From 2f03d61118ea563ab2ef7f6cd63b984ff3cc2596 Mon Sep 17 00:00:00 2001
From: scottmca <89857809+scottmca@users.noreply.github.com>
Date: Thu, 9 Mar 2023 15:14:52 -0500
Subject: [PATCH 01/22] Update provisioning-install-icd.md

Customer could not find this issue because of the lack of good description.  Added some additional keyboards/description to help customers find this issue better
---
 .../provisioning-packages/provisioning-install-icd.md           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 8796ceac18..9e11f2f5e5 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -57,7 +57,7 @@ On devices running Windows client, you can install [the Windows Configuration De
 
 - When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens.  You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-).
  
-- Windows Configuration Designer doesn't work properly if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device.
+- Windows Configuration Designer will not up to the standard size button with steps for the guided wizard.  Each step will be oversized button with no description to the left if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device.
 
 - You can only run one instance of Windows Configuration Designer on your computer at a time.
 

From 1d3fed16a05067e7c84603175a1f341e33cc3f3f Mon Sep 17 00:00:00 2001
From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com>
Date: Thu, 9 Mar 2023 13:03:34 -0800
Subject: [PATCH 02/22] Update windows-11-se-overview.md

---
 education/windows/windows-11-se-overview.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 47ef842ab2..1508376333 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -124,7 +124,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `MetaMoJi ClassRoom`                      | 3.12.4.0          | `Store`  | `MetaMoJi Corporation`                    |
 | `Microsoft Connect`                       | 10.0.22000.1      | `Store`  | `Microsoft`                               |
 | `Mozilla Firefox`                         | 105.0.0           | Win32    | `Mozilla`                                 |
-| `NAPLAN`                                  | 5.2.2             | Win32    | `NAP`                                     |
+| `NAPLAN`                                  | 2.5.0             | Win32    | `NAP`                                     |
 | `Netref Student`                          | 22.2.0            | Win32    | `NetRef`                                  |
 | `NetSupport Manager`                      | 12.01.0014        | Win32    | `NetSupport`                              |
 | `NetSupport Notify`                       | 5.10.1.215        | Win32    | `NetSupport`                              |

From b186f0d7cd7366a2ff7f6efcd24cac754d5d8d2f Mon Sep 17 00:00:00 2001
From: tiaraquan <tiaraquan@microsoft.com>
Date: Thu, 9 Mar 2023 14:14:48 -0800
Subject: [PATCH 03/22] M365 Updates.

---
 ...autopatch-microsoft-365-apps-enterprise.md | 41 ++++++++-----------
 1 file changed, 18 insertions(+), 23 deletions(-)

diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index a196916be3..4ab698b3e2 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft 365 Apps for enterprise
 description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
-ms.date: 02/28/2023
+ms.date: 03/09/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -16,7 +16,12 @@ ms.reviewer: hathind
 
 ## Service level objective
 
-Windows Autopatch aims to keep at least 90% of eligible devices on a [supported version](/deployoffice/overview-update-channels#support-duration-for-monthly-enterprise-channel) of the Monthly Enterprise Channel (MEC) for [Enterprise Standard Suite](/deployoffice/about-microsoft-365-apps) (Access, Excel, OneNote, Outlook, PowerPoint, and Word). Microsoft 365 Apps deployed on the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) are supported for two months.
+Windows Autopatch aims to keep at least 90% of eligible devices on a [supported version](/deployoffice/overview-update-channels#support-duration-for-monthly-enterprise-channel) of the Monthly Enterprise Channel (MEC) for the:
+
+- [Enterprise Standard Suite](/deployoffice/about-microsoft-365-apps). The Enterprise Standard Suite includes Access, Excel, OneNote, Outlook, PowerPoint, and Word.
+- Subscription versions of Microsoft Project and Visio desktop apps, for example, Project Plan 3 or Visio Plan 2.
+
+Microsoft 365 Apps deployed on the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) are supported for two months.
 
 > [!NOTE]
 > [Microsoft Teams](../operate/windows-autopatch-teams.md) uses a different update channel from the rest of Microsoft 365 Apps.
@@ -25,8 +30,11 @@ Windows Autopatch aims to keep at least 90% of eligible devices on a [supported
 
 For a device to be eligible for Microsoft 365 Apps for enterprise updates (both 32-bit and 64-bit versions), as a part of Windows Autopatch, they must meet the following criteria:  
 
+- The device must be turned on and have an internet connection.
+- The device must be able to access the [required network endpoints](../prepare/windows-autopatch-configure-network#required-microsoft-product-endpoints) to reach the Office Content Delivery Network (CDN).
 - There are no policy conflicts between Microsoft Autopatch policies and customer policies.
 - The device must have checked into the Intune service in the last five days.
+- If Microsoft 365 Apps are running, the apps must close for the update process to complete.
 
 ## Update release schedule
 
@@ -47,21 +55,13 @@ Windows Autopatch configures the following end user experiences:
 
 ### Behavior during updates
 
-Updates are only applied when Microsoft 365 Apps aren't running. Therefore, notifications usually appear because the user is working in a Microsoft 365 App, such as Microsoft Outlook, and hasn't closed it in several days.
+> [!NOTE]
+> If Microsoft 365 Apps are running, the apps must close for the update process to complete.
 
-Once the device downloads the update, users are given notifications leading up to the deadline. They'll receive the following message in the notification area in Windows, reminding them to apply the updates.
+Updates are only applied when Microsoft 365 Apps aren't running. Therefore, [end user notifications for Microsoft 365 Apps](/deployoffice/updates/end-user-update-notifications-microsoft-365-apps) usually appear when:
 
-*Updates ready to be applied
-Updates are required by your system admin are blocked by one or more apps. Office will restart at mm/dd/yyyy h:mm AM/PM to apply updates.*
-
-Alternatively, users can select **Update now** to apply the updates. Users are prompted to close all open Office programs. After the updates are applied, the message disappears.
-
-When the deadline arrives and the updates still aren't applied, users will:
-
-1. See a dialog box that warns them that they have 15 minutes before the updates are applied.
-1. Have 15 minutes to save and close any work.
-
-When the countdown reaches 00∶00, any open Office programs are closed, and the updates are applied.
+- The user is working in a Microsoft 365 App, such as Microsoft Outlook, and hasn't closed it in several days.
+- The update [deadline arrives](/deployoffice/updates/end-user-update-notifications-microsoft-365-apps#notifications-your-users-see-when-you-set-an-update-deadline-for-microsoft-365-apps) and the updates still aren't applied.
 
 ### Office client app configuration
 
@@ -69,17 +69,12 @@ To ensure that users are receiving automatic updates, Windows Autopatch prevents
 
 ## Microsoft 365 Apps for enterprise update controls
 
-If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might pause the update by forcing Microsoft 365 Apps to stay on a specific version.  
+Windows Autopatch doesn't allow you to pause or rollback an update in the Microsoft Intune admin center.  
 
-Windows Autopatch will either:
-
-- Choose to stay on the previous version for devices that haven't received the update yet.
-- Force all devices to roll back to the previous version.
+Please [submit a support request](../operate/windows-autopatch-support-request.md) to the Windows Autopatch Service Engineering Team to pause or rollback an update when needed.
 
 > [!NOTE]
-> Windows Autopatch doesn't allow you to:<ul><li>Pause or rollback an update in the Microsoft Intune admin center</li><li>Submit a request to the Windows Autopatch Service Engineering Team to pause or rollback an update</li>
-
-Updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). Therefore, we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.  
+> Updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). Therefore, we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.  
 
 ## Allow or block Microsoft 365 App updates
 

From 5922c4941bbb4ff157b2fc15817b606a73fa9606 Mon Sep 17 00:00:00 2001
From: tiaraquan <tiaraquan@microsoft.com>
Date: Thu, 9 Mar 2023 14:21:42 -0800
Subject: [PATCH 04/22] Fixed link

---
 .../operate/windows-autopatch-microsoft-365-apps-enterprise.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 4ab698b3e2..ba927a7467 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -31,7 +31,7 @@ Microsoft 365 Apps deployed on the [Monthly Enterprise Channel](/deployoffice/ov
 For a device to be eligible for Microsoft 365 Apps for enterprise updates (both 32-bit and 64-bit versions), as a part of Windows Autopatch, they must meet the following criteria:  
 
 - The device must be turned on and have an internet connection.
-- The device must be able to access the [required network endpoints](../prepare/windows-autopatch-configure-network#required-microsoft-product-endpoints) to reach the Office Content Delivery Network (CDN).
+- The device must be able to access the [required network endpoints](../prepare/windows-autopatch-configure-network.md#required-microsoft-product-endpoints) to reach the Office Content Delivery Network (CDN).
 - There are no policy conflicts between Microsoft Autopatch policies and customer policies.
 - The device must have checked into the Intune service in the last five days.
 - If Microsoft 365 Apps are running, the apps must close for the update process to complete.

From c1d7db8676b947b4121e6b20ca86e99e8b2ef91f Mon Sep 17 00:00:00 2001
From: tiaraquan <tiaraquan@microsoft.com>
Date: Thu, 9 Mar 2023 14:25:18 -0800
Subject: [PATCH 05/22] Acrolinx score

---
 .../windows-autopatch-microsoft-365-apps-enterprise.md        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index ba927a7467..1f1c7f6b61 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -69,9 +69,9 @@ To ensure that users are receiving automatic updates, Windows Autopatch prevents
 
 ## Microsoft 365 Apps for enterprise update controls
 
-Windows Autopatch doesn't allow you to pause or rollback an update in the Microsoft Intune admin center.  
+Windows Autopatch doesn't allow you to pause or roll back an update in the Microsoft Intune admin center.  
 
-Please [submit a support request](../operate/windows-autopatch-support-request.md) to the Windows Autopatch Service Engineering Team to pause or rollback an update when needed.
+Please [submit a support request](../operate/windows-autopatch-support-request.md) to the Windows Autopatch Service Engineering Team to pause or roll back an update when needed.
 
 > [!NOTE]
 > Updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). Therefore, we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.  

From 37a57771cd3bf742b710c99065801d4ef4148e08 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann <v-angelaf@microsoft.com>
Date: Thu, 9 Mar 2023 16:12:33 -0700
Subject: [PATCH 06/22] Update windows/deployment/update/waas-wu-settings.md

Line 283: HTML might be allowed in situations for which no Markdown equivalent exists, but Markdown includes syntax to link to headings.
---
 windows/deployment/update/waas-wu-settings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 63f165899e..e98f58418b 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -280,7 +280,7 @@ if (!(Test-Path $registryPath))
 New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
 ```
 
-## <a name="allow-windows-update-before-initial-sign-in"> </a> Allow Windows updates to install before initial user sign-in
+##Allow Windows updates to install before initial user sign-in
 *(Starting in Windows 11, version 22H2)*
 
 On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later.  

From 9ef96aec65e804ffe862ee1f7d6e580b799505f5 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann <v-angelaf@microsoft.com>
Date: Thu, 9 Mar 2023 16:13:47 -0700
Subject: [PATCH 07/22] Update waas-wu-settings.md

Line 254: Delete HTML from heading.
---
 windows/deployment/update/waas-wu-settings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index e98f58418b..f1013144ef 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -251,7 +251,7 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
 
    This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
 
-## <a name="bkmk_display-name"> </a> Display organization name in Windows Update notifications
+##Display organization name in Windows Update notifications
 <!--6286260-->
 When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.  
   

From 3b34a4bf07719d15e4686fe8c12ff44d54145f7b Mon Sep 17 00:00:00 2001
From: Angela Fleischmann <v-angelaf@microsoft.com>
Date: Thu, 9 Mar 2023 16:29:43 -0700
Subject: [PATCH 08/22] Update waas-wu-settings.md

Lines35-36: Fix bookmark links.
---
 windows/deployment/update/waas-wu-settings.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index f1013144ef..bf33dd304a 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -32,8 +32,8 @@ You can use Group Policy settings or mobile device management (MDM) to configure
 | [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
 | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
 | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
-| |  [Windows Update notifications display organization name](#bkmk_display-name) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
-| | [Allow Windows updates to install before initial user sign-in](#allow-windows-update-before-initial-sign-in) | Windows 11 version 22H2 |
+| |  [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
+| | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) | Windows 11 version 22H2 |
 
 >[!IMPORTANT]
 >Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.

From 9a0efaeba7270d87f37a03f52ebe935ae647cac7 Mon Sep 17 00:00:00 2001
From: tiaraquan <tiaraquan@microsoft.com>
Date: Fri, 10 Mar 2023 07:25:57 -0800
Subject: [PATCH 09/22] Added What's new

---
 .../operate/windows-autopatch-microsoft-365-apps-enterprise.md | 2 +-
 .../whats-new/windows-autopatch-whats-new-2023.md              | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 1f1c7f6b61..f6f4977af8 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -71,7 +71,7 @@ To ensure that users are receiving automatic updates, Windows Autopatch prevents
 
 Windows Autopatch doesn't allow you to pause or roll back an update in the Microsoft Intune admin center.  
 
-Please [submit a support request](../operate/windows-autopatch-support-request.md) to the Windows Autopatch Service Engineering Team to pause or roll back an update when needed.
+[Submit a support request](../operate/windows-autopatch-support-request.md) to the Windows Autopatch Service Engineering Team to pause or roll back an update when needed.
 
 > [!NOTE]
 > Updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). Therefore, we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.  
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index ee5217f848..722b2d6052 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -24,7 +24,8 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 
 | Article | Description |
 | ----- | ----- |
-| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview. |
+| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated entire article |
+| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview |
 
 ### March service release
 

From 95645375832a06d0c150c32c99298415c98091a3 Mon Sep 17 00:00:00 2001
From: tiaraquan <tiaraquan@microsoft.com>
Date: Fri, 10 Mar 2023 07:34:58 -0800
Subject: [PATCH 10/22] Date

---
 .../operate/windows-autopatch-microsoft-365-apps-enterprise.md  | 2 +-
 .../whats-new/windows-autopatch-whats-new-2023.md               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index f6f4977af8..d66133408f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft 365 Apps for enterprise
 description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
-ms.date: 03/09/2023
+ms.date: 03/10/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 722b2d6052..e4085bea58 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 03/08/2023
+ms.date: 03/10/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new

From 36b060296db67f0e256401fdf4e3127fea9a12b6 Mon Sep 17 00:00:00 2001
From: tiaraquan <tiaraquan@microsoft.com>
Date: Fri, 10 Mar 2023 07:36:44 -0800
Subject: [PATCH 11/22] Date

---
 .../operate/windows-autopatch-microsoft-365-apps-enterprise.md  | 2 +-
 .../whats-new/windows-autopatch-whats-new-2023.md               | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index d66133408f..43d2a3e596 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft 365 Apps for enterprise
 description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
-ms.date: 03/10/2023
+ms.date: 03/10/2023 
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index e4085bea58..b877deab2e 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -8,7 +8,7 @@ ms.topic: whats-new
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
-manager: dougeby
+manager: dougeby 
 ms.reviewer: hathind
 ---
 

From 509670a105a74049b570281127aab9e21e7b50e4 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 10 Mar 2023 10:49:28 -0500
Subject: [PATCH 12/22] updates to WHFB articles

---
 .../hello-adequate-domain-controllers.md      | 26 +++++++-------
 .../hello-feature-dynamic-lock.md             | 36 ++++++++-----------
 .../hello-feature-pin-reset.md                | 15 +++-----
 3 files changed, 33 insertions(+), 44 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 32dc3ba63e..7a9614f71c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,23 +1,23 @@
 ---
 title: Having enough Domain Controllers for Windows Hello for Business deployments
-description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
-ms.date: 08/20/2018
+description: Guide for planning to have an adequate number of Domain Controllers for Windows Hello for Business deployments
+ms.date: 03/10/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
-ms.topic: article
+ms.topic: conceptual
 ---
-# Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
+# Plan an adequate number of Domain Controllers for Windows Hello for Business deployments
 
 > [!NOTE]
->There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044).
+>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/help/4487044/windows-10-update-kb4487044).
 
 ## How many is adequate
 
 How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic.  Windows Server 2016 and above includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged.
 
 Windows 10 or Windows 11 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller.
-  
+
 Determining an adequate number of Windows Server domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding a domain controller that supports public key mapping (in this case Windows Server 2016 or later) to a deployment of existing domain controllers which do not support public key mapping (Windows Server 2008R2, Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario:
 
 Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:
@@ -55,7 +55,7 @@ The preceding was an example to show why it's unrealistic to have a "one-size-fi
 ## Determining total AS Request load
 
 Each organization needs to have a baseline of the AS request load that occurs in their environment. Windows Server provides the KDC AS Requests performance counter that helps you determine this.
-  
+
 Pick a site where you plan to upgrade the clients to Windows Hello for Business public key trust.  Pick a time when authentication traffic is most significant--Monday morning is great time as everyone is returning to the office. Enable the performance counter on *all* the domain controllers in that site.  Collect KDC AS Requests performance counters for two hours:
 
 - A half-hour before you expect initial authentication (sign-ins and unlocks) to be significant
@@ -72,15 +72,15 @@ Aggregate the performance data of all domain controllers. Look for the maximum K
 Add the number of authentications for each domain controller for the median time. You now have the total authentication for the site during a peak time. Using this metric, you can determine the distribution of authentication across the domain controllers in the site by dividing the domain controller's authentication number for the median time by the total authentication. Multiply the quotient by 10 to convert the distribution to a percentage. To validate your math, all the distributions should equal 100 percent.
 
 Review the distribution of authentication. Hopefully, none of these are above 70 percent. It's always good to reserve some capacity for the unexpected. Also, the primary purposes of a domain controller are to provide authentication and handle Active Directory operations. Identify domain controllers with lower distributions of authentication as potential candidates for the initial domain controller upgrades in conjunction with a reasonable distribution of clients provisioned for Windows Hello for Business.
-  
+
 ## Monitoring Authentication
 
 Using the same methods described above, monitor the Kerberos authentication after upgrading a domain controller and your first phase of Windows Hello for Business deployments. Make note of the delta of authentication before and after upgrading the domain controller to Windows Server 2016 or newer. This delta is representative of authentication resulting from the first phase of your Windows Hello for Business clients. It gives you a baseline for your environment to where you can form a statement such as:
 
 ```"Every n Windows Hello for Business clients results in x percentage of key-trust authentication."```
 
-Where *n* equals the number of clients you switched to Windows Hello for Business and _x_ equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
-  
+Where *n* equals the number of clients you switched to Windows Hello for Business and *x* equals the increased percentage of authentication from the upgraded domain controller. Armed with this information, you can apply the observations of upgrading domain controllers and increasing Windows Hello for Business client count to appropriately phase your deployment.
+
 Remember, increasing the number of clients changes the volume of authentication distributed across the Windows Server 2016 or newer domain controllers. If there is only one Windows Server 2016 or newer domain controller, there's no distribution and you are simply increasing the volume of authentication for which THAT domain controller is responsible.
 
 Increasing the number of domain controllers distributes the volume of authentication, but doesn't change it.  Therefore, as you add more domain controllers, the burden of authentication, for which each domain controller is responsible, decreases. Upgrading two domain controller changes the distribution to 50 percent. Upgrading three domain controllers changes the distribution to 33 percent, and so on.
@@ -88,9 +88,9 @@ Increasing the number of domain controllers distributes the volume of authentica
 ## Strategy
 
 The simplest strategy you can employ is to upgrade one domain controller and monitor the single domain controller as you continue to phase in new Windows Hello for Business key-trust clients until it reaches a 70 or 80 percent threshold.
-  
+
 Then, upgrade a second domain controller. Monitor the authentication on both domain controllers to determine how the authentication distributes between the two domain controllers. Introduce more Windows Hello for Business clients while monitoring the authentication on the two upgraded domain controllers. Once those reach your environment's designated capacity, you can upgrade another domain controller.
-  
+
 Repeat until your deployment for that site is complete.  Now, monitor authentication across all your domain controllers like you did the very first time.  Determine the distribution of authentication for each domain controller.  Identify the percentage of distribution for which it is responsible. If a single domain controller is responsible for 70 percent of more of the authentication, you may want to consider adding a domain controller to reduce the distribution of authentication volume.
-  
+
 However, before considering this, ensure the high load of authentication is not a result of applications and services where their configuration has a statically-configured domain controller. Adding domain controllers will not resolve the additional authentication load problem in this scenario.  Instead, manually distribute the authentication to different domain controllers among all the services or applications.  Alternatively, try simply using the domain name rather than a specific domain controller.  Each domain controller has an A record registered in DNS for the domain name, which DNS will round robin with each DNS query. It's not the best load balancer, however, it is a better alternative to static domain controller configurations, provided the configuration is compatible with your service or application.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 9f461f9697..9268eb6f52 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,33 +1,38 @@
 ---
 title: Dynamic lock
-description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.date: 07/12/2022
+description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
+ms.date: 03/10/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-ms.topic: article
+ms.topic: how-to
 ---
 
 # Dynamic lock
 
-Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
+Dynamic lock is a feature that automatically locks a Windows device when a Bluetooth paired phone signal falls below the maximum Received Signal Strength Indicator (RSSI) value. The feature makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
 
 > [!IMPORTANT]
-> This feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system isn't idle (for example, an intruder gets access _before_ the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. It only reduces the probability of someone gaining access if the user forgets to lock it.
+> The dynamic lock feature only locks the device if the Bluetooth signal falls **and** the system is idle. If the system isn't idle (for example, an intruder gets access *before* the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. It only reduces the probability of someone gaining access if the user forgets to lock it.
 
-You configure the dynamic lock policy using Group Policy.  You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.  The name of the policy is **Configure dynamic lock factors**.
+You can configure Windows devices to use the **dynamic lock** using a Group Policy Object (GPO).
+
+1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
+1. Edit the Group Policy object from Step 1.
+1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
+1. Close the Group Policy Management Editor to save the Group Policy object.
 
 The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
 
-```
+```xml
 <rule schemaVersion="1.0">
-	<signal type="bluetooth" scenario="Dynamic Lock" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
+    <signal type="bluetooth" scenario="Dynamic Lock" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
 </rule>
 ```
 
 >[!IMPORTANT]
 >Microsoft recommends using the default values for this policy settings.  Measurements are relative based on the varying conditions of each environment.  Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
 
-For this policy setting, the **type** and **scenario** attribute values are static and cannot change.  The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phones and uses the values from the following table:
+For this policy setting, the **type** and **scenario** attribute values are static and can't change.  The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
 
 |Description|Value|
 |:-------------|:-------:|
@@ -43,17 +48,6 @@ For this policy setting, the **type** and **scenario** attribute values are stat
 |Health|2304|
 |Uncategorized|7936|
 
-The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range".  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.  
+The **rssiMin** attribute value signal indicates the strength needed for the device to be considered *in-range*.  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.  
 
 RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
-
-## Related topics
-
-* [Windows Hello for Business](hello-identity-verification.md)
-* [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-* [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-* [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-* [Windows Hello and password changes](hello-and-password-changes.md)
-* [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
-* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 7b1fdf338f..ea7e72e5d4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -4,10 +4,10 @@ description: Learn how Microsoft PIN reset services enable you to help users rec
 ms.collection: 
   - highpri
   - tier1
-ms.date: 07/29/2022
+ms.date: 03/10/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-ms.topic: article
+ms.topic: how-to
 ---
 
 # PIN reset
@@ -20,12 +20,10 @@ There are two forms of PIN reset:
 - **Non-destructive PIN reset**: with this option, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For non-destructive PIN reset, you must deploy the **Microsoft PIN Reset Service** and configure your clients' policy to enable the **PIN Recovery** feature.
 ## Using PIN reset
 
-
 There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
 
 Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
 
-
 >[!IMPORTANT]
 >For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
 
@@ -35,7 +33,6 @@ Destructive and non-destructive PIN reset use the same steps for initiating a PI
 1. Open **Settings**, select **Accounts** > **Sign-in options**.
 1. Select **PIN (Windows Hello)** > **I forgot my PIN** and follow the instructions.
 
-
 ### Reset PIN above the Lock Screen
 
 For Azure AD-joined devices:
@@ -46,7 +43,6 @@ For Azure AD-joined devices:
 1. Follow the instructions provided by the provisioning process.
 1. When finished, unlock your desktop using your newly created PIN.
 
-
 For Hybrid Azure AD-joined devices:
 
 1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
@@ -58,14 +54,14 @@ For Hybrid Azure AD-joined devices:
 > [!NOTE]
 > Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
 
-You may find that PIN reset from settings only works post login. Also, the "lock screen" PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+You may find that PIN reset from settings only works post login. Also, the lock screen PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
 
 ## Non-Destructive PIN reset
 
 **Requirements:**
 
 - Azure Active Directory
-- Windows 10, version 1709 to 1809, Enterprise Edition. There's no licensing requirement for this feature since version 1903.
+- Windows Enterprise and Pro editions. There's no licensing requirement for this feature.
 - Hybrid Windows Hello for Business deployment
 - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
 
@@ -83,7 +79,7 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
 |Category|Destructive PIN Reset|Non-Destructive PIN Reset|
 |--- |--- |--- |
 |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
-|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There isn't any licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
+|**Windows editions and versions**| Windows Enterprise and Pro editions.|
 |**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
 |**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
 |**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
@@ -94,7 +90,6 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
 
 > The **Microsoft PIN Reset Service** is not currently available in Azure Government.
 
-
 ### Enable the Microsoft PIN Reset Service in your Azure AD tenant
 
 Before you can remotely reset PINs, you must register two applications in your Azure Active Directory tenant:

From 06910d2a61c6c8c4712ddac7169a0a65e8badd9d Mon Sep 17 00:00:00 2001
From: scottmca <89857809+scottmca@users.noreply.github.com>
Date: Fri, 10 Mar 2023 10:50:28 -0500
Subject: [PATCH 13/22] Update provisioning-install-icd.md

fixing typo in original request
---
 .../provisioning-packages/provisioning-install-icd.md           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 9e11f2f5e5..c99c866a8c 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -57,7 +57,7 @@ On devices running Windows client, you can install [the Windows Configuration De
 
 - When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens.  You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-).
  
-- Windows Configuration Designer will not up to the standard size button with steps for the guided wizard.  Each step will be oversized button with no description to the left if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device.
+- Windows Configuration Designer will not display the the standard size buttons with steps for the guided wizard.  Each step will be oversized button with no description to the left if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device.
 
 - You can only run one instance of Windows Configuration Designer on your computer at a time.
 

From d39bf963d04928f2a9df8a9bf720f88da124b9f4 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 10 Mar 2023 10:52:57 -0500
Subject: [PATCH 14/22] udpate

---
 .../hello-for-business/hello-adequate-domain-controllers.md   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 7a9614f71c..6607d17abb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,6 +1,6 @@
 ---
-title: Having enough Domain Controllers for Windows Hello for Business deployments
-description: Guide for planning to have an adequate number of Domain Controllers for Windows Hello for Business deployments
+title: Plan an adequate number of Domain Controllers for Windows Hello for Business deployments
+description: Learn how to plan for an adequate number of Domain Controllers to support Windows Hello for Business deployments.
 ms.date: 03/10/2023
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

From 41cca4f4c59ee157814dfdcdf58bcc76d6ffd69b Mon Sep 17 00:00:00 2001
From: Thomas Raya <v-thraya@microsoft.com>
Date: Fri, 10 Mar 2023 08:15:06 -0800
Subject: [PATCH 15/22] Update waas-wu-settings.md

---
 windows/deployment/update/waas-wu-settings.md | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index bf33dd304a..002382ce1f 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -33,7 +33,6 @@ You can use Group Policy settings or mobile device management (MDM) to configure
 | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
 | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
 | |  [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
-| | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) | Windows 11 version 22H2 |
 
 >[!IMPORTANT]
 >Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
@@ -279,17 +278,3 @@ if (!(Test-Path $registryPath))
 
 New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
 ```
-
-##Allow Windows updates to install before initial user sign-in
-*(Starting in Windows 11, version 22H2)*
-
-On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later.  
-
-In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in:
-
-- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
-- **DWORD value name**: ScanBeforeInitialLogonAllowed
-- **Value data**: 1
-
-> [!Warning]
-> This value is designed to be used only for scenarios with a deferred initial user sign in. Setting this value on devices where initial user sign in isn't delayed could have a detrimental effect on performance since it may allow update work to occur as the user is signing in for the first time.

From a2d6ee55edaf418bbc8c202f1fbbb0a87a07359a Mon Sep 17 00:00:00 2001
From: Thomas Raya <v-thraya@microsoft.com>
Date: Fri, 10 Mar 2023 08:16:27 -0800
Subject: [PATCH 16/22] Update windows/deployment/update/waas-wu-settings.md

---
 windows/deployment/update/waas-wu-settings.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 002382ce1f..19c313af57 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -250,7 +250,7 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
 
    This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
 
-##Display organization name in Windows Update notifications
+## Display organization name in Windows Update notifications
 <!--6286260-->
 When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.  
   

From d75fe7196f6a067f6bdbcf10e8493e7525743ea8 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 10 Mar 2023 12:20:23 -0500
Subject: [PATCH 17/22] Updating for style, clarity, and grammar

Updating for style, clarity, and grammar
---
 .../provisioning-packages/provisioning-install-icd.md           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index c99c866a8c..e92747be63 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -57,7 +57,7 @@ On devices running Windows client, you can install [the Windows Configuration De
 
 - When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens.  You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-).
  
-- Windows Configuration Designer will not display the the standard size buttons with steps for the guided wizard.  Each step will be oversized button with no description to the left if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device.
+- Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step will display oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons won't be displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled.
 
 - You can only run one instance of Windows Configuration Designer on your computer at a time.
 

From 36d39dbfcea1289fd1fab4ece2fd9b24c3210e48 Mon Sep 17 00:00:00 2001
From: jsuther1974 <jsuther@microsoft.com>
Date: Fri, 10 Mar 2023 11:02:27 -0800
Subject: [PATCH 18/22] Added topic describing the inbox WDAC policies

---
 .../TOC.yml                                   |  6 ++-
 .../operations/inbox-wdac-policies.md         | 45 +++++++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies.md

diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index cacb1ef857..eda6b8332a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -107,10 +107,10 @@
 - name: WDAC operational guide
   href: windows-defender-application-control-operational-guide.md
   items:
-    - name: Understanding Application Control event tags
-      href: event-tag-explanations.md
     - name: Understanding Application Control event IDs
       href: event-id-explanations.md
+    - name: Understanding Application Control event tags
+      href: event-tag-explanations.md
     - name: Query WDAC events with Advanced hunting
       href: querying-application-control-events-centrally-using-advanced-hunting.md
     - name: Known Issues
@@ -119,6 +119,8 @@
       href: configure-wdac-managed-installer.md
     - name: CITool.exe technical reference
       href: operations/citool-commands.md
+    - name: Inbox WDAC policies
+      href: operations/inbox-wdac-policies.md
 - name: WDAC AppId Tagging guide
   href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
   items:
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies.md b/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies.md
new file mode 100644
index 0000000000..3ade157db4
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies.md
@@ -0,0 +1,45 @@
+---
+title: Inbox WDAC policies
+description: This article describes the inbox WDAC policies that may be active on a device.
+keywords: security, malware
+ms.prod: windows-client
+audience: ITPro
+author: jsuther1974
+ms.reviewer: jogeurte
+ms.author: jogeurte
+ms.manager: jsuther
+manager: aaroncz
+ms.date: 03/10/2023
+ms.technology: itpro-security
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Inbox WDAC policies
+
+**Applies to:**
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+
+This article describes the Windows Defender Application Control (WDAC) policies that ship inbox with Windows and may be active on your devices. To see which policies are active on your device, use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) or check the *CodeIntegrity - Operational* event log for 3099 policy activation events.
+
+## Inbox WDAC Policies
+
+| **Policy Name** | **Policy ID** | **Policy Type** | **Description** |
+|-----------|-----------|-----------|-----------|
+| **Microsoft Windows Driver Policy** | {d2bda982-ccf6-4344-ac5b-0b44427b6816} | Kernel-only Base policy | This policy blocks known [vulnerable or malicious kernel drivers](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules). It's active by default on Windows 11 22H2, [Windows in S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85), [Windows 11 SE](/education/windows/windows-11-se-overview), and anywhere [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity (HVCI)) is on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\driversipolicy.p7b` and in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\driversipolicy.p7b`. |
+| **Windows10S_Lockdown_Policy_Supplementable** | {5951a96a-e0b5-4d3d-8fb8-3e5b61030784} | Base policy | This policy is active on devices running [Windows in S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). Its policy binary file is found in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\winsipolicy.p7b`. |
+| **WindowsE_Lockdown_Policy** | {82443e1e-8a39-4b4a-96a8-f40ddc00b9f3} | Base policy | This policy is active on devices running [Windows 11 SE](/education/windows/windows-11-se-overview). Its policy binary file is found in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\CIPolicies\Active\{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}.cip`. |
+| **WindowsE_Lockdown_Flight_Policy_Supplemental** | {5dac656c-21ad-4a02-ab49-649917162e70} | Supplemental policy | This policy is active on devices running [Windows 11 SE](/education/windows/windows-11-se-overview) that are enrolled in the [Windows Insider](https://insider.windows.com) program. Its policy binary file is found in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\CIPolicies\Active\{5dac656c-21ad-4a02-ab49-649917162e70}.cip`. |
+| **WindowsE_Lockdown_Test_Policy_Supplemental** | {CDD5CB55-DB68-4D71-AA38-3DF2B6473A52} | Supplemental policy | This policy is active on devices running [Windows 11 SE](/education/windows/windows-11-se-overview) with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found in the EFI system partition at `<EFI System Partition>\Microsoft\Boot\CIPolicies\Active\{CDD5CB55-DB68-4D71-AA38-3DF2B6473A52}.cip`. |
+| **VerifiedAndReputableDesktop** | {0283ac0f-fff1-49ae-ada1-8a933130cad6} | Base policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) turned on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{0283ac0f-fff1-49ae-ada1-8a933130cad6}.cip`. |
+| **VerifiedAndReputableDesktopFlightSupplemental** | {1678656c-05ef-481f-bc5b-ebd8c991502d} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) turned on and enrolled in the [Windows Insider](https://insider.windows.com) program. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{1678656c-05ef-481f-bc5b-ebd8c991502d}.cip`. |
+| **VerifiedAndReputableDesktopTestSupplemental** | {0939ED82-BFD5-4D32-B58E-D31D3C49715A} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) turned on and with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{0939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip`. |
+| **VerifiedAndReputableDesktopEvaluation** | {1283ac0f-fff1-49ae-ada1-8a933130cad6} | Base policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) in *evaluation mode*. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{1283ac0f-fff1-49ae-ada1-8a933130cad6}.cip`. |
+| **VerifiedAndReputableDesktopEvaluationFlightSupplemental** | {2678656c-05ef-481f-bc5b-ebd8c991502d} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) in *evaluation mode* and enrolled in the [Windows Insider](https://insider.windows.com) program. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{2678656c-05ef-481f-bc5b-ebd8c991502d}.cip`. |
+| **VerifiedAndReputableDesktopEvaluationTestSupplemental** | {1939ED82-BFD5-4D32-B58E-D31D3C49715A} | Supplemental policy | This policy is active on devices running Windows 11 with [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) in *evaluation mode* and with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found at `%windir%\System32\CodeIntegrity\CIPolicies\Active\{1939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip`. |

From 3e2d0d266854819e50de4a9ae95fb61dcec9b9ff Mon Sep 17 00:00:00 2001
From: Angela Fleischmann <v-angelaf@microsoft.com>
Date: Fri, 10 Mar 2023 14:15:01 -0700
Subject: [PATCH 19/22] Apply suggestions from code review

Line 35: Delete extra space.
---
 .../hello-for-business/hello-feature-dynamic-lock.md            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 9268eb6f52..5fea59fc25 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -32,7 +32,7 @@ The Group Policy Editor, when the policy is enabled, creates a default signal ru
 >[!IMPORTANT]
 >Microsoft recommends using the default values for this policy settings.  Measurements are relative based on the varying conditions of each environment.  Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
 
-For this policy setting, the **type** and **scenario** attribute values are static and can't change.  The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
+For this policy setting, the **type** and **scenario** attribute values are static and can't change. The **classofDevice** is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
 
 |Description|Value|
 |:-------------|:-------:|

From c0b7abffb8c1c1b7ccf895ed8be2b47d50e18f2a Mon Sep 17 00:00:00 2001
From: jsuther1974 <jsuther@microsoft.com>
Date: Fri, 10 Mar 2023 14:59:01 -0800
Subject: [PATCH 20/22] Update delete-an-applocker-rule.md

---
 .../applocker/delete-an-applocker-rule.md     | 60 +++++++++----------
 1 file changed, 27 insertions(+), 33 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index ca59bdbda8..29e96b0c68 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -13,7 +13,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
 ms.topic: conceptual
-ms.date: 11/09/2020
+ms.date: 03/10/2023
 ms.technology: itpro-security
 ---
 
@@ -28,65 +28,59 @@ ms.technology: itpro-security
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
-This article for IT professionals describes the steps to delete an AppLocker rule. 
+This article for IT professionals describes the steps to delete an AppLocker rule.
 
-As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running.
+As older apps are retired and new apps are deployed in your organization, it's necessary to modify the application control policies. If an app is no longer supported by your organization, then deleting the rule or rules associated with that app prevents the app from running.
 
 For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
 
-You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer 
-AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
+You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
 
-These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy won't override those settings.
+These steps apply only for locally managed devices. Any AppLocker policies delivered through MDM or Group Policy must be removed using those tools.
 
 ## To delete a rule in an AppLocker policy
 
-1.  Open the AppLocker console.
-2.  Click the appropriate rule collection for which you want to delete the rule.
-3.  In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**.
+1. Open the AppLocker console.
+2. Select the appropriate rule collection for which you want to delete the rule.
+3. In the details pane, right-click the rule to delete, select **Delete**, and then select **Yes**.
 
-> [!Note]
+> [!NOTE]
+>
 > - When using Group Policy, the Group Policy Object must be distributed or refreshed for rule deletion to take effect on devices.
-> - Application Identity service needs to be running for deleting Applocker rules. If you disable Applocker and delete Applocker rules, make sure to stop the Application Identity service after deleting Applocker rules. If the Application Identity service is stopped before deleting Applocker rules, and if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`. 
+> - Application Identity service needs to be running for deleting Applocker rules. If you disable Applocker and delete Applocker rules, make sure to stop the Application Identity service after deleting Applocker rules. If the Application Identity service is stopped before deleting Applocker rules, and if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`.
 
 When the following procedure is performed on the local device, the AppLocker policy takes effect immediately.
 
 ## To clear AppLocker policies on a single system or remote systems
-Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents:
 
-```xml
-<AppLockerPolicy Version="1">
-    <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
-    <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
-    <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
-    <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
-    <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
-    <RuleCollection Type="ManagedInstaller" EnforcementMode="NotConfigured" />
-</AppLockerPolicy>
-```
-
-To use the Set-AppLockerPolicy cmdlet, first import the AppLocker modules:
+First import the AppLocker modules for PowerShell:
 
 ```powershell
 PS C:\Users\Administrator> import-module AppLocker
 ```
 
-We'll create a file (for example, clear.xml), place it in the same directory where we're executing our cmdlet, and add the preceding XML contents. Then run the following command:
+Create a file called clear.xml with the following XML content and save it to your desktop.
 
-```powershell
-C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml
+```xml
+<AppLockerPolicy Version="1" />
 ```
 
-This command will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access.
+Then run the following command from an elevated PowerShell session to remove all local AppLocker policies from the device:
 
-The following PowerShell commands must also be run to stop the AppLocker services and the effects of the former AppLocker policy.
+```powershell
+C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy $env:USERPROFILE\Desktop\clear.xml
+```
+
+Run the following PowerShell commands to stop the AppLocker services and change their startup configuration.
 
 ```powershell
 appidtel.exe stop [-mionly]
 sc.exe config appid start=demand
 sc.exe config appidsvc start=demand
 sc.exe config applockerfltr start=demand
-sc stop applockerfltr
-sc stop appidsvc
-sc stop appid
-```
\ No newline at end of file
+sc.exe stop applockerfltr
+sc.exe stop appidsvc
+sc.exe stop appid
+```
+
+All of these steps can be run on a single machine or deployed as a script to multiple devices.

From 2292b0c7cf7f91caa96cc5d9b6c61cc57f1233b6 Mon Sep 17 00:00:00 2001
From: jsuther1974 <jsuther@microsoft.com>
Date: Fri, 10 Mar 2023 15:06:19 -0800
Subject: [PATCH 21/22] Update delete-an-applocker-rule.md

---
 .../applocker/delete-an-applocker-rule.md                       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index 29e96b0c68..3d51267223 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -28,7 +28,7 @@ ms.technology: itpro-security
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
 
-This article for IT professionals describes the steps to delete an AppLocker rule.
+This article for IT professionals describes the steps to delete AppLocker rules.
 
 As older apps are retired and new apps are deployed in your organization, it's necessary to modify the application control policies. If an app is no longer supported by your organization, then deleting the rule or rules associated with that app prevents the app from running.
 

From 5850e7e9f3b0720d24509cf09d87bf846188c30f Mon Sep 17 00:00:00 2001
From: Office Content Publishing
 <34616516+officedocspr@users.noreply.github.com>
Date: Sat, 11 Mar 2023 23:31:43 -0800
Subject: [PATCH 22/22] Uploaded file: education-content-updates.md -
 2023-03-11 23:31:43.6235

---
 education/includes/education-content-updates.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index bcc60c501f..e9d3004423 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,6 +2,19 @@
 

 
 
+## Week of March 06, 2023
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 3/8/2023 | Change to Windows 10 Education from Windows 10 Pro | removed |
+| 3/8/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
+| 3/8/2023 | Enable S mode on Surface Go devices for Education | removed |
+| 3/8/2023 | Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode | removed |
+| 3/8/2023 | Test Windows 10 in S mode on existing Windows 10 education devices | removed |
+| 3/9/2023 | [Windows for Education documentation](/education/windows/index) | modified |
+
+
 ## Week of February 27, 2023