 1. If desired, re-enable IE Enhanced Security Configuration:
```powershell ```powershell
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
Stop-Process -Name Explorer Stop-Process -Name Explorer
``` ```
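Review bot: the re-enable step uses `$AdminKey`, which is only defined in the PowerShell session that ran step 1; if the administrator opens a new window after installing MDT and the ADK, `$AdminKey` is empty and `Set-ItemProperty -Path $AdminKey` fails. Repeat the `$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"` assignment in the second block so it runs stand-alone. Also, restoring IE Enhanced Security Configuration is still labelled "If desired"; since step 1 lowers the server's browser hardening only to allow the two downloads, the guide should present re-enabling it as the expected final step rather than optional.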
@ -345,7 +343,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
```console ```console
ScanStateArgs=/ue:*\* /ui:CONTOSO\* ScanStateArgs=/ue:*\* /ui:CONTOSO\*
``` ```
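Review bot: "If desired, edit the follow line" in the ScanStateArgs paragraph should read "edit the following line"; the preceding sentence "for the purposes of this test lab clients are added to the default computers OU" also needs a comma after "test lab". Both are unchanged context here, but the paragraph is being touched in this hunk.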
@ -354,9 +352,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
```console ```console
ScanStateArgs=/all ScanStateArgs=/all
``` ```
For more information, see [ScanState Syntax](/previous-versions/windows/it-pro/windows-vista/cc749015(v=ws.10)). For more information, see [ScanState Syntax](/windows/deployment/usmt/usmt-scanstate-syntax).
4. Click **Edit Bootstap.ini** and replace text in the file with the following text: 4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
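Review bot: the trailing context line `4. Click **Edit Bootstap.ini**` misspells the file name; the MDT file is Bootstrap.ini, and a reader searching the deployment share properties for "Bootstap" will not find the button. Fix it in this commit since the surrounding step is already being edited.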
@ -641,12 +639,10 @@ Deployment logs are available on the client computer in the following locations:
You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**. You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
Tools for viewing log files, and to assist with troubleshooting are available in the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012)
Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information. Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
## Related Topics ## Related Topics
[Microsoft Deployment Toolkit](/mem/configmgr/mdt/)<BR> [Microsoft Deployment Toolkit](/mem/configmgr/mdt/)
[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
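Review bot: dropping the "Tools for viewing log files ... Configuration Manager Toolkit" sentence removes the section's only pointer to a log viewer without replacing it. If the download (`details.aspx?id=50012`) is retired, say so or point at wherever the tools now ship; otherwise readers of the logging section are left with only the Event Viewer path. Removing the trailing `<BR>` from the Related Topics link is fine.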

@ -123,10 +123,7 @@ The procedures in this guide are summarized in the following table. An estimate
Stop-Process -Name Explorer Stop-Process -Name Explorer
``` ```
1. Download **Microsoft Endpoint Configuration Manager** on SRV1. 1. Download [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
> [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished. 1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
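Review bot: step 1 now says "and extract the contents on SRV1", but extraction is exactly what step 2 walks through ("enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**"); the phrase in step 1 reads as a separate action and should be dropped or reworded to "download ... to SRV1". Removing the Evaluation Center workaround note (and its `<!-- 6049663 -->` tracking comment) is consistent with the other files in this commit.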

@ -180,11 +180,9 @@ Starting with Windows 8, the host computer's microprocessor must support second
When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab.
1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for **Windows Server** to the **C:\VHD** directory. 1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for [Windows Server](https://www.microsoft.com/evalcenter/evaluate-windows-server-2022) to the **C:\VHD** directory.
> [!NOTE] > [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
>
> The currently available downloads are Windows Server 2019 or Windows Server 2022. The rest of this article refers to "Windows Server 2012 R2" and similar variations. > The currently available downloads are Windows Server 2019 or Windows Server 2022. The rest of this article refers to "Windows Server 2012 R2" and similar variations.
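Review bot: the link text "Windows Server" points at the Windows Server 2022 evaluation page, while the remaining note still says the available downloads are 2019 or 2022 and the article body refers to "Windows Server 2012 R2". Naming the version in the link text ("Windows Server 2022") would match the note. Also check that removing the `>` separator line does not leave the NOTE and the following `> [!IMPORTANT]` block merged; two adjacent blockquotes need a blank line between them.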
> [!IMPORTANT] > [!IMPORTANT]
@ -194,10 +192,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. 3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
4. Download the **Windows 10 Enterprise** ISO file to the **C:\VHD** directory on your Hyper-V host. 4. Download the [Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) ISO file to the **C:\VHD** directory on your Hyper-V host.
> [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
You can select the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version. You can select the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version.

@ -25,8 +25,13 @@
items: items:
- name: Add and verify admin contacts - name: Add and verify admin contacts
href: deploy/windows-autopatch-admin-contacts.md href: deploy/windows-autopatch-admin-contacts.md
- name: Register your devices - name: Device registration
href: deploy/windows-autopatch-register-devices.md href:
items:
- name: Device registration overview
href: deploy/windows-autopatch-device-registration-overview.md
- name: Register your devices
href: deploy/windows-autopatch-register-devices.md
- name: Operate - name: Operate
href: operate/index.md href: operate/index.md
items: items:
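Review bot: the new "Device registration" parent node has an empty `href:`, which renders as a non-clickable heading in the TOC, while sibling parents such as "Operate" point at an index page (`operate/index.md`). Pointing the parent at `deploy/windows-autopatch-device-registration-overview.md` (and then either keeping the overview as the first child or dropping the duplicate) keeps the navigation consistent.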

@ -0,0 +1,59 @@
---
title: Device registration overview
description: This article provides and overview on how to register devices in Autopatch
ms.date: 07/28/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: andredm7
---
# Device registration overview
Windows Autopatch must [register your existing devices](windows-autopatch-register-devices.md) into its service to manage update deployments on your behalf.
The Windows Autopatch device registration process is transparent for end-users because it doesnt require devices to be reset.
The overall device registration process is:
:::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
1. IT admin identifies devices to be managed by Windows Autopatch and adds them into the **Windows Autopatch Device Registration** Azure Active Directory (AD) group.
1. Windows Autopatch then:
1. Performs device readiness prior registration (prerequisite checks).
1. Calculates the deployment ring distribution.
1. Assigns devices to one of the deployment rings based on the previous calculation.
1. Assigns devices to other Azure AD groups required for management.
1. Marks devices as active for management so it can apply its update deployment policies.
1. IT admin then monitors the device registration trends and the update deployment reports.
For more information about the device registration workflow, see the [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram) section for more technical details behind the Windows Autopatch device registration process.
## Detailed device registration workflow diagram
See the following detailed workflow diagram. The diagram covers the Windows Autopatch device registration process:
:::image type="content" source="../media/windows-autopatch-device-registration-workflow-diagram.png" alt-text="Detailed device registration workflow diagram" lightbox="../media/windows-autopatch-device-registration-workflow-diagram.png":::
| Step | Description |
| ----- | ----- |
| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
| **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. |
| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.<ol><li>Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatchs managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not ready** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasnt enrolled into Intune.</li><li>A common reason is when the Azure AD device ID is stale, it doesnt have an Intune device ID associated with it anymore. 
To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.</li><ol><li>**If yes**, it means this device is enrolled into Intune.</li><li>**If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isnt enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not Ready** tab.</li></ol></ol></ol>|
| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenants existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenants existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesnt automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). Its important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li></ol> |
| **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:<ol><li>**Modern Workplace Devices - All**</li><ol><li>This group has all devices managed by Windows Autopatch.</li></ol><li>When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**</li><ol><li>This group has all devices managed by Windows Autopatch and that have Windows 10 installed.</li></ol><li>When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**</li><ol><li>This group has all devices managed by Windows Autopatch and that have Windows 11 installed.</li></ol><li>When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**</li><ol><li>This group has all virtual devices managed by Windows Autopatch.</li></ol> |
| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Ready** tab.</li><li>The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extensions allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not ready** tabs.<ol><li>If the device was **successfully registered**, the device shows up in the **Ready** tab.</li><li>If **not**, the device shows up in the **Not ready** tab.</li></ol> |
| **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. |
## Detailed prerequisite check workflow diagram
As described in **step #4** in the previous [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram), the following diagram is a visual representation of the prerequisite construct for the Windows Autopatch device registration process. The prerequisite checks are sequentially performed.
:::image type="content" source="../media/windows-autopatch-prerequisite-check-workflow-diagram.png" alt-text="Detailed prerequisite check workflow diagram" lightbox="../media/windows-autopatch-prerequisite-check-workflow-diagram.png":::
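Review bot: in the Step 4 row, the bullet "If the device is a Windows device or not" repeats the Intune device ID check verbatim from the previous bullet ("looks to see if the Azure AD device ID has an Intune device ID associated with it ... If yes, it means this device is enrolled into Intune") instead of describing an operating-system check; presumably it should evaluate the **OperatingSystem** attribute gathered in step 3. Same row: the sentence beginning "To remediate, [clean up any stale Azure AD device records ...]" starts on a new source line, which breaks the markdown table, so join it to the previous line or use `<br>`. Smaller points: "provides and overview" in the description should be "an overview"; "Performs device readiness prior registration" should be "prior to registration"; the tab is called both "Not ready" and "Not Ready"; and the apostrophes in "doesnt", "Autopatchs", "tenants" and "Its" have been lost and need restoring.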

@ -65,7 +65,7 @@ It's recommended to detect and clean up stale devices in Azure AD before registe
To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client) - Windows 10 (1809+)/11 Enterprise and Professional edition versions (only x64 architecture).
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
- Managed by Microsoft Endpoint Manager. - Managed by Microsoft Endpoint Manager.
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements). - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
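Review bot: this replaces the link to the supported-versions page with the inline text "Windows 10 (1809+)/11 Enterprise and Professional edition versions (only x64 architecture)", but the prerequisites page edited in this same commit also lists "Pro for Workstations", and the new device registration overview checks for the Enterprise, Pro and Pro Workstation SKUs. Either include Pro for Workstations here too or keep a link to the single list so the two pages cannot drift apart.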

Binary file not shown. (Size: 34 KiB)
Binary file not shown. (Size: 560 KiB)
Binary file not shown. (Size: 317 KiB)
@ -1,7 +1,7 @@
--- ---
title: Unenroll your tenant title: Unenroll your tenant
description: This article explains what unenrollment means for your organization and what actions you must take. description: This article explains what unenrollment means for your organization and what actions you must take.
ms.date: 07/11/2022 ms.date: 07/27/2022
ms.prod: w11 ms.prod: w11
ms.technology: windows ms.technology: windows
ms.topic: how-to ms.topic: how-to
@ -22,7 +22,7 @@ If you're looking to unenroll your tenant from Windows Autopatch, this article d
Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will: Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will:
- Remove Windows Autopatch access to your tenant. - Remove Windows Autopatch access to your tenant.
- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in Deregister a device. - Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices).
- Delete all data that we've stored in the Windows Autopatch data storage. - Delete all data that we've stored in the Windows Autopatch data storage.
> [!NOTE] > [!NOTE]
@ -33,9 +33,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
| Responsibility | Description | | Responsibility | Description |
| ----- | ----- | | ----- | ----- |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We wont make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). | | Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We wont make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). |
| Windows Autopatch cloud service accounts | Windows Autopatch will remove the cloud service accounts created during the enrollment process. The accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul> | | Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We will not delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). |
| Conditional access policy | Windows Autopatch will remove the Modern Workplace Secure Workstation conditional access policy. |
| Microsoft Endpoint Manager roles | Windows Autopatch will remove the Modern Workplace Intune Admin role. |
## Your responsibilities after unenrolling your tenant ## Your responsibilities after unenrolling your tenant
@ -43,6 +41,9 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
| ----- | ----- | | ----- | ----- |
| Updates | After the Windows Autopatch service is unenrolled, well no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. | | Updates | After the Windows Autopatch service is unenrolled, well no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
| Optional Windows Autopatch configuration | Windows Autopatch wont remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you dont wish to use these policies for your devices after unenrollment, you may safely delete them. | | Optional Windows Autopatch configuration | Windows Autopatch wont remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you dont wish to use these policies for your devices after unenrollment, you may safely delete them. |
| Windows Autopatch cloud service accounts | After unenrollment, you may safely remove the cloud service accounts created during the enrollment process. The accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul> |
| Conditional access policy | After unenrollment, you may safely remove the **Modern Workplace Secure Workstation** conditional access policy. |
| Microsoft Endpoint Manager roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. |
## Unenroll from Windows Autopatch ## Unenroll from Windows Autopatch
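Review bot: these three rows move the removal of the MsAdmin, MsAdminInt and MsTest cloud service accounts, the Modern Workplace Secure Workstation conditional access policy and the Modern Workplace Intune Admin role from the service's responsibilities (the rows deleted in the previous hunk) to the customer's. Because these are privileged accounts and an admin role that the service will no longer clean up, "you may safely remove" undersells it; word it as an expected step ("remove the ... accounts after unenrollment") and consider a note near the top of the article stating that the service no longer removes them, so readers of the earlier version do not assume it still does. The **bold** on the conditional access policy name is also inconsistent with the unbolded role name in the next row.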

@ -25,7 +25,7 @@ For each check, the tool will report one of four possible results:
| Ready | No action is required before completing enrollment. | | Ready | No action is required before completing enrollment. |
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. | | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
| Not ready | You must fix these issues before enrollment. You wont be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | | Not ready | You must fix these issues before enrollment. You wont be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | | Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant is not properly licensed for Microsoft Intune. |
> [!NOTE] > [!NOTE]
> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies. > The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
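Review bot: the new Error text reads "doesn't have sufficient permission ... or your tenant is not properly licensed"; the rest of the table uses contractions ("wont", "don't"), so "isn't properly licensed" would match, and "permissions" (plural, as in the old line) is the usual wording for a role's rights.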

@ -39,11 +39,12 @@ Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The fol
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
The following Windows 64-bit editions are required for Windows Autopatch: The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch:
- Windows 10/11 Pro - x64 architecture
- Windows 10/11 Enterprise - Windows 10 (1809+)/11 Pro
- Windows 10/11 Pro for Workstations - Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
## Configuration Manager Co-management requirements ## Configuration Manager Co-management requirements
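Review bot: "The following Windows OS 10 editions, 1809 builds and architecture are supported" is hard to parse, and "x64 architecture" is listed as if it were an edition. Suggest a sentence such as "Windows Autopatch supports the following Windows 10 (version 1809 or later) and Windows 11 editions, x64 only:" followed by the three edition bullets. Also align this list with the register-devices page changed in this commit, which names only Enterprise and Professional.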

@ -45,7 +45,7 @@ items:
topicHref: /windows/security/threat-protection/auditing/security-auditing-overview topicHref: /windows/security/threat-protection/auditing/security-auditing-overview
- name: Microsoft Defender Application Guard - name: Microsoft Defender Application Guard
tocHref: /windows/security/threat-protection/microsoft-defender-application-guard/ tocHref: /windows/security/threat-protection/microsoft-defender-application-guard/
topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/ topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
- name: Security policy settings - name: Security policy settings
tocHref: /windows/security/threat-protection/security-policy-settings/ tocHref: /windows/security/threat-protection/security-policy-settings/
topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings
@ -54,4 +54,4 @@ items:
topicHref: /windows/security/threat-protection/windows-defender-application-control/ topicHref: /windows/security/threat-protection/windows-defender-application-control/
- name: Windows Defender Firewall - name: Windows Defender Firewall
tocHref: /windows/security/threat-protection/windows-firewall/ tocHref: /windows/security/threat-protection/windows-firewall/
topicHref: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security topicHref: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security

@ -316,6 +316,8 @@
href: identity-protection/credential-guard/credential-guard-known-issues.md href: identity-protection/credential-guard/credential-guard-known-issues.md
- name: Protect Remote Desktop credentials with Remote Credential Guard - name: Protect Remote Desktop credentials with Remote Credential Guard
href: identity-protection/remote-credential-guard.md href: identity-protection/remote-credential-guard.md
- name: Configuring LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
- name: Technical support policy for lost or forgotten passwords - name: Technical support policy for lost or forgotten passwords
href: identity-protection/password-support-policy.md href: identity-protection/password-support-policy.md
- name: Access Control Overview - name: Access Control Overview
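Review bot: the neighbouring entries use imperative titles ("Protect Remote Desktop credentials with Remote Credential Guard"), so "Configure LSA Protection" would be consistent with the added "Configuring LSA Protection". The `?toc=...&bc=...` query on the cross-repo href keeps the Windows security TOC and breadcrumb on the target page, which is the intended behaviour for an external entry.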

@ -0,0 +1,12 @@
items:
- name: Docs
tocHref: /
topicHref: /
items:
- name: Windows
tocHref: /windows/
topicHref: /windows/resources/
items:
- name: Security
tocHref: /windows/security/
topicHref: /windows/security/

@ -12,46 +12,56 @@ ms.date: 01/26/2022
ms.reviewer: ms.reviewer:
--- ---
# Windows Defender Credential Guard: Known issues # Windows Defender Credential Guard: Known issues
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
- Windows Server 2016 - Windows Server 2016
- Windows Server 2019 - Windows Server 2019
Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033): Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: <br> The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):
"Task Scheduler failed to log on \Test. <br>
Failure occurred in LogonUserExEx. <br> - Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
User Action: Ensure the credentials for the task are correctly specified. <br>
Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect)." ```console
- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example: Task Scheduler failed to log on '\Test'.
> Log Name: Microsoft-Windows-NTLM/Operational Failure occurred in 'LogonUserExEx'.
Source: Microsoft-Windows-Security-Netlogon User Action: Ensure the credentials for the task are correctly specified.
Event ID: 8004 Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect).
Task Category: Auditing NTLM ```
Level: Information
Description: - When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:
Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: \<Secure Channel Name> ```console
User name: Log Name: Microsoft-Windows-NTLM/Operational
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA Source: Microsoft-Windows-Security-Netlogon
Event ID: 8004
Task Category: Auditing NTLM
Level: Information
Description:
Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: <Secure Channel Name>
User name:
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
Domain name: NULL Domain name: NULL
```
- This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
- The username appears in an unusual format because local accounts arent protected by Credential Guard. The task also fails to execute. - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
- As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute.
- As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) - [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722)
This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221) This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles:
- [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657)
- [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6)
## Known issues involving third-party applications ## Known issues involving third-party applications
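Review bot: inside the new ```console fence the error name keeps its markdown escapes (`ERROR\_LOGON\_FAILURE`); fenced blocks render backslashes literally, so this should be `ERROR_LOGON_FAILURE`, matching the Win32 constant name the event reports. Also confirm that the quoting added to the Event ID 104 text (`Task Scheduler failed to log on '\Test'.` and `Failure occurred in 'LogonUserExEx'.`) matches the real event message, since readers search on that string. The rest of the hunk is an improvement: the fenced blocks preserve line breaks without the old `<br>` tags, and the relative `credential-guard-requirements.md#application-requirements` link replaces an absolute path that would break if the folder moved.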
@ -59,61 +69,47 @@ The following issue affects MSCHAPv2:
- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352). - [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
The following issue affects the Java GSS API. See the following Oracle bug database article: The following issue affects the Java GSS API. See the following Oracle bug database article:
- [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) - [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
The following issue affects Cisco AnyConnect Secure Mobility Client: The following issue affects Cisco AnyConnect Secure Mobility Client:
- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \* - [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)
*Registration required to access this article.
The following issue affects McAfee Application and Change Control (MACC): The following issue affects McAfee Application and Change Control (MACC):
- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) <sup>[1]</sup>
The following issue affects AppSense Environment Manager. - [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) <sup>[Note 1](#bkmk_note1)</sup>
For more information, see the following Knowledge Base article:
- [Installing AppSense Environment Manager on Windows machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) <sup>[1]</sup> \**
The following issue affects Citrix applications: The following issue affects Citrix applications:
- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[1]</sup>
<sup>[1]</sup> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article: - Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[Note 1](#bkmk_note1)</sup>
- [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage) <a name="bkmk_note1"></a>
For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes)
\** Registration is required to access this article.
> [!NOTE]
> **Note 1**: Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage).
>
> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes).
## Vendor support ## Vendor support
See the following article on Citrix support for Secure Boot: For more information on Citrix support for Secure Boot, see [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
Windows Defender Credential Guard isn't supported by either these products, products versions, computer systems, or Windows 10 versions: Windows Defender Credential Guard isn't supported by the following products, products versions, computer systems, or Windows 10 versions:
- For Windows Defender Credential Guard on Windows with McAfee Encryption products, see: - [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009)
[Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
- For Windows Defender Credential Guard on Windows with Check Point Endpoint Security Client, see: - [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
[Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
- For Windows Defender Credential Guard on Windows with VMWare Workstation - ["VMware Workstation and Device/Credential Guard are not compatible" error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361)
[Windows host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
- For Windows Defender Credential Guard on Windows with specific versions of the Lenovo ThinkPad - [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039)
[ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
- For Windows Defender Credential Guard on Windows with Symantec Endpoint Protection - [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
[Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
This isn't a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard. This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard.
Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
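Review bot: the McAfee/Trellix link has its knowledge base id doubled in the query string (`https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009`); it should end in `id=KB86009`. Two removals deserve a line in the commit message: the AppSense Environment Manager entry (`Installing AppSense Environment Manager on Windows machines causes LSAISO.exe to exhibit high CPU usage...`) is dropped outright rather than relinked, and the `Registration required to access this article` footnote on the Cisco AnyConnect bug is removed although the Cisco URL itself is unchanged. Small wording fixes: `products versions` should be `product versions`, and the Citrix sentence in the Vendor support section is missing its closing period.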

View File

@ -1,5 +1,5 @@
--- ---
title: How Windows Hello for Business works - Technology and Terms title: How Windows Hello for Business works - technology and terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.prod: m365-security ms.prod: m365-security
author: GitPrakhar13 author: GitPrakhar13
@ -11,275 +11,340 @@ localizationpriority: medium
ms.date: 10/08/2018 ms.date: 10/08/2018
ms.reviewer: ms.reviewer:
--- ---
# Technology and Terms
# Technology and terms
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
- [Attestation Identity Keys](#attestation-identity-keys) ## Attestation identity keys
- [Azure AD Joined](#azure-ad-joined)
- [Azure AD Registered](#azure-ad-registered)
- [Certificate Trust](#certificate-trust)
- [Cloud Deployment](#cloud-deployment)
- [Cloud Experience Host](#cloud-experience-host)
- [Deployment Type](#deployment-type)
- [Endorsement Key](#endorsement-key)
- [Federated Environment](#federated-environment)
- [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
- [Hybrid Deployment](#hybrid-deployment)
- [Join Type](#join-type)
- [Key Trust](#key-trust)
- [Managed Environment](#managed-environment)
- [On-premises Deployment](#on-premises-deployment)
- [Pass-through Authentication](#pass-through-authentication)
- [Password Hash Synchronization](#password-hash-sync)
- [Primary Refresh Token](#primary-refresh-token)
- [Storage Root Key](#storage-root-key)
- [Trust Type](#trust-type)
- [Trusted Platform Module](#trusted-platform-module)
<hr>
## Attestation Identity Keys Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
> [!NOTE] > [!NOTE]
> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. > The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. > The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device. Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. This behavior isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate.
### Related topics ### Related to attestation identity keys
[Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
### More information - [Endorsement key](#endorsement-key)
- [Windows Client Certificate Enrollment Protocol: Glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab) - [Storage root key](#storage-root-key)
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) - [Trusted platform module](#trusted-platform-module)
### More information about attestation identity keys
[Return to Top](hello-how-it-works-technology.md) - [Windows client certificate enrollment protocol: glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab)
## Azure AD Joined - [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
Azure AD Join is intended for organizations that desire to be cloud-first or cloud-only. There is no restriction on the size or type of organizations that can deploy Azure AD Join. Azure AD Join works well even in an hybrid environment and can enable access to on-premise applications and resources.
### Related topics
[Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
### More information ## Azure Active Directory join
- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction).
[Return to Top](hello-how-it-works-technology.md) Azure Active Directory (Azure AD) join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Azure AD join. Azure AD join also works in a hybrid environment and can enable access to on-premises applications and resources.
## Azure AD Registered
The goal of Azure AD registered devices is to provide you with support for the Bring Your Own Device (BYOD) scenario. In this scenario, a user can access your organization's Azure Active Directory controlled resources using a personal device.
### Related topics
[Azure AD Joined](#azure-ad-joined), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Join Type](#join-type)
### More information ### Related to Azure AD join
- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction)
- [Join type](#join-type)
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
[Return to Top](hello-how-it-works-technology.md) ### More information about Azure AD join
## Certificate Trust
The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers.
### Related topics [Introduction to device identity in Azure AD](/azure/active-directory/devices/overview).
[Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)
### More information ## Azure AD registration
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
[Return to Top](hello-how-it-works-technology.md) The goal of Azure AD-registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Azure AD-controlled resources using a personal device.
## Cloud Deployment
The Windows Hello for Business Cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD joined or Azure AD registered device join types.
### Related topics ### Related to Azure AD registration
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Deployment Type](#deployment-type), [Join Type](#join-type)
[Return to Top](hello-how-it-works-technology.md) - [Azure AD join](#azure-active-directory-join)
## Cloud Experience Host - [Hybrid Azure AD join](#hybrid-azure-ad-join)
In Windows 10 and Windows 11, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. - [Join type](#join-type)
### Related topics ### More information about Azure AD registration
[Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md)
### More information [Introduction to device identity in Azure AD](/azure/active-directory/devices/overview).
- [Windows Hello for Business and Device Registration](./hello-how-it-works-device-registration.md)
[Return to Top](hello-how-it-works-technology.md) ## Certificate trust
The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers.
### Related to certificate trust
- [Deployment type](#deployment-type)
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
- [Hybrid deployment](#hybrid-deployment)
- [Key trust](#key-trust)
- [On-premises deployment](#on-premises-deployment)
- [Trust type](#trust-type)
### More information about certificate trust
[Windows Hello for Business planning guide](hello-planning-guide.md)
## Cloud deployment
The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD-joined or Azure AD-registered devices.
### Related to cloud deployment
- [Azure AD join](#azure-active-directory-join)
- [Azure AD registration](#azure-ad-registration)
- [Deployment type](#deployment-type)
- [Join type](#join-type)
## Cloud experience host
In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
### Related to cloud experience host
- [Windows Hello for Business](./hello-identity-verification.md)
- [Managed Windows Hello in organization](./hello-manage-in-organization.md)
### More information on cloud experience host
[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md)
## Deployment type
Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
## Deployment Type
Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
- Cloud - Cloud
- Hybrid - Hybrid
- On-Premises - On-premises
### Related topics ### Related to deployment type
[Cloud Deployment](#cloud-deployment), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment)
### More information - [Cloud deployment](#cloud-deployment)
- [Windows Hello for Business Planning Guide](hello-planning-guide.md) - [Hybrid deployment](#hybrid-deployment)
- [On-premises deployment](#on-premises-deployment)
[Return to Top](hello-how-it-works-technology.md) ### More information about deployment type
## Endorsement Key
[Windows Hello for Business planning guide](hello-planning-guide.md)
## Endorsement key
The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).
The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs.
The endorsement key acts as an identity card for the TPM. The endorsement key acts as an identity card for the TPM.
The endorsement key is often accompanied by one or two digital certificates: The endorsement key is often accompanied by one or two digital certificates:
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11. For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11.
### Related topics ### Related to endorsement key
[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
### More information - [Attestation identity keys](#attestation-identity-keys)
- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)). - [Storage root key](#storage-root-key)
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) - [Trusted platform module](#trusted-platform-module)
[Return to Top](hello-how-it-works-technology.md) ### More information about endorsement key
## Federated Environment
Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure Active Directory and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they do not have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide additional authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
### Related topics - [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11))
[Hybrid Deployment](#hybrid-deployment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Sync](#password-hash-sync) - [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
### More information ## Federated environment
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
### Related to federated environment
- [Hybrid deployment](#hybrid-deployment)
- [Managed environment](#managed-environment)
- [Pass-through authentication](#pass-through-authentication)
- [Password hash sync](#password-hash-sync)
### More information about federated environment
[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
## Hybrid Azure AD join
[Return to Top](hello-how-it-works-technology.md)
## Hybrid Azure AD Joined
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
- IT departments to manage work-owned devices from a central location. - IT departments to manage work-owned devices from a central location.
- Users to sign in to their devices with their Active Directory work or school accounts. - Users to sign in to their devices with their Active Directory work or school accounts.
Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy (GP) to manage them.
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD-joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them.
### Related topics If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure AD, you can implement hybrid Azure AD-joined devices. These devices are joined to both your on-premises Active Directory and your Azure AD.
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Deployment](#hybrid-deployment)
### More information ### Related to hybrid Azure AD join
- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction)
[Return to Top](hello-how-it-works-technology.md) - [Azure AD join](#azure-active-directory-join)
## Hybrid Deployment - [Azure AD registration](#azure-ad-registration)
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that is synchronized with Azure Active Directory. Hybrid deployments support devices that are Azure AD registered, Azure AD joined, and hybrid Azure AD joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. - [Hybrid deployment](#hybrid-deployment)
### Related topics ### More information about hybrid Azure AD join
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined),
### More information [Introduction to device identity in Azure AD](/azure/active-directory/devices/overview)
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
## Hybrid deployment
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
### Related to hybrid deployment
- [Azure AD join](#azure-active-directory-join)
- [Azure AD registration](#azure-ad-registration)
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
### More information about hybrid deployment
[Windows Hello for Business planning guide](hello-planning-guide.md)
[Return to Top](hello-how-it-works-technology.md)
## Join type ## Join type
Join type is how devices are associated with Azure Active Directory. For a device to authenticate to Azure Active Directory it must be registered or joined.
Join type is how devices are associated with Azure AD. For a device to authenticate to Azure AD it must be registered or joined.
Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device. Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device.
When combined with a mobile device management(MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune . When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune.
Joining a device is an extension to registering a device. This means, it provides you with all the benefits of registering a device and in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account. Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
### Related topics ### Related to join type
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
### More information - [Azure AD join](#azure-active-directory-join)
- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction) - [Azure AD registration](#azure-ad-registration)
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
[Return to Top](hello-how-it-works-technology.md) ### More information about join type
## Key Trust
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
### Related topics [Introduction to device identity in Azure AD](/azure/active-directory/devices/overview)
[Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)
### More information ## Key trust
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
[Return to Top](hello-how-it-works-technology.md) The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
## Managed Environment
Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services.
### Related topics ### Related to key trust
[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-sync)
[Return to Top](#technology-and-terms) - [Certificate trust](#certificate-trust)
## On-premises Deployment - [Deployment type](#deployment-type)
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. - [Hybrid Azure AD join](#hybrid-azure-ad-join)
- [Hybrid deployment](#hybrid-deployment)
- [On-premises deployment](#on-premises-deployment)
- [Trust type](#trust-type)
### Related topics ### More information about key trust
[Cloud Deployment](#cloud-deployment), [Deployment Type](#deployment-type), [Hybrid Deployment](#hybrid-deployment)
### More information [Windows Hello for Business planning guide](hello-planning-guide.md)
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
## Managed environment
Managed environments are for non-federated environments where Azure AD manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS).
### Related to managed environment
- [Federated environment](#federated-environment)
- [Pass-through authentication](#pass-through-authentication)
- [Password hash synchronization](#password-hash-sync)
## On-premises deployment
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
### Related to on-premises deployment
- [Cloud deployment](#cloud-deployment)
- [Deployment type](#deployment-type)
- [Hybrid deployment](#hybrid-deployment)
### More information about on-premises deployment
[Windows Hello for Business planning guide](hello-planning-guide.md)
[Return to Top](hello-how-it-works-technology.md)
## Pass-through authentication ## Pass-through authentication
Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related topics Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-sync)
### Related to pass-through authentication
### More information - [Federated environment](#federated-environment)
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn) - [Managed environment](#managed-environment)
- [Password hash synchronization](#password-hash-sync)
[Return to Top](hello-how-it-works-technology.md) ### More information about pass-through authentication
## Password Hash Sync
The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related topics [Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication)
### More information ## Password hash sync
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn)
[Return to Top](hello-how-it-works-technology.md) Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
## Primary Refresh Token
SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device.
The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD-joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.). ### Related to password hash sync
The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied. - [Federated environment](#federated-environment)
- [Managed environment](#managed-environment)
- [Pass-through authentication](#pass-through-authentication)
[Return to Top](#technology-and-terms) ### More information about password hash sync
## Storage Root Key
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
### Related topics [Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Trusted Platform Module](#trusted-platform-module)
### More information ## Primary refresh token
[TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device.
The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Azure AD joined and hybrid Azure AD-joined devices. For personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com.
The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied.
## Storage root key
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
### Related to storage root key
- [Attestation identity keys](#attestation-identity-keys)
- [Endorsement key](#endorsement-key)
- [Trusted platform module](#trusted-platform-module)
### More information about storage root key
[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
[Return to Top](hello-how-it-works-technology.md)
## Trust type ## Trust type
The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type does not affect authentication to Azure Active Directory. Windows Hello for Business authentication to Azure Active Directory always uses the key, not a certificate (excluding smart card authentication in a federated environment).
### Related topics The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Azure AD. Windows Hello for Business authentication to Azure AD always uses the key, not a certificate (excluding smart card authentication in a federated environment).
[Certificate Trust](#certificate-trust), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment)
### More information ### Related to trust type
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
[Return to Top](hello-how-it-works-technology.md) - [Certificate trust](#certificate-trust)
## Trusted Platform Module - [Hybrid deployment](#hybrid-deployment)
- [Key trust](#key-trust)
- [On-premises deployment](#on-premises-deployment)
A Trusted Platform Module (TPM) is a hardware component that provides unique security features.<br> ### More information about trust type
Windows leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. [Windows Hello for Business planning guide](hello-planning-guide.md)
## Trusted platform module
A trusted platform module (TPM) is a hardware component that provides unique security features.
Windows uses security characteristics of a TPM for the following functions:
- Measuring boot integrity sequence. Based on that sequence, it automatically unlocks BitLocker-protected drives
- Protecting credentials
- Health attestation
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). There are currently two versions of the TPM specification produced by TCG that aren't compatible with each other:
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other:
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
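Review bot: two pre-existing typos survive the rewrite of the Hybrid Azure AD join paragraphs and should be fixed while these lines are being touched: "they often use or group policy to manage them" (stray "or", or a missing alternative before it) and "you also want benefit from the capabilities" (missing "to"). Separately, the new "Related to …" lists retarget links to `#azure-active-directory-join` and `#azure-ad-registration`, whose headings are not in this hunk; confirm those slugs match the renamed headings elsewhere in the file, since a mismatched slug fails silently as a dead in-page link, and note that the old `#azure-ad-joined` / `#azure-ad-registered` anchors no longer exist for anything linking in from other pages. The Join type paragraph also still says "see Enroll devices for management in Intune" with no link on either side of the diff.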
@ -290,27 +355,29 @@ Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2: TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
- Update cryptography strength to meet modern security needs - Update cryptography strength to meet modern security needs
- Support for SHA-256 for PCRs - Support for SHA-256 for PCRs
- Support for HMAC command - Support for HMAC command
- Cryptographic algorithms flexibility to support government needs - Cryptographic algorithms flexibility to support government needs
- TPM 1.2 is severely restricted in terms of what algorithms it can support - TPM 1.2 is severely restricted in terms of what algorithms it can support
- TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
- Consistency across implementations - Consistency across implementations
- The TPM 1.2 specification allows vendors wide latitude when choosing implementation details - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
- TPM 2.0 standardizes much of this behavior - TPM 2.0 standardizes much of this behavior
In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component: In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component:
- A RSA 2048-bit key generator
- An RSA 2048-bit key generator
- A random number generator - A random number generator
- Nonvolatile memory for storing EK, SRK, and AIK keys - Nonvolatile memory for storing EK, SRK, and AIK keys
- A cryptographic engine to encrypt, decrypt, and sign - A cryptographic engine to encrypt, decrypt, and sign
- Volatile memory for storing the PCRs and RSA keys - Volatile memory for storing the PCRs and RSA keys
### Related to trusted platform module
### Related topics - [Attestation identity keys](#attestation-identity-keys)
[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key) - [Endorsement key](#endorsement-key)
- [Storage root key](#storage-root-key)
### More information ### More information about trusted platform module
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
[Return to Top](hello-how-it-works-technology.md) [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
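Review bot: the article fix ("An RSA 2048-bit key generator") is correct, but the unchanged sentence just above the list is still missing its conjunctions ("It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device"); suggest "It can generate random numbers and RSA keys, decrypt short data, and store hashes taken when booting the device." In the TPM 2.0 list, the first bullet ("Update cryptography strength…") is a verb phrase while its siblings are noun phrases ("Support for…", "Consistency across…"); "Updated cryptographic strength…" would make the list parallel.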

View File

@ -288,11 +288,13 @@ Sign-in to the issuing certificate authority or management workstations with _Do
7. On the **Security** tab, click **Add**. 7. On the **Security** tab, click **Add**.
8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. 8. Select **Object Types**, then, in the window that appears, choose **Computers** and click **OK**.
9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 9. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
10. Click on the **Apply** to save changes and close the console. 10. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
11. Click on the **Apply** to save changes and close the console.
### Create an Azure AD joined Windows Hello for Business authentication certificate template ### Create an Azure AD joined Windows Hello for Business authentication certificate template
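Review bot: the new step 8 (choosing **Computers** under **Object Types**) is the right addition, since "NDES server" resolves to a computer object, but steps 9 through 11 are now renumbered by one, so any text elsewhere in this article that refers to these steps by number needs checking. While renumbering, step 11 still reads "Click on the **Apply**"; "Click **Apply**" matches the other steps, and "**Group or users names**" in step 10 should be "**Group or user names**" as the dialog labels it.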
@ -334,7 +336,7 @@ The certificate authority may only issue certificates for certificate templates
> [!Important] > [!Important]
> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that certificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority. > Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that certificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. Sign in to the certificate authority or management workstations with an _enterprise admin_ -equivalent credential.
1. Open the **Certificate Authority** management console. 1. Open the **Certificate Authority** management console.
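Review bot: the rewritten sign-in line has a stray space in "_enterprise admin_ -equivalent credential"; it should be "an _enterprise admin_-equivalent credential". The important note keeps two slips the hunk doesn't touch: "You need to publish that certificate templates to that issuing certificate authority" should be "publish that certificate template to the issuing certificate authority", and "The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority" should say "template", since templates, not certificates, are published to a CA. The operational requirement itself (the **AADJ WHFB Authentication** template must be published on the CA that the NDES configuration selects) is correct and worth keeping prominent.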
@ -849,7 +851,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png) ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished, click **Select**.
9. Click **Create**. 9. Click **Create**.

View File

@ -37,37 +37,37 @@ Windows Hello lets users authenticate to:
- A Microsoft account. - A Microsoft account.
- An Active Directory account. - An Active Directory account.
- A Microsoft Azure Active Directory (Azure AD) account. - A Microsoft Azure Active Directory (Azure AD) account.
- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication. - Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.
After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users. After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.
As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization. As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization.
## Biometric sign-in ## Biometric sign-in
Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials. Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials.
- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. - **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10 and Windows 11. - **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is more reliable and less error-prone. Most existing fingerprint readers work with Windows 10 and Windows 11, whether they're external or integrated into laptops or USB keyboards.
Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md).
## The difference between Windows Hello and Windows Hello for Business ## The difference between Windows Hello and Windows Hello for Business
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, but can use a simple password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it is not backed by asymmetric (public/private key) or certificate-based authentication. - Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it's not backed by asymmetric (public/private key) or certificate-based authentication.
- **Windows Hello for Business**, which is configured by Group Policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This makes it much more secure than **Windows Hello convenience PIN**. - **Windows Hello for Business**, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than **Windows Hello convenience PIN**.
## Benefits of Windows Hello ## Benefits of Windows Hello
Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed. Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials. You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they're entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials.
In Windows 10 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows to access resources and services. In Windows 10 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows that it's a verified identity, because of the combination of Windows Hello keys and gestures. It then provides an authentication token that allows Windows to access resources and services.
>[!NOTE] > [!NOTE]
>Windows Hello as a convenience sign-in uses regular username and password authentication, without the user entering the password. > Windows Hello as a convenience sign-in uses regular username and password authentication, without the user entering the password.
:::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png"::: :::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png":::
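Review bot: splitting the last sentence of the key-pair paragraph changed its meaning. "knows that it's a verified identity, because of the combination of Windows Hello keys and gestures" pluralizes "gesture", and the following "It then provides an authentication token" leaves "It" without a clear antecedent. Because the gesture never leaves the device (this article states later that it doesn't roam and isn't shared with the server), prefer wording that keeps the division of labor explicit, for example: "The gesture unlocks the private key on the device; the identity provider verifies the resulting signature against the registered public key and then issues an authentication token that allows Windows to access resources and services." The rest of the hunk (FIDO link now on fidoalliance.org, contraction and hyphenation cleanups, "group policy" lowercased) looks fine.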
@ -79,15 +79,15 @@ Windows Hello helps protect user identities and user credentials. Because the us
- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. - An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Azure AD, or a Microsoft account.
- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy. - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy.
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. - Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture doesn't roam between devices and isn't shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared.
- The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. - The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
- PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. - PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
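Review bot: in the rewritten identity-provider bullet, "Example providers are Active Directory, Azure AD, or a Microsoft account" mixes an "are" list with "or"; use "Examples include Active Directory, Azure AD, and Microsoft accounts." While this region is open, "asymmetrical key pair" in the first bullet should be "asymmetric key pair", and "Authentication is the two-factor authentication with the combination of" can drop the article: "Authentication is two-factor: a key or certificate tied to a device, combined with something the person knows (a PIN) or something the person is (biometrics)."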
@ -97,25 +97,21 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
## Comparing key-based and certificate-based authentication ## Comparing key-based and certificate-based authentication
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 21H2, there is a feature called cloud trust for hybrid deployments which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but does not require certificates on the domain controller. Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud trust for hybrid deployments, which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
Windows Hello for Business with a key, including cloud trust, does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). Windows Hello for Business with a key, including cloud trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
## Learn more ## Learn more
[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business) [Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/insidetrack/implementing-strong-user-authentication-with-windows-hello-for-business)
[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft) [Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/insidetrack/implementing-windows-hello-for-business-at-microsoft)
[Introduction to Windows Hello](/learn/?l=eH7yoY2BC_9106218949), video presentation on Microsoft Virtual Academy [Windows Hello for Business: Authentication](https://youtu.be/WPmzoP_vMek): In this video, learn about Windows Hello for Business and how it's used to sign-in and access resources.
[Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication) [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication)
[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890) ## Related articles
[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
## Related topics
- [How Windows Hello for Business works](hello-how-it-works.md) - [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
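Review bot: the RDP paragraph was reworked for contractions but still has "self signed certificate" and "certificate based deployments", which should be hyphenated ("self-signed", "certificate-based"). In the new video entry, "how it's used to sign-in" uses the noun form as a verb; write "sign in". In the cloud-trust paragraph, "This functionality still uses certificates on the domain controllers as a root of trust" is vague about which deployment is meant; "Key-based (key trust) deployments still rely on certificates on the domain controllers as a root of trust" makes the contrast with cloud trust in the next sentence explicit.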

View File

@ -156,7 +156,7 @@ landingContent:
- text: Microsoft Security Development Lifecycle - text: Microsoft Security Development Lifecycle
url: threat-protection/msft-security-dev-lifecycle.md url: threat-protection/msft-security-dev-lifecycle.md
- text: Microsoft Bug Bounty - text: Microsoft Bug Bounty
url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program.md url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program
- text: Common Criteria Certifications - text: Common Criteria Certifications
url: threat-protection/windows-platform-common-criteria.md url: threat-protection/windows-platform-common-criteria.md
- text: Federal Information Processing Standard (FIPS) 140 Validation - text: Federal Information Processing Standard (FIPS) 140 Validation
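Review bot: dropping `.md` from `/microsoft-365/security/intelligence/microsoft-bug-bounty-program` is correct, since absolute paths into another docset resolve on the published site without the extension, whereas the neighboring `threat-protection/...md` entries are same-repo relative links and correctly keep it. Worth a pass over the rest of this landing page for other absolute paths that still carry `.md`.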

View File

@ -1,9 +1,7 @@
--- ---
title: Windows Defender Application Control and virtualization-based code integrity (Windows 10) title: Windows Defender Application Control and virtualization-based code integrity
description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC). description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
keywords: virtualization, security, malware, device guard
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy
ms.localizationpriority: medium ms.localizationpriority: medium
author: denisebmsft author: denisebmsft
ms.author: deniseb ms.author: deniseb
@ -28,12 +26,12 @@ Using Windows Defender Application Control to restrict devices to only authorize
1. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. 1. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. WDAC lets you set application control policy for code that runs in user mode, kernel mode hardware and software drivers, and even code that runs as part of Windows. 2. WDAC lets you set application control policy for code that runs in user mode, kernel mode hardware and software drivers, and even code that runs as part of Windows.
3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. To change signed policy requires both administrative privilege and access to the organizations digital signing process. This makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy. 3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. To change signed policy requires both administrative privilege and access to the organization's digital signing process. This makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy.
4. You can protect the entire WDAC enforcement mechanism with HVCI. Even if a vulnerability exists in kernel mode code, HVCI greatly reduces the likelihood that an attacker could successfully exploit it. This is important because an attacker that compromises the kernel could normally disable most system defenses, including those enforced by WDAC or any other application control solution. 4. You can protect the entire WDAC enforcement mechanism with HVCI. Even if a vulnerability exists in kernel mode code, HVCI greatly reduces the likelihood that an attacker could successfully exploit it. This is important because an attacker that compromises the kernel could normally disable most system defenses, including those enforced by WDAC or any other application control solution.
## Why we no longer use the Device Guard brand ## Why we no longer use the Device Guard brand
When we originally promoted Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state achieved when using them together. However, since HVCI relies on Windows virtualization-based security, it has hardware, firmware, and kernel driver compatibility requirements that some older systems cant meet. This misled many people to assume that if systems couldn't use HVCI, they couldnt use WDAC either. When we originally promoted Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state achieved when using them together. However, since HVCI relies on Windows virtualization-based security, it has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet. This misled many people to assume that if systems couldn't use HVCI, they couldn't use WDAC either.
WDAC has no specific hardware or software requirements other than running Windows 10, which means customers were denied the benefits of this powerful application control capability due to Device Guard confusion. WDAC has no specific hardware or software requirements other than running Windows 10, which means customers were denied the benefits of this powerful application control capability due to Device Guard confusion.
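Review bot: the unchanged last line of this hunk still says "WDAC has no specific hardware or software requirements other than running Windows 10", while the title in this same commit drops "(Windows 10)"; if the article now covers later releases, this should read "Windows 10 or later". The apostrophe fixes ("organization's", "can't", "couldn't") are correct. Item 3 also reads better as "Changing a signed policy requires both administrative privilege and access to the organization's digital signing process", which keeps the point that a signed policy resists tampering even by a local administrator.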
@ -43,6 +41,5 @@ We hope this change will help us better communicate options for adopting applica
## Related articles ## Related articles
- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md) - [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
- [Dropping the Hammer Down on Malware Threats with Windows 10s Windows Defender](https://channel9.msdn.com/Events/Ignite/2015/BRK2336) - [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865)
- [Driver compatibility with Windows Defender in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
- [Code integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) - [Code integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10))
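Review bot: the new link text "Driver compatibility with Device Guard in Windows 10" reintroduces the Device Guard name in the article that explains why the brand was retired. Matching the target post's title is reasonable, but a short parenthetical such as "(HVCI driver requirements)" would stop readers from reading it as a contradiction. The remaining "Code integrity" link still points at Windows Server 2008 R2 previous-versions content, which predates the HVCI material discussed here; consider whether a current reference exists before shipping.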

View File

@ -1,6 +1,6 @@
--- ---
title: Get support title: Get support
description: Frequently asked question about how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization. description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT).
ms.prod: m365-security ms.prod: m365-security
ms.localizationpriority: medium ms.localizationpriority: medium
ms.author: dansimp ms.author: dansimp
@ -15,87 +15,69 @@ ms.technology: windows-sec
# Get Support for Windows baselines # Get Support for Windows baselines
**What is the Microsoft Security Compliance Manager (SCM)?** ## Frequently asked questions
The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. ### What is the Microsoft Security Compliance Manager (SCM)?
More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures). The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
**Where can I get an older version of a Windows baseline?** For more information, see [Security Compliance Manager (SCM) retired; new tools and procedures](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT. ### Where can I get an older version of a Windows baseline?
- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10)) Any version of Windows baseline before Windows 10 version 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. To see if your version of Windows baseline is available on SCT, see the [Version matrix](#version-matrix).
- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
**What file formats are supported by the new SCT?** - [SCM 4.0 download](https://www.microsoft.com/download/details.aspx?id=53353)
- [SCM frequently asked questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
- [SCM release notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCMs .cab files are no longer supported. ### What file formats are supported by the new SCT?
**Does SCT support Desired State Configuration (DSC) file format?** The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. A local group policy object (LGPO) also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. The `.cab` files from SCM are no longer supported.
Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. ### Does SCT support the Desired State Configuration (DSC) file format?
**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?** Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features.
No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). ### Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?
**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?** No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO backups to DSC format is the [BaselineManagement module](https://github.com/Microsoft/BaselineManagement).
No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support. ### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?
<br /> No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit also doesn't include SCAP support.
## Version Matrix ## Version matrix
**Client Versions** ### Client versions
| Name | Build | Baseline Release Date | Security Tools | | Name | Build | Baseline release date | Security tools |
|---|---|---|---| |---|---|---|---|
|Windows 10 | [1709 (RS3)](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft) <p> [1703 (RS2)](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final) <p>[1607 (RS1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <p>[1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final) <p>[1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Windows 10 | [Version 1709](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft) <p> [Version 1703](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final) <p>[Version 1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <p>[1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final) <p>[1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | | Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
Windows 8 |[9200](/previous-versions/tn-archive/jj916413(v=technet.10)) |October 2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
Windows 7 |[7601 (SP1)](/previous-versions/tn-archive/ee712767(v=technet.10))| October 2009| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
| Vista |[6002 (SP2)](/previous-versions/tn-archive/dd450978(v=technet.10))| January 2007| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
| Windows XP |[2600 (SP3)](/previous-versions/tn-archive/cc163061(v=technet.10))| October 2001| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
<br /> ### Server versions
**Server Versions** | Name | Build | Baseline release date | Security tools |
| Name | Build | Baseline Release Date | Security Tools |
|---|---|---|---| |---|---|---|---|
|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | |Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)| |Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | |Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
Windows Server 2008 R2 |[SP1](/previous-versions/tn-archive/gg236605(v=technet.10))|2009 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
| Windows Server 2008 |[SP2](/previous-versions/tn-archive/cc514539(v=technet.10))| 2008 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|Windows Server 2003 R2|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))| 2003 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
|Windows Server 2003|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))|2003|[SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
<br /> ### Microsoft products
**Microsoft Products** | Name | Details | Security tools |
|--|--|--|
| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Name | Details | Security Tools | | Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------| | Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | | Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
| Internet Explorer 10 | [Technet](/previous-versions/tn-archive/jj898540(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) | | Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
| Internet Explorer 9 | [Technet](/previous-versions/tn-archive/hh539027(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
| Internet Explorer 8 | [Technet](/previous-versions/tn-archive/ee712766(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
<br />
> [!NOTE] > [!NOTE]
> Browser baselines are built-in to new OS versions starting with Windows 10 > Browser baselines are built-in to new OS versions starting with Windows 10.
## See also ## See also
[Windows security baselines](windows-security-baselines.md) [Windows security baselines](windows-security-baselines.md)
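Review bot: the expansion of LGPO in the new "What file formats" answer is wrong: the text now reads "A local group policy object (LGPO) also supports its own LGPO text file format", but a policy object has no file format; it is the LGPO tool (the one the same answer refers to with "see the LGPO documentation") that reads and writes the LGPO text format as an analog of the binary registry.pol. Suggest "The LGPO tool also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format." Three smaller points in the same hunk: the Windows 10 row now mixes "Version 1709 / Version 1703 / Version 1607" with the untouched "1511 (TH2)" and "1507 (TH1)" in one cell, so either finish the renaming or keep the codenames throughout; the Windows Server 2012 R2 row's Build link still points at the Windows 10 v1607 / Windows Server 2016 post, whereas the slug linked from the Windows 8.1 and Internet Explorer 11 rows ("...windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final") is the one that names Server 2012 R2, so that link looks like a copy-paste leftover; and in the note, "built-in to new OS versions" should be "built in to new OS versions" (or "built into"), since it is a verb phrase there, not an adjective.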

View File

@ -169,9 +169,9 @@ sections:
10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. 10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
- question: | - question: |
How can I disable portions of ICS without breaking Application Guard? How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard?
answer: | answer: |
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. ICS is enabled by default in Windows, and ICS must be enabled for Application Guard to function correctly. We do not recommend disabling ICS, this will stop Application Guard from working; however, you can disable ICS in part by using a Group Policy and editing registry keys.
1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
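Review bot: the new question text expands ICS as "Internet Connection Service", but ICS is Internet Connection Sharing, as the unchanged step above ("Internet Connection Sharing (ICS) Shared Access") and the policy name below ("Prohibit use of Internet Connection Sharing on your DNS domain network") both show; use "Internet Connection Sharing (ICS)". The sentence added to the answer is also a comma splice whose two halves pull against each other: "We do not recommend disabling ICS, this will stop Application Guard from working; however, you can disable ICS in part by using a Group Policy and editing registry keys." Suggest "We don't recommend disabling ICS entirely, because Application Guard stops working without it; however, you can disable ICS in part by using Group Policy and editing registry keys."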

View File

@ -1,13 +1,9 @@
--- ---
title: Microsoft Defender SmartScreen overview (Windows) title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: mjcaparas author: mjcaparas
ms.author: macapara ms.author: macapara
audience: ITPro
ms.localizationpriority: high ms.localizationpriority: high
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -19,7 +15,7 @@ adobe-target: true
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
- Microsoft Edge - Microsoft Edge
@ -41,15 +37,15 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and
Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are: Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are:
- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) - **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user doesn't select or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/).
- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user. - **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user.
- **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run. - **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run.
- **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. - **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
- **Management through Group Policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). - **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
- **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). - **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
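Review bot: the "Management through group policy and Microsoft Intune" bullet lowercases "group policy" (in the bullet title, the body and the link text), while the same commit leaves "Group Policy" capitalized in the Application Guard answer it also touches; pick one form and apply it across the commit. Since these lines are being edited anyway, two pre-existing errors in this hunk's context lines are worth fixing in the same change: "Microsoft Defender SmartScreen provide an early warning system" should read "provides", and the "Operating system integration" bullet is garbled ("It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run") and should read "It checks any file that an app (including third-party browsers and email clients) attempts to download and run."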
@ -58,7 +54,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites
## Submit files to Microsoft Defender SmartScreen for review ## Submit files to Microsoft Defender SmartScreen for review
If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](../intelligence/submission-guide.md). If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide).
When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
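Review bot: the unchanged line "When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu." is unclear, because what gets submitted is a file for SmartScreen review, not a product; suggest "When submitting a file for Microsoft Defender SmartScreen review, select **Microsoft Defender SmartScreen** from the product menu." The move from the relative "../intelligence/submission-guide.md" to the absolute "/microsoft-365/security/intelligence/submission-guide" is the right direction for a cross-docset link; please confirm the target resolves in the Microsoft 365 docset before merging.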
@ -72,6 +68,7 @@ When submitting Microsoft Defender SmartScreen products, make sure to select **M
When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)).
## Viewing Windows event logs for Microsoft Defender SmartScreen ## Viewing Windows event logs for Microsoft Defender SmartScreen
Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer. Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer.
Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it: Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
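Review bot: the context line "Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:" is a comma splice and is left as-is even though the hunk header shows a line being added in this region; suggest "The Windows event log for SmartScreen is disabled by default. Use the Event Viewer UI or the following command line to enable it:" so the lead-in to the `wevtutil` command reads cleanly.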
@ -83,15 +80,14 @@ wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
> [!NOTE] > [!NOTE]
> For information on how to use the Event Viewer, see [Windows Event Viewer](/host-integration-server/core/windows-event-viewer1). > For information on how to use the Event Viewer, see [Windows Event Viewer](/host-integration-server/core/windows-event-viewer1).
| EventID | Description | | EventID | Description |
|---|---| |---|---|
| 1000 | Application Windows Defender SmartScreen Event | | 1000 | Application Windows Defender SmartScreen Event |
| 1001 | Uri Windows Defender SmartScreen Event | | 1001 | Uri Windows Defender SmartScreen Event |
| 1002 | User Decision Windows Defender SmartScreen Event | | 1002 | User Decision Windows Defender SmartScreen Event |
## Related topics ## Related articles
- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [Threat protection](../index.md) - [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) - [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference.md#configuration-service-provider-reference) - [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)

View File

@ -58,7 +58,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
| **Credential Guard**<br> helps keep attackers<br>from gaining access through<br>Pass-the-Hash or<br>Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) | | **Credential Guard**<br> helps keep attackers<br>from gaining access through<br>Pass-the-Hash or<br>Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
| **Enterprise certificate pinning**<br> helps prevent <br>man-in-the-middle attacks<br>that use PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf. <br><br>**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) | | **Enterprise certificate pinning**<br> helps prevent <br>man-in-the-middle attacks<br>that use PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf. <br><br>**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
| **Device Guard**<br> helps keep a device<br>from running malware or<br>other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) | | **Device Guard**<br> helps keep a device<br>from running malware or<br>other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
| **Microsoft Defender Antivirus**,<br>which helps keep devices<br>free of viruses and other<br>malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved to a considerable extent since it was introduced in Windows 8.<br><br>**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic | | **Microsoft Defender Antivirus**,<br>which helps keep devices<br>free of viruses and other<br>malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved significantly since it was introduced in Windows 8.<br><br>**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
| **Blocking of untrusted fonts**<br> helps prevent fonts<br>from being used in<br>elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).<br><br>**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) | | **Blocking of untrusted fonts**<br> helps prevent fonts<br>from being used in<br>elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).<br><br>**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
| **Memory protections**<br> help prevent malware<br>from using memory manipulation<br>techniques such as buffer<br>overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:<br>A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.<br><br>**More information**: [Table 2](#table-2), later in this topic | | **Memory protections**<br> help prevent malware<br>from using memory manipulation<br>techniques such as buffer<br>overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:<br>A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.<br><br>**More information**: [Table 2](#table-2), later in this topic |
| **UEFI Secure Boot**<br> helps protect<br>the platform from<br>boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.<br><br>**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot)</a> | | **UEFI Secure Boot**<br> helps protect<br>the platform from<br>boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.<br><br>**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot)</a> |
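Review bot: while the Microsoft Defender Antivirus row is being reworded ("improved to a considerable extent" to "improved significantly"), two defects in the adjacent context rows should go in the same change: the Memory protections row opens a parenthesis at "(for example, malware that attempts to use buffer overruns to inject malicious executable code into memory." and never closes it before "Note:", and the UEFI Secure Boot row ends with a stray "</a>" after the "UEFI and Secure Boot" markdown link. In that same row, "built in to PCs by manufacturers" should be "built into PCs by manufacturers".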

View File

@ -2,63 +2,55 @@
title: Network access - Restrict clients allowed to make remote calls to SAM title: Network access - Restrict clients allowed to make remote calls to SAM
description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database.
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: explore ms.technology: windows-sec
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: dansimp
ms.date: 09/17/2018 ms.date: 09/17/2018
author: dansimp
ms.author: dansimp
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp
ms.technology: windows-sec
--- ---
# Network access: Restrict clients allowed to make remote calls to SAM # Network access: Restrict clients allowed to make remote calls to SAM
**Applies to** **Applies to**
- Windows 10, version 1607 and later
- Windows 10, version 1511 with [KB 4103198](https://support.microsoft.com/help/4013198) installed
- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/help/4012606) installed
- Windows 8.1 with [KB 4102219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows 7 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed
- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed
- Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed
- Windows 10
- Windows 8.1
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory. The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory.
The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the KB articles listed in **Applies to** section of this topic. The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems.
This topic describes the default values for this security policy setting in different versions of Windows. This article describes the default values for this security policy setting in different versions of Windows.
By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 are more restrictive than earlier versions of Windows. By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 are more restrictive than earlier versions of Windows.
This restrictive characteristic means that if you have a mix of computers, such as member servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed. This restrictive characteristic means that if you have a mix of computers, such as member servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed.
This topic also covers related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups so that your environment remains secure without impacting application compatibility. This article also covers related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups so that your environment remains secure without impacting application compatibility.
> [!NOTE] > [!NOTE]
> Implementation of this policy [could affect offline address book generation](/troubleshoot/windows-server/group-policy/authz-fails-access-denied-error-application-access-check) on servers running Microsoft Exchange 2016 or Microsoft Exchange 2013. > Implementation of this policy [could affect offline address book generation](/troubleshoot/windows-server/group-policy/authz-fails-access-denied-error-application-access-check) on servers running Microsoft Exchange 2016 or Microsoft Exchange 2013.
## Reference ## Reference
The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data.
For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory.
This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment. This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment.
To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls.
The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define. The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define.
By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting isn't defined. By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting isn't defined.
If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM.
If the policy setting is left blank after the policy is defined, the policy isn't enforced. If the policy setting is left blank after the policy is defined, the policy isn't enforced.
The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers.
You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators. You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators.
The default security descriptor on computers that run earlier versions of Windows doesn't restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. The default security descriptor on computers that run earlier versions of Windows doesn't restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions.
This less restrictive default allows for testing the impact of enabling restrictions on existing applications. This less restrictive default allows for testing the affect of enabling restrictions on existing applications.
## Policy and Registry Names ## Policy and Registry Names
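Review bot: "testing the affect of enabling restrictions" in the last changed line of this hunk replaces a correct word with a wrong one; the noun needed here is "effect", so either keep the original "impact" or write "testing the effect of enabling restrictions". A second point in the same hunk: the new "Applies to" list drops the per-KB entries and the sentence "can be configured on earlier Windows client and server operating systems" no longer says how, yet unchanged text later in this file still reads "after the corresponding KB is installed" and "the hotfix in each KB article provides the necessary code and functionality"; either keep a pointer to the required updates or adjust those later sentences so they don't refer to a list that no longer exists.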
@ -71,29 +63,30 @@ This less restrictive default allows for testing the impact of enabling restrict
| **Registry type** | REG_SZ | | **Registry type** | REG_SZ |
| **Registry value** | A string that will contain the SDDL of the security descriptor to be deployed. | | **Registry value** | A string that will contain the SDDL of the security descriptor to be deployed. |
The Group Policy setting is only available on computers that run Windows Server 2016 or Windows 10, version 1607 and later. The Group Policy setting is only available on computers that run Windows Server 2016 or Windows 10, version 1607 and later.
These computers are the only option to configure this setting by using a user interface (UI). These computers are the only option to configure this setting by using a user interface (UI).
On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences. On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences.
To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 or Windows 10, version 1607 or later and have it apply to all computers within the scope of the GPO because the same registry key exists on every computer after the corresponding KB is installed. To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 or Windows 10, version 1607 or later and have it apply to all computers within the scope of the GPO because the same registry key exists on every computer after the corresponding KB is installed.
> [!NOTE] > [!NOTE]
> This policy is implemented similarly to other "Network access" policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. > This policy is implemented similarly to other "Network access" policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins.
> >
> For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. > For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path.
## Default values ## Default values
Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows.
The different default values help strike a balance where recent Windows versions are more secure by default and older versions dont undergo any disruptive behavior changes. Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows.
Administrators can test whether applying the same restriction earlier versions of Windows will cause compatibility problems for existing applications before implementing this security policy setting in a production environment. The different default values help strike a balance where recent Windows versions are more secure by default and older versions don't undergo any disruptive behavior changes.
Administrators can test whether applying the same restriction earlier versions of Windows will cause compatibility problems for existing applications before implementing this security policy setting in a production environment.
In other words, the hotfix in each KB article provides the necessary code and functionality, but you need to configure the restriction after you install the hotfix—no restrictions are enabled by default after the hotfix is installed on earlier versions of Windows. In other words, the hotfix in each KB article provides the necessary code and functionality, but you need to configure the restriction after you install the hotfix—no restrictions are enabled by default after the hotfix is installed on earlier versions of Windows.
| |Default SDDL |Translated SDDL| Comments | | |Default SDDL |Translated SDDL| Comments |
|---|---|---|---| |---|---|---|---|
|**Windows Server 2016 (or later) domain controller (reading Active Directory)**|“”|-|Everyone has read permissions to preserve compatibility.| |**Windows Server 2016 (or later) domain controller (reading Active Directory)**|""|-|Everyone has read permissions to preserve compatibility.|
|**Earlier domain controller** |-|-|No access check is performed by default.| |**Earlier domain controller** |-|-|No access check is performed by default.|
|**Windows 10, version 1607 (or later) non-domain controller**|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>• Revision: 0x02 <br>• Size: 0x0020 <br>• Ace Count: 0x001 <br>Ace[00]------------------------- <br> &nbsp;&nbsp;AceType:0x00 <br> &nbsp;&nbsp;(ACCESS\_ALLOWED_ACE_TYPE)<br> &nbsp;&nbsp;AceSize:0x0018 <br> &nbsp;&nbsp;InheritFlags:0x00 <br> &nbsp;&nbsp;Access Mask:0x00020000 <br> &nbsp;&nbsp;AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> &nbsp;&nbsp;SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. | |**Windows 10, version 1607 (or later) non-domain controller**|`O:SYG:SYD:(A;;RC;;;BA)`| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br> - Revision: 0x02 <br> - Size: 0x0020 <br> - Ace Count: 0x001 <br> - Ace[00]------------------------- <br> &nbsp;&nbsp;AceType:0x00 <br> &nbsp;&nbsp;(ACCESS\_ALLOWED_ACE_TYPE)<br> &nbsp;&nbsp;AceSize:0x0018 <br> &nbsp;&nbsp;InheritFlags:0x00 <br> &nbsp;&nbsp;Access Mask:0x00020000 <br> &nbsp;&nbsp;AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> &nbsp;&nbsp;SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
|**Earlier non-domain controller** |-|-|No access check is performed by default.| |**Earlier non-domain controller** |-|-|No access check is performed by default.|
## Policy management ## Policy management
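Review bot: "applying the same restriction earlier versions of Windows" in the Default values paragraph is missing a preposition in both the old and the new text; suggest "applying the same restriction to earlier versions of Windows". The following sentence, "the hotfix in each KB article provides the necessary code and functionality", is unchanged here, but the KB articles it refers to were removed from the Applies to list in this same commit, so a reader of the new page has nothing to look up; reword it to state the update requirement generically or restore the references. Minor: that sentence also relies on an em-dash ("hotfix—no restrictions"); a plain sentence break reads better, e.g. "after you install the hotfix. No restrictions are enabled by default".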
@ -110,16 +103,17 @@ Audit-only mode configures the SAMRPC protocol to do the access check against th
|Setting|RestrictRemoteSamAuditOnlyMode| |Setting|RestrictRemoteSamAuditOnlyMode|
|Data Type|REG_DWORD| |Data Type|REG_DWORD|
|Value|1| |Value|1|
|Notes|This setting can't be added or removed by using predefined Group Policy settings. <br> Administrators may create a custom policy to set the registry value if needed. <br> SAM responds dynamically to changes in this registry value without a reboot. <br> You can use the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script to parse the event logs, as explained in the next section.| |Notes|This setting can't be added or removed by using predefined Group Policy settings. Administrators may create a custom policy to set the registry value if needed. SAM responds dynamically to changes in this registry value without a reboot. |
### Related events ### Related events
There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM: There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM:
1. Dump event logs to a common share.
2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script. 1. Dump event logs to a common share.
3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM. 1. Right click the System log, select **Filter Current Log**, and specify `16962-16969` in the Event IDs field.
4. Identify which security contexts are enumerating users or groups in the SAM database. 1. Review Event IDs 16962 to 16969, as listed in the following table, with event source **Directory-Service-SAM**.
5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string. 1. Identify which security contexts are enumerating users or groups in the SAM database.
1. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
|Event ID|Event Message Text|Explanation | |Event ID|Event Message Text|Explanation |
|---|---|---| |---|---|---|
@ -127,14 +121,15 @@ There are corresponding events that indicate when remote calls to the SAM are re
|16963|Message Text: "Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%n" <br><br> %1 - "Registry SD String:" |Emit event when a new SDDL is read from the registry (either on startup or change) and is considered valid. The event includes the source and a copy of the queried SDDL. |16963|Message Text: "Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%n" <br><br> %1 - "Registry SD String:" |Emit event when a new SDDL is read from the registry (either on startup or change) and is considered valid. The event includes the source and a copy of the queried SDDL.
|16964|"The registry security descriptor is malformed: %1.%n Remote calls to the SAM database are being restricted using the default security descriptor: %2.%n" <br><br>%1- "Malformed SD String:"<br> %2- "Default SD String:"|Emit event when registry SDDL is mal-formed, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL). |16964|"The registry security descriptor is malformed: %1.%n Remote calls to the SAM database are being restricted using the default security descriptor: %2.%n" <br><br>%1- "Malformed SD String:"<br> %2- "Default SD String:"|Emit event when registry SDDL is mal-formed, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).
|16965|Message Text: "A remote call to the SAM database has been denied.%nClient SID: %1%n Network address: %2%n"<br><br> %1- "Client SID:" %2- "Client Network Address | Emit event when access is denied to a remote client. Event should include identity and network address of the client. |16965|Message Text: "A remote call to the SAM database has been denied.%nClient SID: %1%n Network address: %2%n"<br><br> %1- "Client SID:" %2- "Client Network Address | Emit event when access is denied to a remote client. Event should include identity and network address of the client.
|16966|Audit Mode is enabled- <br><br>Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled. |16966|Audit Mode is enabled- <br><br>Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled.
|16967|Audit Mode is disabled- <br><br>Message Text: "Audit only mode is now disabled for remote calls to the SAM database.%n For more information"|Emit event whenever training mode (see 16968) is enabled or disabled. |16967|Audit Mode is disabled- <br><br>Message Text: "Audit only mode is now disabled for remote calls to the SAM database.%n For more information"|Emit event whenever training mode (see 16968) is enabled or disabled.
|16968| Message Text: "Audit only mode is currently enabled for remote calls to the SAM database.%n The following client would have been normally denied access:%nClient SID: %1 from network address: %2. %n" <br>%1- "Client SID:" <br>%2- "Client Network Address:"|Emit event when access would have been denied to a remote client, but was allowed through due to training mode being enabled. Event should include identity and network address of the client.| |16968| Message Text: "Audit only mode is currently enabled for remote calls to the SAM database.%n The following client would have been normally denied access:%nClient SID: %1 from network address: %2. %n" <br>%1- "Client SID:" <br>%2- "Client Network Address:"|Emit event when access would have been denied to a remote client, but was allowed through due to training mode being enabled. Event should include identity and network address of the client.|
|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1-seconds throttling window.%n <br>"%1- "Throttle window:" <br>%2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap. <br><br>Note: There's no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section. |16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1-seconds throttling window.%n <br>"%1- "Throttle window:" <br>%2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap. <br><br>Note: There's no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section.
Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access. Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access.
### Event throttling
### Event Throttling
A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value. A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value.
|Registry Path|HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ | |Registry Path|HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ |
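Review bot: the reworked workflow step "Right click the System log, select **Filter Current Log**, and specify `16962-16969` in the Event IDs field" should say where this is done (Event Viewer) and hyphenate "Right-click". With the parsing script removed, step 1 "Dump event logs to a common share" now has no consumer, because the new step 2 filters the live System log rather than the dumped copies; either drop step 1 or make step 2 operate on the collected logs ("open the saved logs in Event Viewer, then filter..."). While this table is being edited: the 16966 and 16967 rows carry identical explanation text ("Emit event whenever training mode (see 16968) is enabled or disabled"), and the 16967 message text ends with a dangling "For more information"; both predate this change but are worth fixing here.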
@ -143,7 +138,7 @@ Setting |RestrictRemoteSamEventThrottlingWindow|
Data Type |DWORD| Data Type |DWORD|
|Value|seconds| |Value|seconds|
|Reboot Required?|No| |Reboot Required?|No|
|Notes|**Default** is 900 seconds 15 mins. <br>The throttling uses a suppressed events counter that starts at 0 and gets incremented during the throttling window. <br> For example, X events were suppressed in the last 15 minutes. <br>The counter is restarted after the event 16969 is logged. |Notes|**Default** is 900 seconds (15 minutes). <br>The throttling uses a suppressed events counter that starts at 0 and gets incremented during the throttling window. <br> For example, X events were suppressed in the last 15 minutes. <br>The counter is restarted after the event 16969 is logged.
### Restart requirement ### Restart requirement
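Review bot: the "Data Type |DWORD|" row of the throttling table is missing its leading pipe (the sibling rows start with "|"), and it names the type DWORD while the audit-only-mode table earlier in this file uses REG_DWORD for the same kind of value; suggest "|Data Type|REG_DWORD|" so the two tables match.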
@ -153,22 +148,24 @@ Restarts aren't required to enable, disable or modify the **Network access: Rest
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans. <br><br>
The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans.
The following example illustrates how an attacker might exploit remote SAM enumeration: The following example illustrates how an attacker might exploit remote SAM enumeration:
1. A low-privileged attacker gains a foothold on a network. 1. A low-privileged attacker gains a foothold on a network.
2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine. 2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine.
3. If the attacker can, then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to sign in and then steal or impersonate those credentials. 3. If the attacker can, then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to sign in and then steal or impersonate those credentials.
### Countermeasure ### Countermeasure
You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access. You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access.
### Potential impact ### Potential affect
If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode).
If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode).
## Next steps
## Related Topics
[Security Options](./security-options.md) [Security Options](./security-options.md)
[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
<br>
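Review bot: the renamed heading "### Potential affect" uses the wrong word; "affect" is a verb, so this should be "### Potential effect" (or the original "Potential impact"). Two unchanged lines in this hunk are also worth fixing while here: in the Countermeasure paragraph the bold closes too early ("**Network access: Restrict clients allowed to make remote calls** to SAM"), whereas everywhere else in the file the setting name is "**Network access: Restrict clients allowed to make remote calls to SAM**"; and step 3 of the example, "If the attacker can, then find any other vulnerability on that machine that allows taking it over, the attacker can then squat", has a stray comma that breaks the sentence; suggest "If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can squat on the machine...".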
@ -1,14 +1,8 @@
--- ---
title: Deploying Windows Defender Application Control AppId Tagging policies (Windows) title: Deploying Windows Defender Application Control AppId tagging policies
description: How to deploy your WDAC AppId Tagging policies locally and globally within your managed environment description: How to deploy your WDAC AppId tagging policies locally and globally within your managed environment.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
author: jgeurten author: jgeurten
ms.reviewer: jsuther1974 ms.reviewer: jsuther1974
@ -18,35 +12,35 @@ ms.date: 04/29/2022
ms.technology: windows-sec ms.technology: windows-sec
--- ---
# Deploying Windows Defender Application Control AppId Tagging policies (Windows) # Deploying Windows Defender Application Control AppId tagging policies
**Applies to:** **Applies to:**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
- Windows Server 2016 and above - Windows Server 2016 and later
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](../feature-availability.md).
Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy: Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId tagging policy, use one of the following methods to deploy:
1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm) 1. [Deploy AppId tagging policies with MDM](#deploy-appid-tagging-policies-with-mdm)
1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager) 1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager)
1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting) 1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting)
1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp) 1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp)
## Deploy AppId Tagging Policies with MDM ## Deploy AppId tagging policies with MDM
Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri). Custom AppId tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
## Deploy AppId Tagging Policies with Configuration Manager ## Deploy AppId tagging policies with Configuration Manager
Custom AppId Tagging policies can deployed via Configuration Manager using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users. Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](../deployment/deploy-wdac-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
### Deploy AppId Tagging Policies via Scripting ### Deploy AppId tagging Policies via Scripting
Scripting hosts can be used to deploy AppId Tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. The [Deploy Windows Defender Application Control policies using script article](/deployment/deploy-wdac-policies-with-script.md) describes how to deploy WDAC AppId Tagging policies via scripting. Only the method for deploying to version 1903 and above is applicable for AppId Tagging policies. Scripting hosts can be used to deploy AppId tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. For more information on how to deploy WDAC AppId tagging policies via scripting, see [Deploy WDAC policies using script](../deployment/deploy-wdac-policies-with-script.md). For AppId tagging policies, the only applicable method is deploying to version 1903 or later.
### Deploying policies via the ApplicationControl CSP ### Deploying policies via the ApplicationControl CSP
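Review bot: the Configuration Manager sentence is now a comma splice that says the same thing twice: "Custom AppId tagging policies can be deployed via Configuration Manager using the [deployment task sequences](...), policies can be deployed to your managed endpoints and users." Suggest "Custom AppId tagging policies can be deployed to your managed endpoints and users via Configuration Manager using the [deployment task sequences](...)." Two heading issues in the same hunk: "### Deploy AppId tagging Policies via Scripting" keeps title case ("Policies", "Scripting") while the other headings in this commit were moved to sentence case, and the four deployment methods listed at the top are parallel options yet two are H2 ("## Deploy AppId tagging policies with MDM", "## Deploy AppId tagging policies with Configuration Manager") and two are H3 ("### Deploy AppId tagging Policies via Scripting", "### Deploying policies via the ApplicationControl CSP"); make all four the same level, and use "Deploy" rather than "Deploying" in the last one for parallelism. If the headings are reworded, recheck the intro anchors `#deploy-appid-tagging-policies-via-scripting` and `#deploying-policies-via-the-applicationcontrol-csp`, which match the current wording only. Minor: "can be deployed locally and to your managed endpoints several ways" reads better as "in several ways".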
@ -57,4 +51,4 @@ However, when policies are unenrolled from an MDM server, the CSP will attempt t
For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Endpoint Manager Intune's Custom OMA-URI capability. For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Endpoint Manager Intune's Custom OMA-URI capability.
> [!NOTE] > [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who can't directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies. > WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format Windows Defender Application Control policies.
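Review bot: "GP" in this note is not expanded anywhere in the visible text; write "Group Policy" so the abbreviation is clear. The old text capitalized "Multiple Policy Format" as a feature name and the new text lowercases it to "multiple policy format"; if it is the name of the policy format, keep the capitalization consistent with the ApplicationControl CSP article being linked.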

View File

@ -1,5 +1,5 @@
--- ---
title: Understanding Application Control event IDs (Windows) title: Understanding Application Control event IDs
description: Learn what different Windows Defender Application Control event IDs signify. description: Learn what different Windows Defender Application Control event IDs signify.
ms.prod: m365-security ms.prod: m365-security
ms.technology: windows-sec ms.technology: windows-sec
@ -47,7 +47,7 @@ A Windows Defender Application Control policy logs events locally in Windows Eve
| Event ID | Explanation | | Event ID | Explanation |
|--------|-----------| |--------|-----------|
| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. | | 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. |
| 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes.md). | | 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). |
| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | | 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). |
| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. |
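Review bot: the only change here, dropping `.md` from the Constrained Language Mode link in the 8029 row, matches the other cross-docset paths in this change (`/windows/client-management/...`, `/microsoft-365/...`), which carry no extension, while the same-folder link in the 8036 row correctly keeps `.md`. Style point on the unchanged 8038 row: `TotalSignatureCount` is an event field name and should be in code font, as `Correlation ActivityID` already is in the same row.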

View File

@ -1,11 +1,8 @@
--- ---
title: The Windows Security app title: The Windows Security app
description: The Windows Security app brings together common Windows security features into one place description: The Windows Security app brings together common Windows security features into one place.
keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium ms.localizationpriority: medium
author: dansimp author: dansimp
ms.author: dansimp ms.author: dansimp
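Review bot: `search.product: eADQiWindows 10XVcnh` is kept while `keywords`, `ms.mktglfcycl` and `ms.sitesec` are removed as legacy metadata; the retained value looks like an opaque token fused with "Windows 10" and is most likely legacy too, so confirm whether it belongs in the same cleanup. The trailing period added to `description` is consistent with the other descriptions in this change.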
@ -35,15 +32,15 @@ In Windows 10, version 1803, the app has two new areas: **Account protection** a
![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png) ![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png)
> [!NOTE] > [!NOTE]
> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). > The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
You can't uninstall the Windows Security app, but you can do one of the following: You can't uninstall the Windows Security app, but you can do one of the following actions:
- Disable the interface on Windows Server 2016. See [Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server). - Disable the interface on Windows Server 2016.
- Hide all of the sections on client computers (see below). - Hide all of the sections on client computers.
- Disable Microsoft Defender Antivirus, if needed. See [Enable and configure Microsoft Defender AV always-on protection and monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus). - Disable Microsoft Defender Antivirus, if needed. For more information, see [Enable and configure Microsoft Defender Antivirus always-on protection in group policy](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).
You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics: For more information about each section, options for configuring the sections, and how to hide each of them, see the following articles:
- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including Controlled folder access, and sign-in to Microsoft OneDrive. - [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including Controlled folder access, and sign-in to Microsoft OneDrive.
- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. - [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings.
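Review bot: the first bullet ("Disable the interface on Windows Server 2016.") loses its link to the Windows Server antivirus article while the third bullet keeps its "For more information" link, leaving readers with no pointer for the server case; suggest keeping `[Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server)` or folding it into a "For more information" sentence like the third bullet. Dropping "(see below)" from the second bullet is fine, since the next paragraph still introduces the per-section articles.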
@ -51,16 +48,16 @@ You can find more information about each section, including options for configur
- [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. - [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations.
- [Device security](wdsc-device-security.md), which provides access to built-in device security settings. - [Device security](wdsc-device-security.md), which provides access to built-in device security settings.
- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. - [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues.
- [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. - [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.
> [!NOTE] > [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot: > If you hide all sections then the app will show a restricted interface, as in the following screenshot:
> >
> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png) > ![Windows Security app with all sections hidden by group policy.](images/wdsc-all-hide.png)
## Open the Windows Security app ## Open the Windows Security app
- Click the icon in the notification area on the taskbar. - Select the icon in the notification area on the taskbar.
![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png) ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png)
- Search the Start menu for **Windows Security**. - Search the Start menu for **Windows Security**.
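Review bot: "which include access to parental controls" in the Family options bullet is now inconsistent with the neighbouring bullets, which treat each item as a single section ("which has", "which provides", "covering"); either keep "includes" or reword the bullet so all items agree. The "Click" to "Select" change and the lowercased "group policy" in the screenshot alt text are fine.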
@ -71,23 +68,23 @@ You can find more information about each section, including options for configur
![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png) ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png)
> [!NOTE] > [!NOTE]
> Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. > Settings configured with management tools, such as group policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security.
## How the Windows Security app works with Windows security features ## How the Windows Security app works with Windows security features
> [!IMPORTANT] > [!IMPORTANT]
> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes. > Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
> >
> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service ([*wscsvc*](/previous-versions/windows/it-pro/windows-xp/bb457154(v=technet.10)#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. > The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
> >
>These services do not affect the state of Microsoft Defender Antivirus. Disabling or modifying these services will not disable Microsoft Defender Antivirus, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. > These services don't affect the state of Microsoft Defender Antivirus. Disabling or modifying these services won't disable Microsoft Defender Antivirus. It will lead to a lowered protection state on the endpoint, even if you're using a third-party antivirus product.
> >
>Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). > Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
> >
> Disabling the Windows Security Center Service will not disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md). > Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
> [!WARNING] > [!WARNING]
> If you disable the Windows Security Center Service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. > If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
> >
> It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. > It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
> >
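Review bot: in the IMPORTANT note, splitting "Disabling or modifying these services ... will lead to a lowered protection state" into two sentences leaves "It will lead to a lowered protection state" with no clear subject; suggest "Doing so will still lead to a lowered protection state on the endpoint ...". The NOTE line also drops the sentence pointing readers to the per-section articles for configuring the associated features; if that is intentional, the "see the following articles" list earlier on the page still covers it, otherwise keep the pointer. Unchanged wording "the settings in the Windows Security" (and the alt text "available in the Windows Security") is missing the word "app".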
@ -97,9 +94,9 @@ The Windows Security app operates as a separate app or process from each of the
It acts as a collector or single place to see the status and perform some configuration for each of the features. It acts as a collector or single place to see the status and perform some configuration for each of the features.
Disabling any of the individual features (through Group Policy or other management tools, such as Microsoft Endpoint Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. If you disable any of the individual features, it will prevent that feature from reporting its status in the Windows Security app. For example, if you disable a feature through group policy or other management tools, such as Microsoft Endpoint Configuration Manager. The Windows Security app itself will still run and show status for the other security features.
> [!IMPORTANT] > [!IMPORTANT]
> Individually disabling any of the services will not disable the other services or the Windows Security app. > If you individually disable any of the services, it won't disable the other services or the Windows Security app.
For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
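Review bot: the rewritten paragraph contains a sentence fragment: "For example, if you disable a feature through group policy or other management tools, such as Microsoft Endpoint Configuration Manager." Suggest merging it back into the first sentence: "If you disable any of the individual features, for example through group policy or other management tools such as Microsoft Endpoint Configuration Manager, that feature will stop reporting its status in the Windows Security app." The IMPORTANT note rewrite ("If you individually disable any of the services, it won't disable ...") has the same dangling "it"; "Individually disabling any of the services doesn't disable the other services or the Windows Security app" avoids it.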

View File

@ -15,68 +15,66 @@ ms.technology: windows-sec
# Security baselines # Security baselines
## Using security baselines in your organization
## Using security baselines in your organization Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft 365 apps for enterprise and Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.
Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft 365 apps for enterprise and Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities.
Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.
We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This industry-standard configuration helps increase flexibility and reduce costs. We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This industry-standard configuration helps increase flexibility and reduce costs.
Here's a good blog about [Sticking with Well-Known and Proven Solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions). For more information, see the following blog post: [Sticking with well-known and proven solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions).
## What are security baselines? ## What are security baselines?
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be different from another organization. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. A security baseline is a group of Microsoft-recommended configuration settings that explains their security implication. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
## Why are security baselines needed? ## Why are security baselines needed?
Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers. Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers.
For example, there are over 3,000 Group Policy settings for Windows 10, which doesn't include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting. For example, there are over 3,000 group policy settings for Windows 10, which doesn't include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security implication of each setting on your own. Then, you would still need to determine the appropriate value for each setting.
In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups. In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as group policy object backups.
## Baseline principles ## Baseline principles
Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially: Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially:
- The baselines are designed for well-managed, security-conscious organizations in which standard end users don't have administrative rights.
- A baseline enforces a setting only if it mitigates a contemporary security threat and doesn't cause operational issues that are worse than the risks they mitigate.
- A baseline enforces a default only if it's otherwise likely to be set to an insecure state by an authorized user:
- If a non-administrator can set an insecure state, enforce the default.
- If setting an insecure state requires administrative rights, enforce the default only if it's likely that a misinformed administrator will otherwise choose poorly.
## How can you use security baselines? - The baselines are designed for well-managed, security-conscious organizations in which standard end users don't have administrative rights.
- A baseline enforces a setting only if it mitigates a contemporary security threat and doesn't cause operational issues that are worse than the risks they mitigate.
- A baseline enforces a default only if it's otherwise likely to be set to an insecure state by an authorized user:
- If a non-administrator can set an insecure state, enforce the default.
- If setting an insecure state requires administrative rights, enforce the default only if it's likely that a misinformed administrator will otherwise choose poorly.
You can use security baselines to: ## How can you use security baselines?
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
## Where can I get the security baselines? You can use security baselines to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use group policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
## Where can I get the security baselines?
There are several ways to get and use security baselines: There are several ways to get and use security baselines:
1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. You can also [Get Support for the security baselines](get-support-for-security-baselines.md) 1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The SCT also includes tools to help you manage the security baselines. You can also [get support for the security baselines](get-support-for-security-baselines.md)
2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate these baselines into an existing MDM management tool. 2. [Mobile device management (MDM) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate these baselines into an existing MDM management tool.
3. MDM Security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and 11. The following article provides the detail steps: [Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all). 3. MDM security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
## Community ## Community
[![Microsoft Security Guidance Blog.](./../images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) [![Microsoft Security Guidance Blog.](./../images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
## Related Videos ## Related videos
You may also be interested in this msdn channel 9 video: > [!VIDEO https://learn-video.azurefd.net/vod/player?show=defrag-tools&ep=174-security-baseline-policy-analyzer-lgpo]
- [Defrag Tools](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-174-Security-Baseline-Policy-Analyzer-and-LGPO)
## See Also ## See also
- [Microsoft Endpoint Configuration Manager](/configmgr/) - [Microsoft Security Guidance Blog](/archive/blogs/secguide/)
- [Azure Monitor](/azure/azure-monitor/) - [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319)
- [Microsoft Security Guidance Blog](/archive/blogs/secguide/)
- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
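Review bot: the typo "can easily be configures" in item 3 of "Where can I get the security baselines?" survives the rewrite and should read "configured". In item 1 the new text says the SCT "comprises tools that can assist admins in managing baselines" and then "The SCT also includes tools to help you manage the security baselines", which is redundant, and the closing sentence "You can also [get support for the security baselines](...)" still lacks a period. Changing "security impact" to "security implication" (singular) in both places reads oddly; "security implications" or the original "security impact" is clearer. Replacing the Channel 9 link with the `[!VIDEO ...]` embed and pruning the See also list to the blog and toolkit are fine.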