From ded9d2b99a009a8ff0754fc894ab7b816366d694 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Mon, 11 Oct 2021 14:45:25 +0100 Subject: [PATCH 001/104] 21H2 updates --- ...-diagnostic-data-events-and-fields-2004.md | 144 +++++++++++++++++- windows/privacy/toc.yml | 2 +- 2 files changed, 141 insertions(+), 5 deletions(-) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 535d41535f..b217232fd4 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1,6 +1,6 @@ --- description: Use this article to learn more about what required Windows diagnostic data is gathered. -title: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) +title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 10/04/2021 +ms.date: --- -# Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields +# Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields > [!IMPORTANT] @@ -26,10 +26,12 @@ ms.date: 10/04/2021 **Applies to** +- Windows 10, version 21H2 - Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 2004 + Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. Required diagnostic data helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -63,6 +65,8 @@ The following fields are available: - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. @@ -76,6 +80,8 @@ The following fields are available: - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. @@ -91,6 +97,8 @@ The following fields are available: - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. @@ -106,6 +114,8 @@ The following fields are available: - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -119,6 +129,8 @@ The following fields are available: - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -132,6 +144,8 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -145,6 +159,8 @@ The following fields are available: - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. @@ -160,6 +176,8 @@ The following fields are available: - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. @@ -173,6 +191,8 @@ The following fields are available: - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. @@ -188,6 +208,8 @@ The following fields are available: - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. @@ -203,6 +225,8 @@ The following fields are available: - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -216,6 +240,8 @@ The following fields are available: - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -229,6 +255,8 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -242,6 +270,8 @@ The following fields are available: - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. @@ -254,6 +284,8 @@ The following fields are available: - **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device. - **DecisionSModeState_21H1** The total number of objects of this type present on this device. - **DecisionSModeState_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. - **DecisionSModeState_RS1** The total number of objects of this type present on this device. - **DecisionSModeState_RS2** The total number of objects of this type present on this device. - **DecisionSModeState_RS3** The total number of objects of this type present on this device. @@ -267,6 +299,8 @@ The following fields are available: - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. @@ -281,6 +315,8 @@ The following fields are available: - **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. @@ -293,6 +329,8 @@ The following fields are available: - **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. @@ -305,6 +343,8 @@ The following fields are available: - **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. @@ -317,6 +357,7 @@ The following fields are available: - **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. @@ -329,6 +370,8 @@ The following fields are available: - **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. @@ -341,6 +384,8 @@ The following fields are available: - **DecisionTest_20H1Setup** The total number of objects of this type present on this device. - **DecisionTest_21H1** The total number of objects of this type present on this device. - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_21H2** The total number of objects of this type present on this device. +- **DecisionTest_21H2Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **DecisionTest_RS2** The total number of objects of this type present on this device. - **DecisionTest_RS3** The total number of objects of this type present on this device. @@ -353,6 +398,8 @@ The following fields are available: - **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. @@ -365,6 +412,8 @@ The following fields are available: - **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. @@ -395,6 +444,8 @@ The following fields are available: - **Wmdrm_20H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H1** The total number of objects of this type present on this device. - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H2** The total number of objects of this type present on this device. +- **Wmdrm_21H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -2446,6 +2497,7 @@ The following fields are available: - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + ## Component-based servicing events ### CbsServicingProvider.CbsCapabilityEnumeration @@ -2978,6 +3030,7 @@ The following fields are available: - **DriverInfSectionName** Name of the DDInstall section within the driver INF file. - **DriverPackageId** The ID of the driver package that is staged to the driver store. - **DriverProvider** The driver manufacturer or provider. +- **DriverShimIds** List of driver shim IDs. - **DriverUpdated** Indicates whether the driver is replacing an old driver. - **DriverVersion** The version of the driver file. - **EndTime** The time the installation completed. @@ -4375,7 +4428,7 @@ The following fields are available: - **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -4665,6 +4718,38 @@ The following fields are available: - **Ver** Schema version. +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on. +- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%). +- **ComponentId** Component ID. +- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC. +- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up. +- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially. +- **CTTStartDateInSeconds** Start date from when device was starting to be used. +- **currentAuthenticationState** Current Authentication State. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **newSnFruUpdateCount** New Sn FRU Update Count. +- **newSnUpdateCount** New Sn Update Count. +- **ProductId** Product ID. +- **ProtectionPolicy** Battery limit engaged. True (0 False). +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. +- **VoltageOptimization** Current CTT reduction in mV. + + ### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. @@ -4767,6 +4852,28 @@ The following fields are available: - **SamResetCause** SAM reset cause. +### Microsoft.Windows.Shell.SystemSettings.SettingsAppActivity.ProtocolActivation + +This event tracks protocol launching for Setting's URIs. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **activationSource** Where activation is initiated. +- **uriString** URI of the launching protocol. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult + +This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + ### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. @@ -4786,11 +4893,25 @@ The following fields are available: - **UpdateAssistantPartnerId** Partner Id for Assistant application. - **UpdateAssistantReportPath** Path to report for Update Assistant. - **UpdateAssistantStartTime** Start time for UpdateAssistant. +- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version. - **UpdateAssistantUiType** The type of UI whether default or OOBE. - **UpdateAssistantVersion** Current package version of UpdateAssistant. - **UpdateAssistantVersionInfo** Information about Update Assistant application. +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty + +This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA. +- **UpdateAssistantEULAPropertyRegion** Region used to show EULA. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + ### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. @@ -4806,6 +4927,21 @@ The following fields are available: - **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. - **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. - **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails + +This event provides details about user action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. +- **UpdateAssistantUserActionHResult** HRESULT of user action. +- **UpdateAssistantUserActionState** State name user performed action on. - **UpdateAssistantVersion** Current package version of UpdateAssistant. diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index 96516c4786..3d5cadea67 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -17,7 +17,7 @@ items: - name: Required Windows 11 diagnostic data events and fields href: required-windows-11-diagnostic-events-and-fields.md - - name: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields + - name: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields href: required-windows-diagnostic-data-events-and-fields-2004.md - name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields href: basic-level-windows-diagnostic-events-and-fields-1903.md From dfa807acf55e39c2f03d4a93616ed6ccb4fa4c41 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 12 Oct 2021 10:29:14 +0100 Subject: [PATCH 002/104] Update basic-level-windows-diagnostic-events-and-fields-1903.md --- ...ndows-diagnostic-events-and-fields-1903.md | 205 +++++++++++------- 1 file changed, 128 insertions(+), 77 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index d9cf6ceee1..38e89bc8e6 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: --- @@ -277,6 +277,8 @@ The following fields are available: - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. @@ -290,6 +292,8 @@ The following fields are available: - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. @@ -306,6 +310,8 @@ The following fields are available: - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. @@ -322,6 +328,8 @@ The following fields are available: - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -335,6 +343,8 @@ The following fields are available: - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -348,6 +358,8 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -362,6 +374,8 @@ The following fields are available: - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. @@ -378,6 +392,8 @@ The following fields are available: - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. @@ -391,6 +407,8 @@ The following fields are available: - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. @@ -407,6 +425,8 @@ The following fields are available: - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. @@ -423,6 +443,8 @@ The following fields are available: - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -436,6 +458,8 @@ The following fields are available: - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -449,6 +473,8 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -462,6 +488,8 @@ The following fields are available: - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. @@ -469,17 +497,19 @@ The following fields are available: - **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH1** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. -- **DecisionSModeState_19H1** The total number of objects of this type present on this device. +- **DecisionSModeState_19H1** The total number of objects of this type present on this device. - **DecisionSModeState_20H1** The total number of objects of this type present on this device. - **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device. - **DecisionSModeState_21H1** The total number of objects of this type present on this device. -- **DecisionSModeState_RS1** The total number of objects of this type present on this device. -- **DecisionSModeState_RS2** The total number of objects of this type present on this device. -- **DecisionSModeState_RS3** The total number of objects of this type present on this device. -- **DecisionSModeState_RS4** The total number of objects of this type present on this device. -- **DecisionSModeState_RS5** The total number of objects of this type present on this device. -- **DecisionSModeState_TH1** The total number of objects of this type present on this device. -- **DecisionSModeState_TH2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_RS1** The total number of objects of this type present on this device. +- **DecisionSModeState_RS2** The total number of objects of this type present on this device. +- **DecisionSModeState_RS3** The total number of objects of this type present on this device. +- **DecisionSModeState_RS4** The total number of objects of this type present on this device. +- **DecisionSModeState_RS5** The total number of objects of this type present on this device. +- **DecisionSModeState_TH1** The total number of objects of this type present on this device. +- **DecisionSModeState_TH2** The total number of objects of this type present on this device. - **DecisionSystemBios_19ASetup** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. @@ -487,6 +517,8 @@ The following fields are available: - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. @@ -497,67 +529,79 @@ The following fields are available: - **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_TH1** The total number of objects of this type present on this device. - **DecisionSystemBios_TH2** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_20H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device. -- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_20H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device. -- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device. - **DecisionSystemProcessor_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device. - **DecisionTest_19H1** The total number of objects of this type present on this device. - **DecisionTest_20H1** The total number of objects of this type present on this device. - **DecisionTest_20H1Setup** The total number of objects of this type present on this device. - **DecisionTest_21H1** The total number of objects of this type present on this device. - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_21H2** The total number of objects of this type present on this device. +- **DecisionTest_21H2Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **DecisionTest_RS2** The total number of objects of this type present on this device. - **DecisionTest_RS3** The total number of objects of this type present on this device. @@ -565,28 +609,32 @@ The following fields are available: - **DecisionTest_RS5** The total number of objects of this type present on this device. - **DecisionTest_TH1** The total number of objects of this type present on this device. - **DecisionTest_TH2** The total number of objects of this type present on this device. -- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_20H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device. -- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_20H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device. - **InventoryApplicationFile** The total number of objects of this type present on this device. - **InventoryDeviceContainer** The total number of objects of this type present on this device. - **InventoryDevicePnp** The total number of objects of this type present on this device. @@ -616,6 +664,8 @@ The following fields are available: - **Wmdrm_20H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H1** The total number of objects of this type present on this device. - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H2** The total number of objects of this type present on this device. +- **Wmdrm_21H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -4237,6 +4287,7 @@ The following fields are available: - **DriverInfSectionName** Name of the DDInstall section within the driver INF file. - **DriverPackageId** The ID of the driver package that is staged to the driver store. - **DriverProvider** The driver manufacturer or provider. +- **DriverShimIds** List of driver shim IDs. - **DriverUpdated** Indicates whether the driver is replacing an old driver. - **DriverVersion** The version of the driver file. - **EndTime** The time the installation completed. @@ -4614,13 +4665,13 @@ The following fields are available: - **Generic** A count of generic objects in cache. - **HwItem** A count of hwitem objects in cache. - **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health records in cache. -- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version elements in cache +- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version elements in cache. - **InventoryApplication** A count of application objects in cache. - **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationDriver** A count of application driver objects in cache. - **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryApplicationFramework** A count of application framework objects in cache. +- **InventoryApplicationShortcut** A count of application shortcut objects in cache. - **InventoryDeviceContainer** A count of device container objects in cache. - **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. - **InventoryDeviceMediaClass** A count of device media objects in cache. @@ -4631,14 +4682,14 @@ The following fields are available: - **InventoryDriverPackage** A count of device objects in cache. - **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache - **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache. +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache. +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache. +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache. +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache. +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache. +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache. +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache. - **InventoryVersion** The version of the inventory binary generating the events. - **Metadata** A count of metadata objects in cache. - **Orphan** A count of orphan file objects in cache. From ed60c2e7926d9d4789679767120a114ed17dc882 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 12 Oct 2021 11:15:57 +0100 Subject: [PATCH 003/104] 21H2 updates --- .../basic-level-windows-diagnostic-events-and-fields-1703.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1709.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1803.md | 3 +-- .../basic-level-windows-diagnostic-events-and-fields-1809.md | 3 +-- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 16e94c4bd9..ef66a270df 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index fe2e57d529..02eadda8ef 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 27ad38b904..ff6bf7d93d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -44,7 +44,6 @@ You can learn more about Windows functional and diagnostic data through these ar - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index e45351e107..ba9fcdb1ad 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -24,7 +24,6 @@ ms.reviewer: - Windows 10, version 1809 - The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. From 0159d84c56b236f6515b3e823e5532cfbaf6e1ae Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 12 Oct 2021 11:23:11 +0100 Subject: [PATCH 004/104] version update --- .../basic-level-windows-diagnostic-events-and-fields-1703.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1709.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1803.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1809.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- .../privacy/required-windows-11-diagnostic-events-and-fields.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index ef66a270df..a2c09c70c3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -34,7 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 02eadda8ef..234c81b398 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -34,7 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index ff6bf7d93d..c1edecf7c1 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -34,7 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index ba9fcdb1ad..c3d759b73a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 38e89bc8e6..2448fdc4f6 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -39,7 +39,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 246577e395..728704a57e 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -36,7 +36,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) From aa9335cefcc47a7a1a192779cbbf1aa34a630a71 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 14 Oct 2021 11:54:04 +0100 Subject: [PATCH 005/104] Update windows-diagnostic-data.md --- windows/privacy/windows-diagnostic-data.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 11c346e2e5..32e8f6917f 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -19,6 +19,8 @@ ms.reviewer: Applies to: - Windows 11 +- Windows 10, version 21H2 +- Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 2004 - Windows 10, version 1909 From 8908e3730d4699ab7dfce7727789f368831fbefd Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 19 Oct 2021 13:06:18 -0700 Subject: [PATCH 006/104] found homes for the other events --- ...ndows-diagnostic-events-and-fields-1709.md | 16 - ...ndows-diagnostic-events-and-fields-1803.md | 19 +- ...ndows-diagnostic-events-and-fields-1809.md | 46 +- ...ndows-diagnostic-events-and-fields-1903.md | 114 ++-- ...-diagnostic-data-events-and-fields-2004.md | 521 +++++++++--------- 5 files changed, 338 insertions(+), 378 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 234c81b398..2c105c0127 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -3029,22 +3029,6 @@ The following fields are available: - **winInetError** The HResult of the operation. - -## Other events - -### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties - -This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. - -The following fields are available: - -- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. -- **nodeOperatingSystem** A user friendly description of the node's OS version. -- **nodeOSVersion** A major or minor build version string for the node's OS. -- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. -- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. - - ## Privacy logging notification events ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index c1edecf7c1..89feae1164 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -4369,14 +4369,6 @@ The following fields are available: ## Other events -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. ## Privacy consent logging events @@ -5472,6 +5464,17 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + ## Update Assistant events diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index c3d759b73a..e170e13dbe 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -5789,36 +5789,6 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. - -## Other events - -### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties - -This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. - -The following fields are available: - -- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. -- **nodeOperatingSystem** A user friendly description of the node's OS version. -- **nodeOSVersion** A major or minor build version string for the node's OS. -- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. -- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Size of the battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -7028,6 +6998,22 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + ## System Resource Usage Monitor events diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 2448fdc4f6..7cd176eb53 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -5947,27 +5947,6 @@ The following fields are available: - **ModelName** Windows Mixed Reality device model name. - **SerialNumber** Windows Mixed Reality device serial number. - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -## Other events - ### Microsoft.ML.ONNXRuntime.ProcessInfo This event collects information when an application loads ONNXRuntime.dll. The data collected with this event is used to keep Windows product and service performing properly. @@ -5992,21 +5971,52 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. +## OneDrive events -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. +This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. The following fields are available: -- **batteryData** Hardware level data about battery performance. -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +## Update Assistant events ### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked @@ -6387,37 +6397,6 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -## Quality Update Assistant events - ### Microsoft.Windows.QualityUpdateAssistant.Applicability This event sends basic info on whether the device should be updated to the latest cumulative update. The data collected with this event is used to help keep Windows up to date and secure. @@ -7088,6 +7067,19 @@ The following fields are available: - **healthLogSize** 4KB. - **productId** Identifier for product model. +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Hardware level data about battery performance. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. ## System reset events diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index b217232fd4..962dca9a2d 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -4671,186 +4671,7 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. - -## Other events - -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **batteryData** Battery Performance data. -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Size of the battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. -- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? -- **BPMHvtCountA** Current HVT count for BPM counter A. -- **BPMHvtCountB** Current HVT count for BPM counter B. -- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. -- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMTotalEngagedMinutes** Total time that BPM was engaged. -- **BPMTotalEntryEvents** Total number of times entering BPM. -- **ComponentId** Component ID. -- **FwVersion** FW version that created this log. -- **LogClass** Log Class. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** Log MGR version. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **ProductId** Product ID. -- **SeqNum** Sequence Number. -- **TimeStamp** UTC seconds when log was created. -- **Ver** Schema version. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on. -- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%). -- **ComponentId** Component ID. -- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC. -- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up. -- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially. -- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially. -- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially. -- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially. -- **CTTStartDateInSeconds** Start date from when device was starting to be used. -- **currentAuthenticationState** Current Authentication State. -- **FwVersion** FW version that created this log. -- **LogClass** Log Class. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** Log MGR version. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **newSnFruUpdateCount** New Sn FRU Update Count. -- **newSnUpdateCount** New Sn Update Count. -- **ProductId** Product ID. -- **ProtectionPolicy** Battery limit engaged. True (0 False). -- **SeqNum** Sequence Number. -- **TimeStamp** UTC seconds when log was created. -- **Ver** Schema version. -- **VoltageOptimization** Current CTT reduction in mV. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **cbTimeCell_Values** cb time for different cells. -- **ComponentId** Component ID. -- **cycleCount** Cycle Count. -- **deltaVoltage** Delta voltage. -- **eocChargeVoltage_Values** EOC Charge voltage values. -- **fullChargeCapacity** Full Charge Capacity. -- **FwVersion** FW version that created this log. -- **lastCovEvent** Last Cov event. -- **lastCuvEvent** Last Cuv event. -- **LogClass** LOG_CLASS. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** LOG_MGR_VERSION. -- **manufacturerName** Manufacturer name. -- **maxChargeCurrent** Max charge current. -- **maxDeltaCellVoltage** Max delta cell voltage. -- **maxDischargeCurrent** Max discharge current. -- **maxTempCell** Max temp cell. -- **maxVoltage_Values** Max voltage values. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **minTempCell** Min temp cell. -- **minVoltage_Values** Min voltage values. -- **numberOfCovEvents** Number of Cov events. -- **numberOfCuvEvents** Number of Cuv events. -- **numberOfOCD1Events** Number of OCD1 events. -- **numberOfOCD2Events** Number of OCD2 events. -- **numberOfQmaxUpdates** Number of Qmax updates. -- **numberOfRaUpdates** Number of Ra updates. -- **numberOfShutdowns** Number of shutdowns. -- **pfStatus_Values** pf status values. -- **ProductId** Product ID. -- **qmax_Values** Qmax values for different cells. -- **SeqNum** Sequence Number. -- **TimeStamp** UTC seconds when log was created. -- **Ver** Schema version. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **avgCurrLastRun** Average current last run. -- **avgPowLastRun** Average power last run. -- **batteryMSPN** BatteryMSPN -- **batteryMSSN** BatteryMSSN. -- **cell0Ra3** Cell0Ra3. -- **cell1Ra3** Cell1Ra3. -- **cell2Ra3** Cell2Ra3. -- **cell3Ra3** Cell3Ra3. -- **ComponentId** Component ID. -- **currentAtEoc** Current at Eoc. -- **firstPFstatusA** First PF status-A. -- **firstPFstatusB** First PF status-B. -- **firstPFstatusC** First PF status-C. -- **firstPFstatusD** First PF status-D. -- **FwVersion** FW version that created this log. -- **lastQmaxUpdate** Last Qmax update. -- **lastRaDisable** Last Ra disable. -- **lastRaUpdate** Last Ra update. -- **lastValidChargeTerm** Last valid charge term. -- **LogClass** LOG CLASS. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** LOG MGR VERSION. -- **maxAvgCurrLastRun** Max average current last run. -- **maxAvgPowLastRun** Max average power last run. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **mfgInfoBlockB01** MFG info Block B01. -- **mfgInfoBlockB02** MFG info Block B02. -- **mfgInfoBlockB03** MFG info Block B03. -- **mfgInfoBlockB04** MFG info Block B04. -- **numOfRaDisable** Number of Ra disable. -- **numOfValidChargeTerm** Number of valid charge term. -- **ProductId** Product ID. -- **qmaxCycleCount** Qmax cycle count. -- **SeqNum** Sequence Number. -- **stateOfHealthEnergy** State of health energy. -- **stateOfHealthFcc** State of health Fcc. -- **stateOfHealthPercent** State of health percent. -- **TimeStamp** UTC seconds when log was created. -- **totalFwRuntime** Total FW runtime. -- **updateStatus** Update status. -- **Ver** Schema version. - - -### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 - -This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **HostResetCause** Host reset cause. -- **PchResetCause** PCH reset cause. -- **SamResetCause** SAM reset cause. - +## Settings events ### Microsoft.Windows.Shell.SystemSettings.SettingsAppActivity.ProtocolActivation @@ -4862,89 +4683,6 @@ The following fields are available: - **uriString** URI of the launching protocol. -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult - -This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation - -This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantAppFilePath** Path to Update Assistant app. -- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. -- **UpdateAssistantExeName** Exe name running as Update Assistant. -- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. -- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. -- **UpdateAssistantIsPushing** True if the update is pushing to the device. -- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. -- **UpdateAssistantOsVersion** Update Assistant OS Version. -- **UpdateAssistantPartnerId** Partner Id for Assistant application. -- **UpdateAssistantReportPath** Path to report for Update Assistant. -- **UpdateAssistantStartTime** Start time for UpdateAssistant. -- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version. -- **UpdateAssistantUiType** The type of UI whether default or OOBE. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. -- **UpdateAssistantVersionInfo** Information about Update Assistant application. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty - -This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA. -- **UpdateAssistantEULAPropertyRegion** Region used to show EULA. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState - -This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. -- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat -- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. -- **UpdateAssistantStateDownloading** True at the start Downloading. -- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. -- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. -- **UpdateAssistantStateInstalling** True at the start of Installing. -- **UpdateAssistantStatePostInstall** True at the start of PostInstall. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails - -This event provides details about user action. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. -- **UpdateAssistantUserActionHResult** HRESULT of user action. -- **UpdateAssistantUserActionState** State name user performed action on. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -5547,6 +5285,182 @@ The following fields are available: - **healthLogSize** 4KB. - **productId** Identifier for product model. +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Battery Performance data. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. +- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? +- **BPMHvtCountA** Current HVT count for BPM counter A. +- **BPMHvtCountB** Current HVT count for BPM counter B. +- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. +- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMTotalEngagedMinutes** Total time that BPM was engaged. +- **BPMTotalEntryEvents** Total number of times entering BPM. +- **ComponentId** Component ID. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **ProductId** Product ID. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on. +- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%). +- **ComponentId** Component ID. +- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC. +- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up. +- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially. +- **CTTStartDateInSeconds** Start date from when device was starting to be used. +- **currentAuthenticationState** Current Authentication State. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **newSnFruUpdateCount** New Sn FRU Update Count. +- **newSnUpdateCount** New Sn Update Count. +- **ProductId** Product ID. +- **ProtectionPolicy** Battery limit engaged. True (0 False). +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. +- **VoltageOptimization** Current CTT reduction in mV. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **cbTimeCell_Values** cb time for different cells. +- **ComponentId** Component ID. +- **cycleCount** Cycle Count. +- **deltaVoltage** Delta voltage. +- **eocChargeVoltage_Values** EOC Charge voltage values. +- **fullChargeCapacity** Full Charge Capacity. +- **FwVersion** FW version that created this log. +- **lastCovEvent** Last Cov event. +- **lastCuvEvent** Last Cuv event. +- **LogClass** LOG_CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG_MGR_VERSION. +- **manufacturerName** Manufacturer name. +- **maxChargeCurrent** Max charge current. +- **maxDeltaCellVoltage** Max delta cell voltage. +- **maxDischargeCurrent** Max discharge current. +- **maxTempCell** Max temp cell. +- **maxVoltage_Values** Max voltage values. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **minTempCell** Min temp cell. +- **minVoltage_Values** Min voltage values. +- **numberOfCovEvents** Number of Cov events. +- **numberOfCuvEvents** Number of Cuv events. +- **numberOfOCD1Events** Number of OCD1 events. +- **numberOfOCD2Events** Number of OCD2 events. +- **numberOfQmaxUpdates** Number of Qmax updates. +- **numberOfRaUpdates** Number of Ra updates. +- **numberOfShutdowns** Number of shutdowns. +- **pfStatus_Values** pf status values. +- **ProductId** Product ID. +- **qmax_Values** Qmax values for different cells. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **avgCurrLastRun** Average current last run. +- **avgPowLastRun** Average power last run. +- **batteryMSPN** BatteryMSPN +- **batteryMSSN** BatteryMSSN. +- **cell0Ra3** Cell0Ra3. +- **cell1Ra3** Cell1Ra3. +- **cell2Ra3** Cell2Ra3. +- **cell3Ra3** Cell3Ra3. +- **ComponentId** Component ID. +- **currentAtEoc** Current at Eoc. +- **firstPFstatusA** First PF status-A. +- **firstPFstatusB** First PF status-B. +- **firstPFstatusC** First PF status-C. +- **firstPFstatusD** First PF status-D. +- **FwVersion** FW version that created this log. +- **lastQmaxUpdate** Last Qmax update. +- **lastRaDisable** Last Ra disable. +- **lastRaUpdate** Last Ra update. +- **lastValidChargeTerm** Last valid charge term. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **maxAvgCurrLastRun** Max average current last run. +- **maxAvgPowLastRun** Max average power last run. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **mfgInfoBlockB01** MFG info Block B01. +- **mfgInfoBlockB02** MFG info Block B02. +- **mfgInfoBlockB03** MFG info Block B03. +- **mfgInfoBlockB04** MFG info Block B04. +- **numOfRaDisable** Number of Ra disable. +- **numOfValidChargeTerm** Number of valid charge term. +- **ProductId** Product ID. +- **qmaxCycleCount** Qmax cycle count. +- **SeqNum** Sequence Number. +- **stateOfHealthEnergy** State of health energy. +- **stateOfHealthFcc** State of health Fcc. +- **stateOfHealthPercent** State of health percent. +- **TimeStamp** UTC seconds when log was created. +- **totalFwRuntime** Total FW runtime. +- **updateStatus** Update status. +- **Ver** Schema version. + + +### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 + +This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **HostResetCause** Host reset cause. +- **PchResetCause** PCH reset cause. +- **SamResetCause** SAM reset cause. ## Update Assistant events @@ -6024,6 +5938,87 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult + +This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation + +This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantAppFilePath** Path to Update Assistant app. +- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. +- **UpdateAssistantExeName** Exe name running as Update Assistant. +- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. +- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. +- **UpdateAssistantIsPushing** True if the update is pushing to the device. +- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. +- **UpdateAssistantOsVersion** Update Assistant OS Version. +- **UpdateAssistantPartnerId** Partner Id for Assistant application. +- **UpdateAssistantReportPath** Path to report for Update Assistant. +- **UpdateAssistantStartTime** Start time for UpdateAssistant. +- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version. +- **UpdateAssistantUiType** The type of UI whether default or OOBE. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **UpdateAssistantVersionInfo** Information about Update Assistant application. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty + +This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA. +- **UpdateAssistantEULAPropertyRegion** Region used to show EULA. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. +- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat +- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails + +This event provides details about user action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. +- **UpdateAssistantUserActionHResult** HRESULT of user action. +- **UpdateAssistantUserActionState** State name user performed action on. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. ## Update events From 78602e2c884e4b411b70f24808f7be3369f9d805 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 20 Oct 2021 13:52:42 +0100 Subject: [PATCH 007/104] Update required-windows-diagnostic-data-events-and-fields-2004.md --- .../required-windows-diagnostic-data-events-and-fields-2004.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 962dca9a2d..5c6f22d52c 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -6003,7 +6003,10 @@ The following fields are available: - **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. - **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. - **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePerformRestart** True at the start of PerformRestart. - **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantStateShowingUpdate** True at the start of Showing Update. +- **UpdateAssistantStateWelcomeToNewOS** True at the start of WelcomeToNewOS. - **UpdateAssistantVersion** Current package version of UpdateAssistant. From f1b45c2c6a2498f3290cbcd4ce136150521db082 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Mon, 8 Nov 2021 12:54:21 +0530 Subject: [PATCH 008/104] part1 5548257 changes --- .gitignore | 1 + .../wcd/wcd-accountmanagement.md | 14 +++---- windows/configuration/wcd/wcd-accounts.md | 10 ++--- .../configuration/wcd/wcd-admxingestion.md | 8 ++-- .../configuration/wcd/wcd-assignedaccess.md | 8 ++-- .../configuration/wcd/wcd-automatictime.md | 18 ++++----- windows/configuration/wcd/wcd-browser.md | 14 +++---- .../wcd/wcd-callandmessagingenhancement.md | 8 ++-- windows/configuration/wcd/wcd-calling.md | 6 +-- windows/configuration/wcd/wcd-cellcore.md | 40 +++++++++---------- windows/configuration/wcd/wcd-cellular.md | 6 +-- windows/configuration/wcd/wcd-certificates.md | 6 +-- windows/configuration/wcd/wcd-cleanpc.md | 8 ++-- windows/configuration/wcd/wcd-connections.md | 6 +-- .../wcd/wcd-connectivityprofiles.md | 16 ++++---- 15 files changed, 85 insertions(+), 84 deletions(-) diff --git a/.gitignore b/.gitignore index 9841e0daea..537edb091d 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ packages.config wdav-pm-sln.csproj wdav-pm-sln.csproj.user wdav-pm-sln.sln +windows/client-management/mdm/bitlocker-csp.md diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md index 3ac49ccd7e..62c0c24b82 100644 --- a/windows/configuration/wcd/wcd-accountmanagement.md +++ b/windows/configuration/wcd/wcd-accountmanagement.md @@ -19,13 +19,13 @@ Use these settings to configure the Account Manager service. ## Applies to -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [DeletionPolicy](#deletionpolicy) | | | | X | | -| [EnableProfileManager](#enableprofilemanager) | | | | X | | -| [ProfileInactivityThreshold](#profileinactivitythreshold) | | | | X | | -| [StorageCapacityStartDeletion](#storagecapacitystartdeletion) | | | | X | | -| [StorageCapacityStopDeletion](#storagecapacitystopdeletion) | | | | X | | +| Settings | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [DeletionPolicy](#deletionpolicy) | | | X | | +| [EnableProfileManager](#enableprofilemanager) | | | X | | +| [ProfileInactivityThreshold](#profileinactivitythreshold) | | | X | | +| [StorageCapacityStartDeletion](#storagecapacitystartdeletion) | | | X | | +| [StorageCapacityStopDeletion](#storagecapacitystopdeletion) | | | X | | >[!NOTE] >Although the AccountManagement settings are available in advanced provisioning for other editions, you should only use them for HoloLens devices. diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 2e172a122e..892f956783 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -19,11 +19,11 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Azure](#azure) | X | X | X | X | | -| [ComputerAccount](#computeraccount) | X | | X | | X | -| [Users](#users) | X | | X | X | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Azure](#azure) | X | X | X | | +| [ComputerAccount](#computeraccount) | X | X | | X | +| [Users](#users) | X | X | X | | ## Azure diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index 9a474ff6c8..9ed3605d2c 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md +++ b/windows/configuration/wcd/wcd-admxingestion.md @@ -26,10 +26,10 @@ Starting in Windows 10, version 1703, you can import (*ingest*) select Group Pol ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | X | | | | | -| [ConfigOperations](#configoperations) | X | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | X | | | | +| [ConfigOperations](#configoperations) | X | | | | ## ConfigADMXInstalledPolicy diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index a891fbcb93..70ce50cc85 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -19,10 +19,10 @@ Use this setting to configure single use (kiosk) devices. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | | -| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | X | | | X | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AssignedAccessSettings](#assignedaccesssettings) | X | | X | | +| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | X | | X | | ## AssignedAccessSettings diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md index 53200de533..b01b86ddb6 100644 --- a/windows/configuration/wcd/wcd-automatictime.md +++ b/windows/configuration/wcd/wcd-automatictime.md @@ -21,15 +21,15 @@ The OS includes support for Network Time Protocol (NTP), which enables devices t ## Applies to -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [EnableAutomaticTime](#enableautomatictime) | | X | | | | -| [NetworkTimeUpdateThreshold](#networktimeupdatethreshold) | | X | | | | -| [NTPEnabled](#ntpenabled) | | X | | | | -| [NTPRegularSyncInterval](#ntpregularsyncinterval) | | X | | | | -| [NTPRetryInterval](#ntpretryinterval) | | X | | | | -| [NTPServer](#ntpserver) | | X | | | | -| [PreferredSlot](#preferredslot) | | X | | | | +| Settings | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [EnableAutomaticTime](#enableautomatictime) | | | | | +| [NetworkTimeUpdateThreshold](#networktimeupdatethreshold) | | | | | +| [NTPEnabled](#ntpenabled) | | | | | +| [NTPRegularSyncInterval](#ntpregularsyncinterval) | | | | | +| [NTPRetryInterval](#ntpretryinterval) | | | | | +| [NTPServer](#ntpserver) | | | | | +| [PreferredSlot](#preferredslot) | | | | | ## EnableAutomaticTime diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index d7e8ff6e10..bfdf0dcfcc 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -19,13 +19,13 @@ Use to configure browser settings that should only be set by OEMs who are part o ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AllowPrelaunch](#allowprelaunch) | | | X | | | -| [FavoriteBarItems](#favoritebaritems) | X | | | | | -| [Favorites](#favorites) | | X | | | | -| [PartnerSearchCode](#partnersearchcode) | X | X | X | | | -| [SearchProviders](#searchproviders) | | X | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AllowPrelaunch](#allowprelaunch) | | X | | | +| [FavoriteBarItems](#favoritebaritems) | X | | | | +| [Favorites](#favorites) | | | | | +| [PartnerSearchCode](#partnersearchcode) | X | X | | | +| [SearchProviders](#searchproviders) | | | | | ## AllowPrelaunch diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md index d841991b53..b3d1396cdc 100644 --- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md +++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md @@ -22,10 +22,10 @@ Use to configure call origin and blocking apps. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [BlockingApp](#blockingapp) | | X | | | | -| [CallOriginApp](#calloriginapp) | | X | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [BlockingApp](#blockingapp) | | | | | +| [CallOriginApp](#calloriginapp) | | | | | ## BlockingApp diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md index d346a04e2c..3489892af7 100644 --- a/windows/configuration/wcd/wcd-calling.md +++ b/windows/configuration/wcd/wcd-calling.md @@ -22,9 +22,9 @@ Use to configure settings for Calling. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | X | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | | | ## Branding diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index de0d3359b2..4273166758 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md @@ -24,26 +24,26 @@ Use to configure settings for cellular data. ## Applies to - Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core - --- | :---: | :---: | :---: | :---: | :---: - PerDevice: [CellConfigurations](#cellconfigurations) | | X | | | | - PerDevice: [CellData](#celldata) | X | X | X | | - PerDevice: [CellUX](#cellux) | X | X | X | | - PerDevice: [CGDual](#cgdual) | | X | | | - PerDevice: [eSim](#esim) | X | X | X | | - PerDevice: [External](#external) | | X | | | - PerDevice: [General](#general) | | X | | | - PerDevice: [RCS](#rcs) | | X | | | - PerDevice: [SMS](#sms) | X | X | X | | - PerDevice: [UIX](#uix) | | X | | | - PerDevice: [UTK](#utk) | | X | | | - PerlMSI: [CellData](#celldata2) | | X | | | - PerIMSI: [CellUX](#cellux2) | | X | | | - PerIMSI: [General](#general2) | | X | | | - PerIMSI: [RCS](#rcs2) | | X | | | - PerIMSI: [SMS](#sms2) | X | X | X | | - PerIMSI: [UTK](#utk2) | | X | | | - PerIMSI: [VoLTE](#volte) | | X | | | + Setting groups | Windows client | Surface Hub | HoloLens | IoT Core + --- | :---: | :---: | :---: | :---: + PerDevice: [CellConfigurations](#cellconfigurations) | | | | | + PerDevice: [CellData](#celldata) | X | X | | + PerDevice: [CellUX](#cellux) | X | X | | + PerDevice: [CGDual](#cgdual) | | | | + PerDevice: [eSim](#esim) | X | X | | + PerDevice: [External](#external) | | | | + PerDevice: [General](#general) | | | | + PerDevice: [RCS](#rcs) | | | | + PerDevice: [SMS](#sms) | X | X | | + PerDevice: [UIX](#uix) | | | | + PerDevice: [UTK](#utk) | | | | + PerlMSI: [CellData](#celldata2) | | | | + PerIMSI: [CellUX](#cellux2) | | | | + PerIMSI: [General](#general2) | | | | + PerIMSI: [RCS](#rcs2) | | | | + PerIMSI: [SMS](#sms2) | X | X | | + PerIMSI: [UTK](#utk2) | | | | + PerIMSI: [VoLTE](#volte) | | | | ## PerDevice diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 2a3982c0d3..04ac696fc5 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -21,9 +21,9 @@ Use to configure settings for cellular connections. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | | | | | +| Setting groups | Windows client | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | X | | | | ## PerDevice diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index 79d200e65c..4396988b08 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md @@ -25,9 +25,9 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All setting groups | X | X | X | X | X | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All setting groups | X | X | X | X | ## CACertificates diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md index 17750d5db9..502fd00a9a 100644 --- a/windows/configuration/wcd/wcd-cleanpc.md +++ b/windows/configuration/wcd/wcd-cleanpc.md @@ -19,10 +19,10 @@ Use to remove user-installed and pre-installed applications, with the option to ## Applies to -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| CleanPCRetainingUserData | X | | | | | -| CleanPCWithoutRetainingUserData | X | | | | | +| Settings | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| CleanPCRetainingUserData | X | | | | +| CleanPCWithoutRetainingUserData | X | | | | For each setting, the options are **Enable** and **Not configured**. diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index 807e392469..ef1498384b 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md @@ -19,9 +19,9 @@ Use to configure settings related to various types of phone connections. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | X | X | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | X | X | | | For each setting group: diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 248a5ab250..5a0d2eb742 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -19,14 +19,14 @@ Use to configure profiles that a user will connect with, such as an email accoun ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Email](#email) | X | X | X | | | -| [Exchange](#exchange) | X | X | X | | | -| [KnownAccounts](#knownaccounts) | X | X | X | | | -| [VPN](#vpn) | X | X | X | X | | -| [WiFiSense](#wifisense) | X | X | X | | | -| [WLAN](#wlan) | X | X | X | X | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Email](#email) | X | X | | | +| [Exchange](#exchange) | X | X | | | +| [KnownAccounts](#knownaccounts) | X | X | | | +| [VPN](#vpn) | X | X | X | | +| [WiFiSense](#wifisense) | X | X | | | +| [WLAN](#wlan) | X | X | X | | ## Email From 128c1b80f8fe7b41e223895f1c2a4eeafcbf316d Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 8 Nov 2021 14:51:19 +0530 Subject: [PATCH 009/104] Updated as per tasks 5544015 --- .../auditing/advanced-security-auditing-faq.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index a3f1fdac56..291e687b2b 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -16,17 +16,17 @@ metadata: ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/06/2021 - ms.technology: windows-sec + ms.technology: mde title: Advanced security auditing FAQ - +summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) - - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) + - [What is the interasction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) - [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-) From 3abea34574616ce45612efc3602ea68e84561320 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 8 Nov 2021 15:08:05 +0530 Subject: [PATCH 010/104] Updated --- .../auditing/advanced-security-auditing-faq.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 291e687b2b..bef7a3080d 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -19,10 +19,7 @@ metadata: ms.technology: mde title: Advanced security auditing FAQ -summary: - - - This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) From 2aed9f45ab495cabb81088d6afa632a39fb4aa5e Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 8 Nov 2021 15:16:41 +0530 Subject: [PATCH 011/104] Update advanced-security-auditing-faq.yml --- .../auditing/advanced-security-auditing-faq.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index bef7a3080d..d00bf92f4a 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -23,6 +23,7 @@ summary: This topic for the IT professional lists questions and answers about un - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) + - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) - [What is the interasction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) From be82eb108a01a018a2bdaa502fdd0cf6da99f68f Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Mon, 8 Nov 2021 16:02:56 +0530 Subject: [PATCH 012/104] part2-5548257 --- windows/configuration/wcd/wcd-countryandregion.md | 6 +++--- .../wcd/wcd-desktopbackgroundandcolors.md | 6 +++--- windows/configuration/wcd/wcd-developersetup.md | 8 ++++---- windows/configuration/wcd/wcd-deviceformfactor.md | 6 +++--- windows/configuration/wcd/wcd-devicemanagement.md | 12 ++++++------ windows/configuration/wcd/wcd-deviceupdatecenter.md | 6 +++--- windows/configuration/wcd/wcd-dmclient.md | 6 +++--- windows/configuration/wcd/wcd-editionupgrade.md | 10 +++++----- .../configuration/wcd/wcd-firewallconfiguration.md | 6 +++--- windows/configuration/wcd/wcd-firstexperience.md | 6 +++--- windows/configuration/wcd/wcd-folders.md | 6 +++--- 11 files changed, 39 insertions(+), 39 deletions(-) diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md index e8cf5a0b37..81597e49d4 100644 --- a/windows/configuration/wcd/wcd-countryandregion.md +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -19,8 +19,8 @@ Use to configure a setting that partners must customize to ship Windows devices ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| CountryCodeForExtendedCapabilityPrompts | ✔️ | ✔️ | ✔️ | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| CountryCodeForExtendedCapabilityPrompts | ✔️ | ✔️ | | | You can set the **CountryCodeForExtendedCapabilityPrompts** setting for **China** to enable additional capability prompts when apps use privacy-sensitive features (such as Contacts or Microphone). diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md index 464d3c8163..e18abe6ad1 100644 --- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md @@ -19,7 +19,7 @@ Do not use. Instead, use the [Personalization settings](wcd-personalization.md). ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md index 666109a375..54acfa4e05 100644 --- a/windows/configuration/wcd/wcd-developersetup.md +++ b/windows/configuration/wcd/wcd-developersetup.md @@ -19,10 +19,10 @@ Use to unlock developer mode on HoloLens devices and configure authentication to ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [EnableDeveloperMode](#enabledevelopermode) | | | | ✔️ | | -| [AuthenticationMode](#authenticationmode) | | | | ✔️ | | +| Setting groups | Windows client | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [EnableDeveloperMode](#enabledevelopermode) | | | ✔️ | | +| [AuthenticationMode](#authenticationmode) | | | ✔️ | | diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index fc86909bc1..b233406d79 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md @@ -19,9 +19,9 @@ Use to identify the form factor of the device. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| DeviceForm | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| DeviceForm | ✔️ | ✔️ | | | Specifies the device form factor running Windows 10. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization. diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 236416cf96..bb1692d17e 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -19,12 +19,12 @@ Use to configure device management settings. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Accounts](#accounts) | ✔️ | ✔️ | ✔️ | | | -| [PGList](#pglist) | ✔️ | ✔️ | ✔️ | | | -| [Policies](#policies) | ✔️ | ✔️ | ✔️ | | | -| [TrustedProvisioningSource](#trustedprovisioningsource) | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Accounts](#accounts) | ✔️ | ✔️ | | | +| [PGList](#pglist) | ✔️ | ✔️ | | | +| [Policies](#policies) | ✔️ | ✔️ | | | +| [TrustedProvisioningSource](#trustedprovisioningsource) | ✔️ | ✔️ | | | ## Accounts diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 3dfa2d7fe2..e72df83e2d 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md @@ -17,7 +17,7 @@ Do not use **DeviceUpdateCenter** settings at this time. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md index 39949ed4c4..31d0ed7b8c 100644 --- a/windows/configuration/wcd/wcd-dmclient.md +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -19,9 +19,9 @@ Use to specify enterprise-specific mobile device management configuration settin ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| UpdateManagementServiceAddress | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| UpdateManagementServiceAddress | ✔️ | ✔️ | | ✔️ | For the **UpdateManagementServiceAddress** setting, enter a list of servers. The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md index 79e2667cb2..aaa3c9a10e 100644 --- a/windows/configuration/wcd/wcd-editionupgrade.md +++ b/windows/configuration/wcd/wcd-editionupgrade.md @@ -19,11 +19,11 @@ Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10 ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ChangeProductKey](#changeproductkey) | ✔️ | ✔️ | | | | -| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | ✔️ | ✔️ | | ✔️ | | -| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | ✔️ | ✔️ | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ChangeProductKey](#changeproductkey) | ✔️ | | | | +| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | ✔️ | | ✔️ | | +| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | ✔️ | | | | ## ChangeProductKey diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index 4bc834f3ac..cd505cda87 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md @@ -19,9 +19,9 @@ Use to enable AllJoyn router to work on public networks. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| EnableAllJoynOnPublicNetwork | | | | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| EnableAllJoynOnPublicNetwork | | | | ✔️ | Set to **True** or **False**. diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index 0561b8d3f4..a854a53a49 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -19,9 +19,9 @@ Use these settings to configure the out-of-box experience (OOBE) to set up HoloL ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | ✔️ | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | ✔️ | | Setting | Description --- | --- diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md index cc594611bc..1eab5f086b 100644 --- a/windows/configuration/wcd/wcd-folders.md +++ b/windows/configuration/wcd/wcd-folders.md @@ -19,8 +19,8 @@ Use to add files to the device. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| PublicDocuments | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| PublicDocuments | ✔️ | ✔️ | | | Browse to and select a file or files that will be included in the provisioning package and added to the public profile documents folder on the target device. You can use the **Relative path to directory on target device** field to create a new folder within the public profile documents folder. From 61348a9a82fc1d520ad05600cb5f62603c3bbed2 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 8 Nov 2021 16:37:10 +0530 Subject: [PATCH 013/104] Update advanced-security-auditing-faq.yml --- .../auditing/advanced-security-auditing-faq.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index d00bf92f4a..bef7a3080d 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -23,7 +23,6 @@ summary: This topic for the IT professional lists questions and answers about un - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) - - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) - [What is the interasction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) From 3c65bb7ded60c2c9dd202b463d96fe30e671d9e3 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 8 Nov 2021 16:48:04 +0530 Subject: [PATCH 014/104] Update advanced-security-auditing-faq.yml --- .../auditing/advanced-security-auditing-faq.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index bef7a3080d..0a5f4d7f2a 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -22,6 +22,7 @@ title: Advanced security auditing FAQ summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) + - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) - [What is the interasction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) From b82478420660db3a9139d2134068299a23489e1d Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 8 Nov 2021 16:55:08 +0530 Subject: [PATCH 015/104] Update advanced-security-auditing-faq.yml --- .../advanced-security-auditing-faq.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 0a5f4d7f2a..a8750ae539 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -22,23 +22,39 @@ title: Advanced security auditing FAQ summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - + - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) + - [What is the interasction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) + - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) + - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) + - [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-) + - [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-) + - [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-) + - [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-) + - [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-) + - [How do I figure out why someone was able to access a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-) + - [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-) + - [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-) + - [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-) + - [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-) + - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-) + - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-) + - [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-) From 1d305857ced1ddef6b03bc717abccabd9dacfcb4 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Mon, 8 Nov 2021 17:08:28 +0530 Subject: [PATCH 016/104] Update advanced-security-auditing-faq.yml --- .../auditing/advanced-security-auditing-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index a8750ae539..73605a664a 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -54,7 +54,7 @@ summary: This topic for the IT professional lists questions and answers about un - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-) - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-) - + - [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-) From 227c55a187702a5210b6da0f4fdccb34b9306264 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 8 Nov 2021 08:51:00 -0800 Subject: [PATCH 017/104] Update .gitignore --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 1bc5b9c3de..8195f14f24 100644 --- a/.gitignore +++ b/.gitignore @@ -20,4 +20,3 @@ packages.config wdav-pm-sln.csproj wdav-pm-sln.csproj.user wdav-pm-sln.sln -windows/client-management/mdm/bitlocker-csp.md From 8d9948004d3eb3be0ae7e5609939c8a0e805f2a7 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 9 Nov 2021 09:55:04 +0530 Subject: [PATCH 018/104] part3 5548257 changes --- windows/configuration/wcd/wcd-kioskbrowser.md | 6 +- windows/configuration/wcd/wcd-licensing.md | 8 +- windows/configuration/wcd/wcd-location.md | 6 +- windows/configuration/wcd/wcd-maps.md | 10 +- windows/configuration/wcd/wcd-networkproxy.md | 6 +- .../configuration/wcd/wcd-networkqospolicy.md | 6 +- windows/configuration/wcd/wcd-oobe.md | 10 +- .../configuration/wcd/wcd-personalization.md | 12 +- windows/configuration/wcd/wcd-policies.md | 787 +++++++++--------- windows/configuration/wcd/wcd-privacy.md | 6 +- 10 files changed, 447 insertions(+), 410 deletions(-) diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md index 0db1c60a59..cbb31ac787 100644 --- a/windows/configuration/wcd/wcd-kioskbrowser.md +++ b/windows/configuration/wcd/wcd-kioskbrowser.md @@ -19,9 +19,9 @@ Use KioskBrowser settings to configure Internet sharing. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | | ✔️ | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | | ✔️ | >[!NOTE] >To configure Kiosk Browser settings for desktop editions, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser). diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md index 98ebd963b2..82adee0181 100644 --- a/windows/configuration/wcd/wcd-licensing.md +++ b/windows/configuration/wcd/wcd-licensing.md @@ -19,10 +19,10 @@ Use for settings related to Microsoft licensing programs. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | ✔️ | | | | | -| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [AllowWindowsEntitlementReactivation](#allowwindowsentitlementreactivation) | ✔️ | | | | +| [DisallowKMSClientOnlineAVSValidation](#disallowkmsclientonlineavsvalidation) | ✔️ | | | | ## AllowWindowsEntitlementReactivation diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md index c0617f9b4a..a2989cead5 100644 --- a/windows/configuration/wcd/wcd-location.md +++ b/windows/configuration/wcd/wcd-location.md @@ -18,9 +18,9 @@ Use Location settings to configure location services. ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [EnableLocation](#enablelocation) | | | | | ✔️ | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [EnableLocation](#enablelocation) | | | | ✔️ | ## EnableLocation diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index b92e27c14e..51aacf0da3 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -18,11 +18,11 @@ Use for settings related to Maps. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ChinaVariantWin10](#chinavariantwin10) | ✔️ | ✔️ | ✔️ | | | -| [UseExternalStorage](#useexternalstorage) | ✔️ | ✔️ | ✔️ | | | -| [UseSmallerCache](#usesmallercache) | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ChinaVariantWin10](#chinavariantwin10) | ✔️ | ✔️ | | | +| [UseExternalStorage](#useexternalstorage) | ✔️ | ✔️ | | | +| [UseSmallerCache](#usesmallercache) | ✔️ | ✔️ | | | ## ChinaVariantWin10 diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index e19c13f19c..1208a335d7 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -18,9 +18,9 @@ Use for settings related to NetworkProxy. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | ✔️ | | | +| Setting | Windows client | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | ## AutoDetect diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index 80e515c380..177a49d274 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md +++ b/windows/configuration/wcd/wcd-networkqospolicy.md @@ -18,9 +18,9 @@ Use to create network Quality of Service (QoS) policies. A QoS policy performs a ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | 1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**. 2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 4245590994..e7f5dac2de 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -18,12 +18,12 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](/windows-hardwa ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️ | | | | | -| [Desktop > HideOobe](#hided) | ✔️ | | | | | -| [Mobile > EnforceEnterpriseProvisioning](#nforce) | | ✔️ | | | | -| [Mobile > HideOobe](#hidem) | | ✔️ | | | | +| [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️ | | | | +| [Desktop > HideOobe](#hided) | ✔️ | | | | +| [Mobile > EnforceEnterpriseProvisioning](#nforce) | | | | | +| [Mobile > HideOobe](#hidem) | | | | | diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index 08af869bd0..18b6259bdc 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -18,12 +18,12 @@ Use to configure settings to personalize a PC. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [DeployDesktopImage](#deploydesktopimage) | ✔️ | | | | | -| [DeployLockScreenImage](#deploylockscreenimage) | ✔️ | | | | | -| [DesktopImageUrl](#desktopimageurl) | ✔️ | | | | | -| [LockScreenImageUrl](#lockscreenimageurl) | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [DeployDesktopImage](#deploydesktopimage) | ✔️ | | | | +| [DeployLockScreenImage](#deploylockscreenimage) | ✔️ | | | | +| [DesktopImageUrl](#desktopimageurl) | ✔️ | | | | +| [LockScreenImageUrl](#lockscreenimageurl) | ✔️ | | | | ## DeployDesktopImage diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 1d9c4d1eee..ec5c1d2844 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -18,176 +18,177 @@ This section describes the **Policies** settings that you can configure in [prov ## AboveLock -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | ✔️ | | | | -| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowActionCenterNotifications](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | | | | +| [AllowToasts](/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | ✔️ | | | | ## Accounts -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | ✔️ | ✔️ | | | | -| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | ✔️ | ✔️ | | ✔️ | | -| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | ✔️ | ✔️ | | | | -| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAddingNonMicrosoftAccountManually](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | ✔️ | | | | +| [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | ✔️ | | ✔️ | | +| [AllowMicrosoftAccountSigninAssistant](/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | ✔️ | | | | +| [DomainNamesForEmailSync](/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | ✔️ | | | | ## ApplicationDefaults -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✔️ | | | | | +| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✔️ | | | ## ApplicationManagement -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✔️ | ✔️ | | | ✔️ | -| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | ✔️ | ✔️ | | | ✔️ | -| [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✔️ | | | ✔️ | +| [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | ✔️ | | | ✔️ | +| [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | ✔️ | ✔️ | ✔️ | ✔️ | | [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | ✔️ | | | | | -| [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | ✔️ | ✔️ | | | | -| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | ✔️ | | | | -| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | ✔️ | | | | -| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | ✔️ | | | | | -| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | ✔️ | ✔️ | | | ✔️ | -| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | ✔️ | ✔️ | | | ✔️ | +| [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | ✔️ | | | | +| [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | | | | +| [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | | | | +| [LaunchAppAfterLogOn](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | ✔️ | | | | +| [RestrictAppDataToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | ✔️ | | | ✔️ | +| [RestrictAppToSystemVolume](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | ✔️ | | | ✔️ | ## Authentication -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowFastReconnect](/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | ✔️ | ✔️ | ✔️ | ✔️ | +| [EnableFastFirstSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | ✔️ | ✔️ | | ✔️ | +| [EnableWebSignin](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | ✔️ | ✔️ | | ✔️ | +| [PreferredAadTenantDomainName](/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | ✔️ | ✔️ | | ✔️ | ## BitLocker -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | ✔️ | ✔️ | | | | +| [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | ✔️ | | | | ## Bluetooth -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAdvertising](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowDiscoverableMode](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowPrepairing](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | ✔️ | ✔️ | ✔️ | ✔️ | +| AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | ✔️ | ✔️ | ✔️ | ✔️ | +| [LocalDeviceName](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | ✔️ | ✔️ | ✔️ | ✔️ | +| [ServicesAllowedList](/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | ✔️ | ✔️ | ✔️ | ✔️ | ## Browser -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | ✔️ | | | | | -| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | ✔️ | ✔️ | | | | -[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | ✔️ | ✔️ | | | | -| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | ✔️ | | | | | -| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | ✔️ | | | | | -| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | ✔️ | | | | | -| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | ✔️ | | | | | -| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | ✔️ | | | ✔️ | | -| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | ✔️ | | | | | -| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | ✔️ | | | | | -| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | ✔️ | | | | | -| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | ✔️ | | | | | -| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | ✔️ | ✔️ | ✔️ | | ✔️ | -[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | ✔️ | ✔️ | | | | -| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | ✔️ | | | | | -| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | ✔️ | | | | | -| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✔️ | | | | | -| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | ✔️ | | | | | -| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | ✔️ | | | | | -| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | ✔️ | | | | | -| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | ✔️ | | | | | -| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | ✔️ | | | | | -[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✔️ | ✔️ | | | | -| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | ✔️ | | | | | -| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | ✔️ | | | | | -| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | ✔️ | ✔️ | | | | -| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | ✔️ | | | | | -[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | ✔️ | ✔️ | | | | -| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | ✔️ | | | | | -| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | ✔️ | ✔️ | ✔️ | | ✔️ | -PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | ✔️ | | | | | -| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | ✔️ | | | | | -| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | ✔️ | ✔️ | ✔️ | | ✔️ | -[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | ✔️ | ✔️ | | | | -| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | ✔️ | | | | | -| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | ✔️ | | | | | -| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | ✔️ | | | | | -| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | ✔️ | | | | | -| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | ✔️ | | | | | -| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | ✔️ | | | | | -[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | ✔️ | ✔️ | | | | +| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | ✔️ | | | | +| [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | ✔️ | | | | +[AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | ✔️ | | | | +| [AllowCookies](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowDeveloperTools](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | ✔️ | | | | +| [AllowDoNotTrack](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | ✔️ | | | | +| [AllowFlash](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | ✔️ | | | | +| [AllowFlashClickToRun](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | ✔️ | | | | +| [AllowFullScreenMode](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowInPrivate](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | ✔️ | ✔️ | | ✔️ | +| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | ✔️ | ✔️ | | ✔️ | +| [AllowPasswordManager](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowPopups](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | ✔️ | | ✔️ | | +| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | ✔️ | | | | +| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | ✔️ | ✔️ | | ✔️ | +| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | ✔️ | | | | +| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ | +| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | ✔️ | ✔️ | | ✔️ | +| [AllowSideloadingOfExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | ✔️ | | | | +| [AllowSmartScreen](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | ✔️ | | | | +| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | ✔️ | ✔️ | | ✔️ | +[AlwaysEnableBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | ✔️ | | | | +| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | ✔️ | | | | +| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 additional search engines for MDM-enrolled devices. | ✔️ | ✔️ | | ✔️ | +| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | ✔️ | | | | +| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | ✔️ | | | | +| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | ✔️ | | | | +| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | ✔️ | | | | +| [ConfigureOpenMicrosoftEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | ✔️ | | | | +| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | ✔️ | | | | +| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | ✔️ | | | | +[EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | ✔️ | ✔️ | | | +| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | ✔️ | | | | +| [EnterpriseSiteListServiceUrl](/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | ✔️ | | | | +| [FirstRunURL](/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | ✔️ | | | | +| [HomePages](/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | ✔️ | | | | +[LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | ✔️ | | | | +| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | ✔️ | ✔️ | | ✔️ | +| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | ✔️ | ✔️ | | ✔️ | +| [PreventFirstRunPage](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | ✔️ | | | | +| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | ✔️ | ✔️ | | ✔️ | +| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen warnings about potentially malicious websites. | ✔️ | ✔️ | | ✔️ | +| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen warnings about downloading unverified files. | ✔️ | ✔️ | | ✔️ | +PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | ✔️ | | | | +| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | ✔️ | | | | +| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | ✔️ | ✔️ | | ✔️ | +[ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | ✔️ | | | | +| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | ✔️ | | | | +| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | ✔️ | ✔️ | | ✔️ | +| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | ✔️ | | | | +| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | ✔️ | | | | +| [ShowMessageWhenOpeningSitesInInternetExplorer](/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | ✔️ | | | | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | ✔️ | | | | +| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | ✔️ | | | | +[UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | ✔️ | | | | ## Camera -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | ✔️ | ✔️ | ✔️ | | | +| [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | ✔️ | ✔️ | | | ## Connectivity -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | ✔️ | | | ✔️ | -| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | ✔️ | | | ✔️ | -| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | ✔️ | ✔️ | ✔️ | | ✔️ | -| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | ✔️ | ✔️ | ✔️ | | ✔️ | -| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | ✔️ | ✔️ | ✔️ | | ✔️ | +| [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | ✔️ | ✔️ | | ✔️ | +| [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | ✔️ | ✔️ | | ✔️ | +| [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | ✔️ | ✔️ | | ✔️ | +| [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | | | ✔️ | +| [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | | | ✔️ | +| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |✔️ | ✔️ | | ✔️ | +| [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | ✔️ | ✔️ | | ✔️ | +| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | ✔️ | ✔️ | | ✔️ | +| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | ✔️ | ✔️ | | ✔️ | ## CredentialProviders -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +[DisableAutomaticReDeploymentCredentials](/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | ✔️ | | | | ## Cryptography -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | ✔️ | ✔️ | | | | -| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | ✔️ | ✔️ | | | | +| [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | ✔️ | | | | +| [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | ✔️ | | | | ## Defender +<<<<<<< Updated upstream | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | | [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✔️ | | | | | @@ -215,118 +216,148 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✔️ | | | | | | [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✔️ | | | | | | [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✔️ | | | | | +======= +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✔️ | | | | +| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | ✔️ | | | | +| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | ✔️ | | | | +| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | ✔️ | | | | +| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | ✔️ | | | | +| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | ✔️ | | | | +| [AllowIntrusionPreventionSystem](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | ✔️ | | | | +| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | ✔️ | | | | +| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | ✔️ | | | | +| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | ✔️ | | | | +| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | ✔️ | | | | +| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | ✔️ | | | | +| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | ✔️ | | | | +| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | ✔️ | | | | +| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | ✔️ | | | | +| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | ✔️ | | | | +| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | ✔️ | | | | +| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ | | | | +| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | ✔️ | | | | +| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✔️ | | | | +| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | ✔️ | | | | +| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | ✔️ | | | | +| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | ✔️ | | | | +| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✔️ | | | | +| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✔️ | | | | +| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✔️ | | | | +>>>>>>> Stashed changes ## DeliveryOptimization -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | ✔️ | | | | | -| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | ✔️ | | | | | -| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | ✔️ | | | | | -| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | ✔️ | | | | | -| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | ✔️ | | | | | -| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | ✔️ | | | | | -| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | ✔️ | | | | | -| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | ✔️ | | | | | -| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | ✔️ | | | | | -| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | ✔️ | | | | | -| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | ✔️ | | | | | -| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | ✔️ | | | | | -| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | ✔️ | | | | | -| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | ✔️ | | | | | -| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | ✔️ | | | | | -| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | ✔️ | | | | | -| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | ✔️ | | | | | -| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | ✔️ | | | | | -| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | -| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | -| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | -| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | ✔️ | | | | | -| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | -| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [DOAbsoluteMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | ✔️ | | | | +| [DOAllowVPNPeerCaching](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | ✔️ | | | | +| [DODelayBackgroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | ✔️ | | | | +| [DODelayForegroundDownloadFromHttp](/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | ✔️ | | | | +| [DODownloadMode](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | ✔️ | | | | +| [DOGroupId](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | ✔️ | | | | +| [DOGroupIdSource](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | ✔️ | | | | +| [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | ✔️ | | | | +| [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | ✔️ | | | | +| [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | ✔️ | | | | +| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | ✔️ | | | | +| [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | ✔️ | | | | +| [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | ✔️ | | | | +| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | ✔️ | | | | +| [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | ✔️ | | | | +| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | ✔️ | | | | +| [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | ✔️ | | | | +| [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | ✔️ | | | | +| [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DOPercentageMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DOPercentageMaxForeDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DORestrictPeerSelectionBy](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | ✔️ | | | | +| [DOSetHoursToLimitBackgroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | +| [DOSetHoursToLimitForegroundDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | ✔️ | | | | ## DeviceGuard -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +[EnableVirtualizationBasedSecurity](/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | ✔️ | | | | ## DeviceLock -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | ✔️ | | | | -| [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | ✔️ | | | | -| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | ✔️ | ✔️ | | ✔️ | | -|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | ✔️ | ✔️ | | ✔️ | | -| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | ✔️ | ✔️ | | ✔️ | | -| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | ✔️ | ✔️ | | ✔️ | | -| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | ✔️ | ✔️ | | ✔️ | | -| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | ✔️ | ✔️ | | ✔️ | | -| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | ✔️ | ✔️ | | ✔️ | | -| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | ✔️ | ✔️ | | ✔️ | | -| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | ✔️ | ✔️ | | ✔️ | | -| [ScreenTimeoutWhileLocked](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | ✔️ | | | | +| [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | | | | +| [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | | | | +| [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | ✔️ | | ✔️ | | +|[AlphanumericDevicePasswordRequired](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | ✔️ | | ✔️ | | +| [DevicePasswordEnabled](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | ✔️ | | ✔️ | | +| [DevicePasswordExpiration](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | ✔️ | | ✔️ | | +| [DevicePasswordHistory](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | ✔️ | | ✔️ | | +| [MaxDevicePasswordFailedAttempts](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | ✔️ | | ✔️ | | +| [MaxInactivityTimeDeviceLock](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | ✔️ | | ✔️ | | +| [MinDevicePasswordComplexCharacters](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | ✔️ | | ✔️ | | +| [MinDevicePasswordLength](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | ✔️ | | ✔️ | | +| [ScreenTimeoutWhileLocked](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | | | | ## DeviceManagement -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| DisableMDMEnrollment | Use this setting to prevent the device from enrolling in MDM. | ✔️ | | | | ## Experience -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | ✔️ | | | | -| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✔️ | ✔️ | | ✔️ | | -| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✔️ | ✔️ | | | | -| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | ✔️ | ✔️ | | | | -| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | ✔️ | ✔️ | | ✔️ | | -| [AllowScreenCapture](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | ✔️ | | | | -| [AllowSIMErrorDialogPromptWhenNoSIM](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | ✔️ | | | | -| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | ✔️ | ✔️ | | | | -| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | ✔️ | | | | | -| [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | ✔️ | | | | -| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | ✔️ | | | | | -| [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | ✔️ | | | | -| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | ✔️ | | | | | -| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | ✔️ | | | | | -| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | ✔️ | | | | | -| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | ✔️ | | | | | -| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | ✔️ | | | | | -| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | ✔️ | | | | | +| [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | | | | +| [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✔️ | | ✔️ | | +| [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✔️ | | | | +| [AllowFindMyDevice](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | ✔️ | | | | +| [AllowManualMDMUnenrollment](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | ✔️ | | ✔️ | | +| [AllowScreenCapture](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | | | | +| [AllowSIMErrorDialogPromptWhenNoSIM](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | | | | +| [AllowSyncMySettings](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | ✔️ | | | | +| [AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | ✔️ | | | | +| [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | | | | +| [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | ✔️ | | | | +| [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | | | | +| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | ✔️ | | | | +| [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | ✔️ | | | | +| [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | ✔️ | | | | +| [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | ✔️ | | | | +| [AllowWindowsTips](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | ✔️ | | | | +| [ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | ✔️ | | | | ## ExploitGuard -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | ✔️ | ✔️ | | | | +| [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | ✔️ | | | | ## Games -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAdvancedGamingServices](/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | ✔️ | | | | ## KioskBrowser These settings apply to the **Kiosk Browser** app available in Microsoft Store. For more information, see [Guidelines for web browsers](../guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ | | | | | +[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ | | | | [BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | ✔️ | | | | | -[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✔️ | | | | | -[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | ✔️ | | | | | -[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | ✔️ | | | | | -[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ | | | | | -[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | ✔️ | | | | | +[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✔️ | | | | +[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | ✔️ | | | | +[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | ✔️ | | | | +[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ | | | | +[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | ✔️ | | | | To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: @@ -339,252 +370,258 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in ## LocalPoliciesSecurityOptions -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | ✔️ | | | | | -| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | ✔️ | | | | | -| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | ✔️ | | | | | +| [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | ✔️ | | | | +| [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | ✔️ | | | | +| [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | ✔️ | | | | ## Location -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [EnableLocation](/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | ## Power -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | ✔️ | | | | | -| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | ✔️ | | | | | -| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | ✔️ | | | | | -| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | ✔️ | | | | | -| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | ✔️ | | | | | -| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | ✔️ | | | | | -| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | ✔️ | | | | | -| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | ✔️ | | | | | -| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | ✔️ | | | | | -| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | ✔️ | | | | | -| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | ✔️ | | | | | -| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | ✔️ | | | | | -| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | ✔️ | | | | | -| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | ✔️ | | | | | -| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | ✔️ | | | | | -| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | ✔️ | | | | | -| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | ✔️ | | | | | -| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | ✔️ | | | | | -| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | ✔️ | | | | | -| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | ✔️ | | | | | -| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | ✔️ | | | | | -| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | ✔️ | | | | | +| [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | ✔️ | | | | +| [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | ✔️ | | | | +| [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | ✔️ | | | | +| [DisplayOffTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#displayofftimeoutpluggedin) | Specify the period of inactivity before Windows turns off the display while plugged in. | ✔️ | | | | +| [EnergySaverBatteryThresholdOnBattery](/windows/client-management/mdm/policy-csp-power#energysaverbatterythresholdonbattery) | Specify the battery charge level at which Energy Saver is turned on while on battery. | ✔️ | | | | +| [EnergySaverBatteryThresholdPluggedIn](/windows/client-management/mdm/policy-csp-power#EnergySaverBatteryThresholdPluggedIn) | Specify the battery charge level at which Energy Saver is turned on while plugged in. | ✔️ | | | | +| [HibernateTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to hibernate while on battery. | ✔️ | | | | +| [HibernateTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#hibernatetimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to hibernate while plugged in. | ✔️ | | | | +| [RequirePasswordWhenComputerWakesOnBattery](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakesonbattery) | Specify whether the user is prompted for a password when the system resumes from sleep while on battery. | ✔️ | | | | +| [RequirePasswordWhenComputerWakesPluggedIn](/windows/client-management/mdm/policy-csp-power#requirepasswordwhencomputerwakespluggedin) | Specify whether the user is prompted for a password when the system resumes from sleep while plugged in. | ✔️ | | | | +| [SelectLidCloseActionBattery](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on battery. | ✔️ | | | | +| [SelectLidCloseActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectlidcloseactionpluggedin) | Select the action to be taken when a user closes the lid on a mobile device while on plugged in. | ✔️ | | | | +| [SelectPowerButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactiononbattery) | Select the action to be taken when the user presses the power button while on battery. | ✔️ | | | | +| [SelectPowerButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectpowerbuttonactionpluggedin) | Select the action to be taken when the user presses the power button while on plugged in. | ✔️ | | | | +| [SelectSleepButtonActionOnBattery](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactiononbattery) | Select the action to be taken when the user presses the sleep button while on battery. | ✔️ | | | | +| [SelectSleepButtonActionPluggedIn](/windows/client-management/mdm/policy-csp-power#selectsleepbuttonactionpluggedin) | Select the action to be taken when the user presses the sleep button while plugged in. | ✔️ | | | | +| [StandbyTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#StandbyTimeoutOnBattery) | Specify the period of inactivity before Windows transitions the system to sleep while on battery. | ✔️ | | | | +| [StandbyTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#standbytimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep while plugged in. | ✔️ | | | | +| [TurnOffHybridSleepOnBattery](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeponbattery) | Turn off hybrid sleep while on battery. | ✔️ | | | | +| [TurnOffHybridSleepPluggedIn](/windows/client-management/mdm/policy-csp-power#turnoffhybridsleeppluggedin) | Turn off hybrid sleep while plugged in. | ✔️ | | | | +| [UnattendedSleepTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutonbattery) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while on battery. | ✔️ | | | | +| [UnattendedSleepTimeoutPluggedIn](/windows/client-management/mdm/policy-csp-power#unattendedsleeptimeoutpluggedin) | Specify the period of inactivity before Windows transitions the system to sleep automatically when a user is not present while plugged in. | ✔️ | | | | ## Privacy -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | ✔️ | | | | -| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | ✔️ | ✔️ | | ✔️ | | +| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | | | | +| [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | ✔️ | | ✔️ | | ## Search -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -[AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | ✔️ | ✔️ | | | | -[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | | | -| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ | ✔️ | | | | -| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✔️ | ✔️ | | ✔️ | | -| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✔️ | ✔️ | | | | -| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

- **Off** setting disables Windows indexer
- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
- **Enterprise** setting reduces potential network loads for enterprises
- **Standard** setting is appropriate for consuemrs | ✔️ | ✔️ | | | | -| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✔️ | ✔️ | | | | -| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✔️ | ✔️ | | | | -| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✔️ | ✔️ | | | | -| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | ✔️ | ✔️ | | | | -| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | ✔️ | ✔️ | | | | -| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | ✔️ | ✔️ | | | | -| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | ✔️ | | | | +[AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | ✔️ | | | | +[AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | | +| [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ | | | | +| [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✔️ | | ✔️ | | +| [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✔️ | | | | +| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

- **Off** setting disables Windows indexer
- **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
- **Enterprise** setting reduces potential network loads for enterprises
- **Standard** setting is appropriate for consuemrs | ✔️ | | | | +| [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✔️ | | | | +| [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✔️ | | | | +| [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✔️ | | | | +| [DisableRemovableDriveIndexing](/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | ✔️ | | | | +| [PreventIndexingLowDiskSpaceMB](/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | ✔️ | | | | +| [PreventRemoteQueries](/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | ✔️ | | | | +| [SafeSearchPermissions](/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | | | | ## Security -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowManualRootCertificateInstallation](/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | ✔️ | | | | -| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AntiTheftMode](/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | ✔️ | | | | -| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | ✔️ | ✔️ | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAddProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | ✔️ | ✔️ | | ✔️ | +| [AllowManualRootCertificateInstallation](/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | | | | +| [AllowRemoveProvisioningPackage](/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | ✔️ | ✔️ | | ✔️ | +| [AntiTheftMode](/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | | | | +| [RequireDeviceEncryption](/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | ✔️ | ✔️ | ✔️ | ✔️ | +| [RequireProvisioningPackageSignature](/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | ✔️ | ✔️ | | ✔️ | +| [RequireRetrieveHealthCertificateOnBoot](/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | ✔️ | | | | ## Settings -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | ✔️ | | | | -| [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | ✔️ | | | | -| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | ✔️ | | ✔️ | | -| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✔️ | | | | | -[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAutoPlay](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | | | | +| [AllowDataSense](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | | | | +| [AllowVPN](/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | | ✔️ | | +| [ConfigureTaskbarCalendar](/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | ✔️ | | | | +[PageVisiblityList](/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | ✔️ | | | | ## Start -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloadds shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloadds shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | ✔️ | | | | +| [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | ✔️ | | | | | [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | ✔️ | | | | | +| [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | ✔️ | | | | | [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | ✔️ | | | | | -| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | ✔️ | | | | | -DisableContextMenus | Prevent context menus from being invoked in the Start menu. | ✔️ | | | | | -| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | ✔️ | | | | | -| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | ✔️ | | | | | -| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | ✔️ | | | | | -| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | ✔️ | | | | | -| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | ✔️ | | | | | -| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | ✔️ | | | | | -| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✔️ | | | | | -| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | ✔️ | | | | | -| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | ✔️ | | | | | -| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | ✔️ | | | | | -| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | ✔️ | | | | | -| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | ✔️ | | | | | -| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | ✔️ | | | | | -| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | ✔️ | | | | | -| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | ✔️ | | | | | -| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | ✔️ | | | | | -| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | ✔️ | | | | | -| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | ✔️ | | | | | -| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | ✔️ | | | | | +| [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | ✔️ | | | | +DisableContextMenus | Prevent context menus from being invoked in the Start menu. | ✔️ | | | | +| [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | ✔️ | | | | +| [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | ✔️ | | | | +| [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | ✔️ | | | | +| [HideFrequentlyUsedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | ✔️ | | | | +| [HideHibernate](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | ✔️ | | | | +| [HideLock](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | ✔️ | | | | +| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | ✔️ | | | | +| [HidePowerButton](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | ✔️ | | | | +| [HideRecentJumplists](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | ✔️ | | | | +| [HideRecentlyAddedApps](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | ✔️ | | | | +| [HideRestart](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | ✔️ | | | | +| [HideShutDown](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | ✔️ | | | | +| [HideSignOut](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | ✔️ | | | | +| [HideSleep](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | ✔️ | | | | +| [HideSwitchAccount](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | ✔️ | | | | +| [HideUserTile](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | ✔️ | | | | +| [ImportEdgeAssets](/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](../start-secondary-tiles.md). | ✔️ | | | | +| [NoPinningToTaskbar](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | ✔️ | | | | +| [StartLayout](/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) | ✔️ | | | | ## System -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | ✔️ | ✔️ | | | | -| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | ✔️ | ✔️ | | | | -| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | ✔️ | ✔️ | | ✔️ | | -| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | ✔️ | ✔️ | | | | -ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | ✔️ | ✔️ | | | | -ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | ✔️ | ✔️ | | | | -| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✔️ | ✔️ | | | | -| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✔️ | ✔️ | | | | -| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✔️ | | | | | -| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✔️ | ✔️ | | | | +| [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | ✔️ | | | | +| [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | ✔️ | ✔️ | | ✔️ | +| [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | ✔️ | | | | +| [AllowLocation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowStorageCard](/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | ✔️ | ✔️ | | ✔️ | +| [AllowTelemetry](/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | ✔️ | | ✔️ | | +| [AllowUserToResetPhone](/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | ✔️ | | | | +ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | ✔️ | | | | +ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | ✔️ | | | | +| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | ✔️ | | | | +| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | ✔️ | | | | +| [DisableOneDriveFileSync](/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | ✔️ | | | | +| [LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | ✔️ | | | | ## TextInput -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | ✔️ | | | | | -| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | ✔️ | | | | | -| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | ✔️ | | | | | -| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | ✔️ | | | | | -| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | ✔️ | | | | | -| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | ✔️ | | | | | -| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✔️ | | | | | -| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✔️ | | | | | -| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowIMELogging](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | ✔️ | | | | +| [AllowIMENetworkAccess](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | ✔️ | | | | +| [AllowInputPanel](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | ✔️ | | | | +| [AllowJapaneseIMESurrogatePairCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | ✔️ | | | | +| [AllowJapaneseIVSCharacters](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | ✔️ | | | | +| [AllJapaneseNonPublishingStandardGlyph](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | ✔️ | | | | +| [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✔️ | | | | +| [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✔️ | | | | +| [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✔️ | | | | | AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | -| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | | -| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | | -| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | | +| [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | +| [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | +| [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ | | | | ## TimeLanguageSettings -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | ✔️ | | | | +| [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | | | | ## Update -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------:|:---------------:|:-----------:|:--------:|:--------:| -| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | ✔️ | | ✔️ | | ✔️ | -| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | ✔️ | ✔️ | ✔️ | | ✔️ | -| ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| PhoneUpdateRestrictions | Deprecated | | ✔️ | | | | -| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | ✔️ | ✔️ | ✔️ | | ✔️ | -| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | ✔️ | ✔️ | ✔️ | | ✔️ | -| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | -| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | +| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | ✔️ | ✔️ | | ✔️ | +| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | | ✔️ | +| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ | +| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✔️ | ✔️ | | ✔️ | +| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | ✔️ | ✔️ | | ✔️ | +| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | ✔️ | ✔️ | ✔️ | ✔️ | +| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ | +| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ | +| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | ✔️ | ✔️ | | ✔️ | +| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ | +| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ | +| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | ✔️ | ✔️ | ✔️ | ✔️ | +| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ | +| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ | +| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | ✔️ | ✔️ | | ✔️ | +| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | ✔️ | ✔️ | | ✔️ | +| ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ | +| PhoneUpdateRestrictions | Deprecated | | ✔️ | | | +| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | ✔️ | | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | ✔️ | ✔️ | ✔️ | ✔️ | +| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | ✔️ | ✔️ | | ✔️ | +| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | ✔️ | ✔️ | | ✔️ | +| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | ✔️ | ✔️ | | ✔️ | +| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | ✔️ | ✔️ | | ✔️ | +| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | ✔️ | ✔️ | | ✔️ | +| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | ✔️ | ✔️ | | ✔️ | +| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | ✔️ | ✔️ | | ✔️ | +| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | +| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ | ## WiFi -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | ✔️ | ✔️ | | | | -| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | ✔️ | ✔️ | | | | -| [AllowManualWiFiConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | ✔️ | | | | -| [AllowWiFi](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | ✔️ | | | | -| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowAutoConnectToWiFiSenseHotspots](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | ✔️ | | | | +| [AllowInternetSharing](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | ✔️ | | | | +| [AllowManualWiFiConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | | | | +| [AllowWiFi](/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | | | | +| [WLANScanMode](/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | ✔️ | ✔️ | | ✔️ | ## WindowsInkWorkspace -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | ✔️ | | | | | -| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | ✔️ | | | | | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowSuggestedAppsInWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | ✔️ | | | | +| [AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | ✔️ | | | | ## WindowsLogon -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | ✔️ | | | | | +| [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | ✔️ | | | | ## WirelessDisplay +<<<<<<< Updated upstream | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | | [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✔️ | ✔️ | | | | +======= +| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | --- | :---: | :---: | :---: | :---: | +| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✔️ | | | | +>>>>>>> Stashed changes diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index 5904abff0c..425fab9796 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -17,9 +17,9 @@ Use **Privacy** to configure settings for app activation with voice. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | ✔️ | | ✔️ | ## LetAppsActivateWithVoice From 9a450d88bea60f2fcdfa6931b1db067e1d73bf9a Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 9 Nov 2021 11:07:14 +0530 Subject: [PATCH 019/104] part3 5548257 wcd-policies.md warnings fixed --- windows/configuration/wcd/wcd-policies.md | 77 +++++++---------------- 1 file changed, 21 insertions(+), 56 deletions(-) diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index ec5c1d2844..9bb5dc2f45 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -36,8 +36,8 @@ This section describes the **Policies** settings that you can configure in [prov ## ApplicationDefaults | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✔️ | | | +| --- | --- | :---: | :---: | :---: | :---: | +| [DefaultAssociationsConfiguration](/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | ✔️ | | | | ## ApplicationManagement @@ -72,7 +72,7 @@ This section describes the **Policies** settings that you can configure in [prov ## BitLocker | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [EncryptionMethod](/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | ✔️ | | | | @@ -90,7 +90,7 @@ This section describes the **Policies** settings that you can configure in [prov ## Browser | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowAddressBarDropdown](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | ✔️ | | | | | [AllowAutofill](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | ✔️ | ✔️ | | ✔️ | | [AllowBrowser](/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | ✔️ | | | | @@ -154,14 +154,14 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star ## Camera | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowCamera](/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | ✔️ | ✔️ | | | ## Connectivity | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowBluetooth](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | ✔️ | ✔️ | ✔️ | ✔️ | | [AllowCellularData](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | ✔️ | ✔️ | | ✔️ | | [AllowCellularDataRoaming](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | ✔️ | ✔️ | | ✔️ | @@ -182,43 +182,14 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star ## Cryptography | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowFipsAlgorithmPolicy](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | ✔️ | | | | | [TLSCiperSuites](/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | ✔️ | | | | ## Defender -<<<<<<< Updated upstream -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✔️ | | | | | -| [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | ✔️ | | | | | -| [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | ✔️ | | | | | -| [AllowEmailScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | ✔️ | | | | | -| [AllowFullScanOnMappedNetworkDrives](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | ✔️ | | | | | -| [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | ✔️ | | | | | -| [AllowIOAVProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | ✔️ | | | | | -| [AllowOnAccessProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | ✔️ | | | | | -| [AllowRealtimeMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | ✔️ | | | | | -| [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | ✔️ | | | | | -| [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | ✔️ | | | | | -| [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | ✔️ | | | | | -| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | ✔️ | | | | | -| [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | ✔️ | | | | | -| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | ✔️ | | | | | -| [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | ✔️ | | | | | -| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ | | | | | -| [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | ✔️ | | | | | -| [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✔️ | | | | | -| [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | ✔️ | | | | | -| [ScheduleScanDay](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | ✔️ | | | | | -| [ScheduleScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | ✔️ | | | | | -| [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✔️ | | | | | -| [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✔️ | | | | | -| [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✔️ | | | | | -======= | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowArchiveScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | ✔️ | | | | | [AllowBehaviorMonitoring](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | ✔️ | | | | | [AllowCloudProtection](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | ✔️ | | | | @@ -245,7 +216,6 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | [SignatureUpdateInterval](/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | ✔️ | | | | | [SubmitSamplesConsent](/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | ✔️ | | | | | [ThreatSeverityDefaultAction](/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | ✔️ | | | | ->>>>>>> Stashed changes ## DeliveryOptimization @@ -285,7 +255,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star ## DeviceLock | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowIdleReturnWithoutPassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | | | | | [AllowScreenTimeoutWhileLockedUserConfig](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | | | | | [AllowSimpleDevicePassword](/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | ✔️ | | ✔️ | | @@ -311,7 +281,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star ## Experience | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowCopyPaste](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | | | | | [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | ✔️ | | ✔️ | | | [AllowDeviceDiscovery](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | ✔️ | | | | @@ -334,7 +304,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star ## ExploitGuard | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | ✔️ | | | | @@ -350,7 +320,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star These settings apply to the **Kiosk Browser** app available in Microsoft Store. For more information, see [Guidelines for web browsers](../guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | [BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ | | | | [BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | ✔️ | | | | | [DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | ✔️ | | | | @@ -371,7 +341,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in ## LocalPoliciesSecurityOptions | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [InteractiveLogon_DoNotDisplayLastSignedIn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) | Specify whether the Windows sign-in screen will show the username of the last person who signed in. | ✔️ | | | | | [Shutdown_AllowSystemtobeShutDownWithoutHavingToLogOn](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) | Specify whether a computer can be shut down without signing in. | ✔️ | | | | | [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) | Configure how an elevation prompt should behave for standard users. | ✔️ | | | | @@ -385,7 +355,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in ## Power | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowStandbyStatesWhenSleepingOnBattery](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingonbattery) | Specify whether Windows can use standby states when putting the computer in a sleep state while on battery. | ✔️ | | | | | [AllowStandbyWhenSleepingPluggedIn](/windows/client-management/mdm/policy-csp-power#allowstandbystateswhensleepingpluggedin) | Specify whether Windows can use standby states when putting the computer in a sleep state while plugged in. | ✔️ | | | | | [DisplayOffTimeoutOnBattery](/windows/client-management/mdm/policy-csp-power#displayofftimeoutonbattery) | Specify the period of inactivity before Windows turns off the display while on battery. | ✔️ | | | | @@ -412,7 +382,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in ## Privacy | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowAutoAcceptPairingAndPrivacyConsentPrompts](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | | | | | [AllowInputPersonalization](/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | ✔️ | | ✔️ | | @@ -420,7 +390,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in ## Search | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | [AllowCloudSearch](/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | ✔️ | | | | [AllowCortanaInAAD](/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | ✔️ | | | | | [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ | | | | @@ -497,7 +467,7 @@ DisableContextMenus | Prevent context menus from being invoked in the Start menu ## System | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowBuildPreview](/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | ✔️ | | | | | [AllowEmbeddedMode](/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | ✔️ | ✔️ | | ✔️ | | [AllowExperimentation](/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | ✔️ | | | | @@ -535,14 +505,14 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl ## TimeLanguageSettings | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [AllowSet24HourClock](/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | | | | ## Update | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------:|:---------------:|:-----------:|:--------:|:--------:| +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------:|:---------------:|:-----------:|:--------:| | [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | ✔️ | ✔️ | | ✔️ | | [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | | ✔️ | | [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ | @@ -610,18 +580,13 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl ## WindowsLogon + | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | +| --- | --- | :---: | :---: | :---: | :---: | | [HideFastUserSwitching](/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | ✔️ | | | | ## WirelessDisplay -<<<<<<< Updated upstream -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✔️ | ✔️ | | | | -======= | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | | [AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | ✔️ | | | | ->>>>>>> Stashed changes From 2aaea75d3fceb4401b3e21a7e29b062c90d6d70a Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 9 Nov 2021 12:50:02 +0530 Subject: [PATCH 020/104] part4-5548257 --- windows/configuration/wcd/wcd-provisioningcommands.md | 6 +++--- windows/configuration/wcd/wcd-sharedpc.md | 6 +++--- windows/configuration/wcd/wcd-smisettings.md | 6 +++--- windows/configuration/wcd/wcd-start.md | 2 +- windows/configuration/wcd/wcd-startupapp.md | 6 +++--- windows/configuration/wcd/wcd-startupbackgroundtasks.md | 6 +++--- windows/configuration/wcd/wcd-storaged3inmodernstandby.md | 6 +++--- windows/configuration/wcd/wcd-surfacehubmanagement.md | 6 +++--- windows/configuration/wcd/wcd-tabletmode.md | 6 +++--- windows/configuration/wcd/wcd-takeatest.md | 6 +++--- windows/configuration/wcd/wcd-time.md | 6 +++--- 11 files changed, 31 insertions(+), 31 deletions(-) diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index 51ca4daddb..dab5b939b7 100644 --- a/windows/configuration/wcd/wcd-provisioningcommands.md +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -19,9 +19,9 @@ Use ProvisioningCommands settings to install Windows desktop applications using ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | For instructions on adding apps to provisioning packages, see [Provision PCs with apps](../provisioning-packages/provision-pcs-with-apps.md). diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index 2cee7eec84..3dd25e3954 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -20,9 +20,9 @@ Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as t ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## AccountManagement diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index f378d5f114..ed3dbc5df6 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md @@ -19,9 +19,9 @@ Use SMISettings settings to customize the device with custom shell, suppress Win ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## All settings in SMISettings diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index cd1ddd0c36..bebe2a9e3d 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -19,7 +19,7 @@ Use Start settings to apply a customized Start screen to devices. ## Applies to -| Setting | Desktop editions | Surface Hub | HoloLens | IoT Core | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | | StartLayout | ✔️ | | | | diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md index 84b5fbc1cd..49815cf169 100644 --- a/windows/configuration/wcd/wcd-startupapp.md +++ b/windows/configuration/wcd/wcd-startupapp.md @@ -19,8 +19,8 @@ Use StartupApp settings to configure the default app that will run on start for ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| Default | | | | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| Default | | | | ✔️ | Enter the [Application User Model ID (AUMID)](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the default app. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md index 375b29173c..7d169c131d 100644 --- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md +++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md @@ -19,7 +19,7 @@ Documentation not available at this time. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | | ✔️ | diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md index bf25d4dfd0..d48b954521 100644 --- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md +++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md @@ -22,6 +22,6 @@ Use **StorageD3InModernStandby** to enable or disable low-power state (D3) durin ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | ✔️ | ✔️ | | ✔️ | \ No newline at end of file +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | ✔️ | | ✔️ | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md index d0492b9ac5..edf2a819ed 100644 --- a/windows/configuration/wcd/wcd-surfacehubmanagement.md +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md @@ -24,9 +24,9 @@ Use SurfaceHubManagement settings to set the administrator group that will manag ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | ## GroupName diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md index 6f1c67bfb8..e97c3ebf6e 100644 --- a/windows/configuration/wcd/wcd-tabletmode.md +++ b/windows/configuration/wcd/wcd-tabletmode.md @@ -19,9 +19,9 @@ Use TabletMode to configure settings related to tablet mode. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | ✔️ | | | ## ConvertibleSlateModePromptPreference diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md index 0f3d22d642..f9f3708a13 100644 --- a/windows/configuration/wcd/wcd-takeatest.md +++ b/windows/configuration/wcd/wcd-takeatest.md @@ -19,9 +19,9 @@ Use TakeATest to configure the Take A Test app, a secure browser for test-taking ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | | ## AllowScreenMonitoring diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index 1efcbc613a..259df9fdd1 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md @@ -17,9 +17,9 @@ Use **Time** to configure settings for time zone setup for Windows 10, version ( ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [ProvisionSetTimeZone](#provisionsettimezone) | ✔️ | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [ProvisionSetTimeZone](#provisionsettimezone) | ✔️ | | | | ## ProvisionSetTimeZone From 858d2e7f18057cab069526d31036a7d2ea72b719 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 9 Nov 2021 14:48:12 +0530 Subject: [PATCH 021/104] part5-5548257 --- .../configuration/wcd/wcd-unifiedwritefilter.md | 6 +++--- .../configuration/wcd/wcd-universalappinstall.md | 14 +++++++------- .../configuration/wcd/wcd-universalappuninstall.md | 8 ++++---- .../configuration/wcd/wcd-usberrorsoemoverride.md | 6 +++--- windows/configuration/wcd/wcd-weakcharger.md | 8 ++++---- .../wcd/wcd-windowshelloforbusiness.md | 6 +++--- .../configuration/wcd/wcd-windowsteamsettings.md | 6 +++--- windows/configuration/wcd/wcd-wlan.md | 6 +++--- windows/configuration/wcd/wcd-workplace.md | 6 +++--- windows/configuration/wcd/wcd.md | 2 +- 10 files changed, 34 insertions(+), 34 deletions(-) diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index 2463513137..c5586d1c3a 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -40,9 +40,9 @@ The overlay doesn't mirror the entire volume. It dynamically grows to keep track ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | ✔️ | | | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | ✔️ | | | ✔️ | ## FilterEnabled diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index 2085c5e99a..0822937da4 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md @@ -22,13 +22,13 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [DeviceContextApp](#devicecontextapp) | ✔️ | | ✔️ | | | -| [DeviceContextAppLicense](#devicecontextapplicense) | ✔️ | | ✔️ | | | -| [StoreInstall](#storeinstall) | ✔️ | ✔️ | ✔️ | | ✔️ | -| [UserContextApp](#usercontextapp) | ✔️ | ✔️ | ✔️ | | ✔️ | -| [UserContextAppLicense](#usercontextapplicense) | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [DeviceContextApp](#devicecontextapp) | ✔️ | ✔️ | | | +| [DeviceContextAppLicense](#devicecontextapplicense) | ✔️ | ✔️ | | | +| [StoreInstall](#storeinstall) | ✔️ | ✔️ | | ✔️ | +| [UserContextApp](#usercontextapp) | ✔️ | ✔️ | | ✔️ | +| [UserContextAppLicense](#usercontextapplicense) | ✔️ | ✔️ | | ✔️ | ## DeviceContextApp diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md index 0ae1ade853..625891ae05 100644 --- a/windows/configuration/wcd/wcd-universalappuninstall.md +++ b/windows/configuration/wcd/wcd-universalappuninstall.md @@ -20,10 +20,10 @@ Use UniversalAppUninstall settings to uninstall or remove Windows apps. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [RemoveProvisionedApp](#removeprovisionedapp) | ✔️ | | | | | -| [Uninstall](#uninstall) | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [RemoveProvisionedApp](#removeprovisionedapp) | ✔️ | | | | +| [Uninstall](#uninstall) | ✔️ | ✔️ | | ✔️ | ## RemoveProvisionedApp diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md index 9b4fc26665..3eb9975d01 100644 --- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md +++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -20,9 +20,9 @@ Allows an OEM to hide the USB option UI in Settings and all USB device errors. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | ✔️ | ✔️ | ✔️ | ✔️ | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [HideUsbErrorNotifyOptionUI](#hideusberrornotifyoptionui) | ✔️ | ✔️ | ✔️ | | ## HideUsbErrorNotifyOptionUI diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md index 0f57e581fd..ce9f3ab265 100644 --- a/windows/configuration/wcd/wcd-weakcharger.md +++ b/windows/configuration/wcd/wcd-weakcharger.md @@ -20,10 +20,10 @@ Use WeakCharger settings to configure the charger notification UI. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | ✔️ | ✔️ | ✔️ | | | -| [NotifyOnWeakCharger](#notifyonweakcharger) | ✔️ | ✔️ | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [HideWeakChargerNotifyOptionUI](#hideweakchargernotifyoptionui) | ✔️ | ✔️ | | | +| [NotifyOnWeakCharger](#notifyonweakcharger) | ✔️ | ✔️ | | | ## HideWeakChargerNotifyOptionUI diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index d000b9facc..fc0d8fbd54 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md @@ -19,9 +19,9 @@ Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for ## Applies to -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [SecurityKeys](#securitykeys) | ✔️ | | | | | +| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [SecurityKeys](#securitykeys) | ✔️ | | | | ## SecurityKeys diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md index a4e82b4a0e..9307518bf1 100644 --- a/windows/configuration/wcd/wcd-windowsteamsettings.md +++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -20,9 +20,9 @@ Use WindowsTeamSettings settings to configure Surface Hub. ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | ✔️ | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | ✔️ | | | ## Connect diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 2a746063eb..8b931bc90a 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -20,7 +20,7 @@ Do not use at this time. Instead, use [ConnectivityProfiles > WLAN](wcd-connecti ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | | | | | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| All settings | | | | | diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md index 48f7826dc9..e810f28679 100644 --- a/windows/configuration/wcd/wcd-workplace.md +++ b/windows/configuration/wcd/wcd-workplace.md @@ -20,9 +20,9 @@ Use Workplace settings to configure bulk user enrollment to a mobile device mana ## Applies to -| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [Enrollments](#enrollments) | ✔️ | ✔️ | ✔️ | | ✔️ | +| Setting | Windows client | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | +| [Enrollments](#enrollments) | ✔️ | ✔️ | | ✔️ | ## Enrollments diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 0d09e59143..952a247ff3 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -18,7 +18,7 @@ This section describes the settings that you can configure in [provisioning pack ## Edition that each group of settings applies to -| Setting group | Desktop editions | Surface Hub | HoloLens | IoT Core | +| Setting group | Windows client | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | | [AccountManagement](wcd-accountmanagement.md) | | | ✔️ | | | [Accounts](wcd-accounts.md) | ✔️ | ✔️ | ✔️ | ✔️ | From 185f04399e1a10c64b5ed5af3a841e654c9955bf Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 9 Nov 2021 16:40:58 +0530 Subject: [PATCH 022/104] 5548201: HTML Tables converted to Markdown Batch 01 This is a batch of ten files that consists of HTML tables converted into Markdown as per Task 5548201. --- ...ct-data-using-enterprise-site-discovery.md | 76 +- ...terprise-mode-schema-version-1-guidance.md | 135 +--- ...terprise-mode-schema-version-2-guidance.md | 198 +---- ...ct-data-using-enterprise-site-discovery.md | 74 +- ...terprise-mode-schema-version-1-guidance.md | 167 +--- ...terprise-mode-schema-version-2-guidance.md | 200 +---- .../windows/chromebook-migration-guide.md | 453 ++--------- .../deploy-windows-10-in-a-school-district.md | 764 ++---------------- .../microsoft-store-for-business-overview.md | 336 ++++---- ...ting-on-the-appv-client-with-powershell.md | 59 +- ...-a-stand-alone-computer-with-powershell.md | 56 +- .../app-v/appv-managing-connection-groups.md | 55 +- ...grating-to-appv-from-a-previous-version.md | 167 +--- 13 files changed, 406 insertions(+), 2334 deletions(-) diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index d4f9600d8b..10d59733dd 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -201,68 +201,32 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you You can use both the WMI and XML settings individually or together: **To turn off Enterprise Site Discovery** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
+ +|Setting name |Option | +|---------|---------| +|Turn on Site Discovery WMI output | Off | +|Turn on Site Discovery XML output | Blank | **Turn on WMI recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
+ +|Setting name |Option | +|---------|---------| +|Turn on Site Discovery WMI output | On | +|Turn on Site Discovery XML output | Blank | **To turn on XML recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
+ +|Setting name |Option | +|---------|---------| +|Turn on Site Discovery WMI output | Off | +|Turn on Site Discovery XML output | XML file path | **To turn on both WMI and XML recording** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
+ +|Setting name |Option | +|---------|---------| +|Turn on Site Discovery WMI output | On | +|Turn on Site Discovery XML output | XML file path | ## Use Configuration Manager to collect your data After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md index 634fd7cd91..d04fbf79b9 100644 --- a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md @@ -60,132 +60,21 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l ### Schema elements This table includes the elements used by the Enterprise Mode schema. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ElementDescriptionSupported browser
<rules>Root node for the schema. -

Example -

-<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
Internet Explorer 11 and Microsoft Edge
<emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. -

Example -

-<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
--or- -

For IPv6 ranges:

<rules version="205">
-  <emie>
-    <domain>[10.122.34.99]:8080</domain>
-  </emie>
-  </rules>
--or- -

For IPv4 ranges:

<rules version="205">
-  <emie>
-    <domain>10.122.34.99:8080</domain>
-  </emie>
-  </rules>
Internet Explorer 11 and Microsoft Edge
<docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. -

Example -

-<rules version="205">
-  <docMode>
-    <domain docMode="7">contoso.com</domain>
-  </docMode>
-</rules>
Internet Explorer 11
<domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. -

Example -

-<emie>
-  <domain>contoso.com:8080</domain>
-</emie>
Internet Explorer 11 and Microsoft Edge
<path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section. -

Example -

-<emie>
-  <domain exclude="false">fabrikam.com
-    <path exclude="true">/products</path>
-  </domain>
-</emie>

-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.

Internet Explorer 11 and Microsoft Edge
+|Element |Description |Supported browser | +|---------|---------|---------| +|<rules> | Root node for the schema.
**Example** 
<rules version="205"> 
  <emie> 
   <domain>contoso.com</domain> 
  </emie>
 </rules> |Internet Explorer 11 and Microsoft Edge         |
+|<emie>     |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. 
 **Example** 
<rules version="205"> 
 <emie> 
   <domain>contoso.com</domain> 
 </emie>
</rules>  
 
 **or** 
 For IPv6 ranges: 

<rules version="205"> 
 <emie> 
  <domain>[10.122.34.99]:8080</domain> 
 </emie>
</rules> 
 
 **or**
 For IPv4 ranges:
<rules version="205"> 
 <emie> 
  <domain>[10.122.34.99]:8080</domain> 
 </emie>
</rules> | Internet Explorer 11 and Microsoft Edge       |
+|<docMode>     |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.  
 **Example** 
 
<rules version="205"> 
 <docmode> 
   <domain docMode="7">contoso.com</domain> 
 </docmode>
</rules>     |Internet Explorer 11         |
+|<domain>     |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. 
 **Example** 
 
<emie> 
 <domain>contoso.com:8080</domain>
</emie>       |Internet Explorer 11 and Microsoft Edge         |
+|<path>    |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
 **Example**  
 
<emie> 
 <domain exclude="false">fabrikam.com 
   <path exclude="true">/products</path>
 </domain>
</emie>
 
 Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.   |Internet Explorer 11 and Microsoft Edge         |
 
 ### Schema attributes
 This table includes the attributes used by the Enterprise Mode schema.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
AttributeDescriptionSupported browser
<version>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
<exclude>Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
-
Example
-
-<emie>
-  <domain exclude="false">fabrikam.com
-    <path exclude="true">/products</path>
-  </domain>
-</emie>

-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.
Internet Explorer 11 and Microsoft Edge
<docMode>Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section.
-
Example
-
-<docMode>
-  <domain exclude="false">fabrikam.com
-    <path docMode="7">/products</path>
-  </domain>
-</docMode>
Internet Explorer 11

+|Attribute|Description|Supported browser|
+|--- |--- |--- |
+|<version>|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge|
+|<exclude>|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the  and  elements.
 **Example** 
<emie>
  <domain exclude="false">fabrikam.com 
    <path exclude="true">/products</path>
  </domain>
</emie> 
 Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
+|<docMode>|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
 **Example**
<docMode> 
  <domain exclude="false">fabrikam.com 
    <path docMode="7">/products</path>
  </domain>
</docMode>|Internet Explorer 11|
 
 ### Using Enterprise Mode and document mode together
 If you want to use both Enterprise Mode and document mode together, you need to be aware that  <emie> entries override <docMode> entries for the same domain. 
diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
index 70694a3df2..fcdaa18eee 100644
--- a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
@@ -92,194 +92,32 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l
 ### Updated schema elements
 This table includes the elements used by the v.2 version of the Enterprise Mode schema.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
ElementDescriptionSupported browser
<site-list>A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
-
Example
-
-<site-list version="205">
-  <site url="contoso.com">
-    <compat-mode>IE8Enterprise</compat-mode>
-    <open-in>IE11</open-in>
-  </site>
-</site-list>
Internet Explorer 11 and Microsoft Edge
<site>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
-
Example
-
-<site url="contoso.com">
-  <compat-mode>default</compat-mode>
-  <open-in>none</open-in>
-</site>

--or-
-
For IPv4 ranges:
<site url="10.122.34.99:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>

--or-
-
For IPv6 ranges:
<site url="[10.122.34.99]:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>

-You can also use the self-closing version, <url="contoso.com" />, which also sets:
-
    
-  
  • <compat-mode>default</compat-mode>
    • 
-  
  • <open-in>none</open-in>
    • 
-
Internet Explorer 11 and Microsoft Edge
<compat-mode>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
-
Example
-
-<site url="contoso.com">
-  <compat-mode>IE8Enterprise</compat-mode>
-</site>

--or-
-
For IPv4 ranges:
<site url="10.122.34.99:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>

--or-
-
For IPv6 ranges:
<site url="[10.122.34.99]:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>

-Where:
-
    
-  
  • IE8Enterprise. Loads the site in IE8 Enterprise Mode.
    This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
    • 
-  
  • IE7Enterprise. Loads the site in IE7 Enterprise Mode.
    This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.
    Important
    This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
    • 
-  
  • IE[x]. Where [x] is the document mode number into which the site loads.
    • 
-  
  • Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
    • 
-
Internet Explorer 11
<open-in>A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
-
Example
-
-<site url="contoso.com">
-  <open-in>none</open-in>
-</site>

-Where:
-
    
-  
  • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
    • 
-  
  • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
    • 
-  
  • None or not specified. Opens in whatever browser the employee chooses.
    • 
-
Internet Explorer 11 and Microsoft Edge

+
+|Element  |Description |Supported browser  |
+|---------|---------|---------|
+|<site-list>     |A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>. 
 **Example** 
 
<site-list version="205">
  <site url="contoso.com">
   <compat-mode>IE8Enterprise</compat-mode>
   <open-in>IE11</open-in>
  </site>
</site-list>
         | Internet Explorer 11 and Microsoft Edge        |
+|<site>    |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element. 
 **Example** 
<site url="contoso.com">
  <compat-mode>default</compat-mode>
  <open-in>none</open-in>
</site>
 
 **or** For IPv4 ranges: 
  
<site url="10.122.34.99:8080">
 <compat-mode>IE8Enterprise</compat-mode>
<site>
 
 **or**  For IPv6 ranges:
<site url="[10.122.34.99]:8080">
  <compat-mode>IE8Enterprise</compat-mode>
<site>
 
 You can also use the self-closing version, <url="contoso.com" />, which also sets:
  • <compat-mode>default</compat-mode>
  • <open-in>none</open-in>
    • | Internet Explorer 11 and Microsoft Edge        |
+|<compat-mode>     |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. 
     **Example** 

    <site url="contoso.com">
      <compat-mode>IE8Enterprise</compat-mode>
    </site>
     **or** 
     For IPv4 ranges:
    <site url="10.122.34.99:8080">
      <compat-mode>IE8Enterprise</compat-mode>
    <site>
     **or** For IPv6 ranges:
    <site url="[10.122.34.99]:8080">
      <compat-mode>IE8Enterprise</compat-mode>
    <site>
     Where
    • **IE8Enterprise.** Loads the site in IE8 Enterprise Mode.
      This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
    • **IE7Enterprise.** Loads the site in IE7 Enterprise Mode.
      This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode
      **Important**
      This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
    • **IE[x]**. Where [x] is the document mode number into which the site loads.
    • **Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
      •       |Internet Explorer 11         |
+|<open-in>    |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.
       **Examples**
      <site url="contoso.com">
        <open-in>none</open-in> 
      </site>
       
       Where
      • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
      • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
      • None or not specified. Opens in whatever browser the employee chooses.
        •   | Internet Explorer 11 and Microsoft Edge        |
 
 ### Updated schema attributes
 The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
        AttributeDescriptionSupported browser
        allow-redirectA boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
-
        Example
-
        -<site url="contoso.com/travel">
-  <open-in allow-redirect="true">IE11</open-in>
-</site>
        
-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.        		Internet Explorer 11 and Microsoft Edge
        versionSpecifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.Internet Explorer 11 and Microsoft Edge
        urlSpecifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
-
        Note
        
-Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com.
-
        Example
-
        -<site url="contoso.com:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-  <open-in>IE11</open-in>
-</site>
        
-In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.        		Internet Explorer 11 and Microsoft Edge
        
+|Attribute|Description|Supported browser|
+|---------|---------|---------|
+|allow-redirect|A boolean attribute of the  element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
        **Example**
        <site url="contoso.com/travel">
          <open-in allow-redirect="true">IE11 </open-in>
        </site> 
         In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.| Internet Explorer 11 and Microsoft Edge|
+|version     |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.   | Internet Explorer 11 and Microsoft Edge|
+|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
         **Note**
         Make sure that you don't specify a protocol. Using <site url="contoso.com">  applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com). 
         **Example**
        <site url="contoso.com:8080">
           <compat-mode>IE8Enterprise</compat-mode> 
         <open-in>IE11</open-in>
        </site>
        In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
 
 ### Deprecated attributes
 These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
        Deprecated attributeNew attributeReplacement example
        <forceCompatView><compat-mode>Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>
        <docMode><compat-mode>Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>
        <doNotTransition><open-in>Replace <doNotTransition="true"> with <open-in>none</open-in>
        <domain> and <path><site>Replace:
-
        -<emie>
-  <domain exclude="false">contoso.com</domain>
-</emie>
        
-With:
-
        -<site url="contoso.com"/>
-  <compat-mode>IE8Enterprise</compat-mode>
-</site>
        
--AND-
        
-Replace:
-
        -<emie>
-  <domain exclude="true">contoso.com
-     <path exclude="false" forceCompatView="true">/about</path>
-  </domain>
-</emie>
        
-With:
-
        -<site url="contoso.com/about">
-  <compat-mode>IE7Enterprise</compat-mode>
-</site>
        
+|Deprecated attribute|New attribute|Replacement example|
+|--- |--- |--- |
+|<forceCompatView>|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>|
+|<docMode>|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>|
+|<doNotTransition>|<open-in>|Replace:
         <doNotTransition="true"> with <open-in>none</open-in>|
+|<domain> and <path>|<site>|Replace:
        <emie>
         <domain exclude="false">contoso.com</domain>
        </emie>
        With:
        <site url="contoso.com"/> 
          <compat-mode>IE8Enterprise</compat-mode>
        </site>
        **-AND-** 
        Replace:
        <emie> 
          <domain exclude="true">contoso.com 
         <path exclude="false" forceCompatView="true">/about</path>
         </domain>
        </emie>

         With:
        <site url="contoso.com/about">
         <compat-mode>IE7Enterprise</compat-mode>
        </site>|
 
 While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 65fbb8eaaf..488c893951 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -205,68 +205,28 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you
 You can use both the WMI and XML settings individually or together:
 
 **To turn off Enterprise Site Discovery**
-
-    
-        
-        
-    
-    
-        
-        
-    
-        
-        
-        
-    
-
        Setting nameOption
        Turn on Site Discovery WMI outputOff
        Turn on Site Discovery XML outputBlank
        
+|Setting name|Option|
+|--- |--- |
+|Turn on Site Discovery WMI output|Off|
+|Turn on Site Discovery XML output|Blank|
 
 **Turn on WMI recording only**
-
-    
-        
-        
-    
-    
-        
-        
-    
-        
-        
-        
-    
-
        Setting nameOption
        Turn on Site Discovery WMI outputOn
        Turn on Site Discovery XML outputBlank
        
+|Setting name|Option|
+|--- |--- |
+|Turn on Site Discovery WMI output|On|
+|Turn on Site Discovery XML output|Blank|
 
 **To turn on XML recording only**
-
-    
-        
-        
-    
-    
-        
-        
-    
-        
-        
-        
-    
-
        Setting nameOption
        Turn on Site Discovery WMI outputOff
        Turn on Site Discovery XML outputXML file path
        
+|Setting name|Option|
+|--- |--- |
+|Turn on Site Discovery WMI output|Off|
+|Turn on Site Discovery XML output|XML file path|
  
-To turn on both WMI and XML recording
-
-    
-        
-        
-    
-    
-        
-        
-    
-        
-        
-        
-    
-
        Setting nameOption
        Turn on Site Discovery WMI outputOn
        Turn on Site Discovery XML outputXML file path
        
+**To turn on both WMI and XML recording**
+|Setting name|Option|
+|--- |--- |
+|Turn on Site Discovery WMI output|On|
+|Turn on Site Discovery XML output|XML file path|
 
 ## Use Configuration Manager to collect your data
 After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 6832c2797b..adf856e767 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -64,163 +64,24 @@ The following is an example of the Enterprise Mode schema v.1. This schema can r
 
 ### Schema elements
 This table includes the elements used by the Enterprise Mode schema.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
        ElementDescriptionSupported browser
        <rules>Root node for the schema.
-
        Example
-
        -<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
        		Internet Explorer 11 and Microsoft Edge
        <emie>The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
-
        Example
-
        -<rules version="205">
-  <emie>
-    <domain>contoso.com</domain>
-  </emie>
-</rules>
        
--or-
-
        For IPv6 ranges:
        <rules version="205">
-  <emie>
-    <domain>[10.122.34.99]:8080</domain>
-  </emie>
-  </rules>
        
--or-
-
        For IPv4 ranges:
        <rules version="205">
-  <emie>
-    <domain>10.122.34.99:8080</domain>
-  </emie>
-  </rules>
        		Internet Explorer 11 and Microsoft Edge
        <docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied.
-
        Example
-
        -<rules version="205">
-  <docMode>
-    <domain docMode="7">contoso.com</domain>
-  </docMode>
-</rules>
        		Internet Explorer 11
        <domain>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
-
        Example
-
        -<emie>
-  <domain>contoso.com:8080</domain>
-</emie>
        		Internet Explorer 11 and Microsoft Edge
        <path>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
-
        Example
-
        -<emie>
-  <domain exclude="true">fabrikam.com
-    <path exclude="false">/products</path>
-  </domain>
-</emie>
        
-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.
        		Internet Explorer 11 and Microsoft Edge
        
+|Element |Description  |Supported browser  |
+|---------|---------|---------|
+|<rules>   | Root node for the schema.
        **Example** 
        <rules version="205"> 
          <emie> 
           <domain>contoso.com</domain> 
          </emie>
         </rules> |Internet Explorer 11 and Microsoft Edge         |
+|<emie>     |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. 
         **Example** 
        <rules version="205"> 
         <emie> 
           <domain>contoso.com</domain> 
         </emie>
        </rules>  
         
         **or** 
         For IPv6 ranges: 

        <rules version="205"> 
         <emie> 
          <domain>[10.122.34.99]:8080</domain> 
         </emie>
        </rules> 
         
         **or**
         For IPv4 ranges:
        <rules version="205"> 
         <emie> 
          <domain>[10.122.34.99]:8080</domain> 
         </emie>
        </rules> | Internet Explorer 11 and Microsoft Edge       |
+|<docMode>     |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.  
         **Example** 
         
        <rules version="205"> 
         <docmode> 
           <domain docMode="7">contoso.com</domain> 
         </docmode>
        </rules>     |Internet Explorer 11         |
+|<domain>     |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. 
         **Example** 
         
        <emie> 
         <domain>contoso.com:8080</domain>
        </emie>       |Internet Explorer 11 and Microsoft Edge         |
+|<path>    |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
         **Example**  
         
        <emie> 
         <domain exclude="false">fabrikam.com 
           <path exclude="true">/products</path>
         </domain>
        </emie>
         
         Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.   |Internet Explorer 11 and Microsoft Edge         |
 
 ### Schema attributes
 This table includes the attributes used by the Enterprise Mode schema.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
        AttributeDescriptionSupported browser
        versionSpecifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.Internet Explorer 11 and Microsoft Edge
        excludeSpecifies the domain or path excluded from applying Enterprise Mode. This attribute is only supported on the <domain> and <path> elements in the <emie> section. If this attribute is absent, it defaults to false.
-
        
-
        Example:
        
-
        -<emie>
-  <domain exclude="false">fabrikam.com
-    <path exclude="true">/products</path>
-  </domain>
-</emie>
        
-Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not.
        		Internet Explorer 11
        docModeSpecifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section.
-
        
-
        Example:
        
-
        -<docMode>
-  <domain>fabrikam.com
-    <path docMode="9">/products</path>
-  </domain>
-</docMode>
        
-Where https://fabrikam.com loads in IE11 document mode, but https://fabrikam.com/products uses IE9 document mode.
        		Internet Explorer 11
        doNotTransitionSpecifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
-
        
-
        Example:
        
-
        -<emie>
-  <domain doNotTransition="false">fabrikam.com
-    <path doNotTransition="true">/products</path>
-  </domain>
-</emie>
        
-Where https://fabrikam.com opens in the IE11 browser, but https://fabrikam.com/products loads in the current browser (eg. Microsoft Edge).
        		Internet Explorer 11 and Microsoft Edge
        forceCompatViewSpecifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
-
        
-
        Example:
        
-
        -<emie>
-  <domain exclude="true">fabrikam.com
-    <path forceCompatView="true">/products</path>
-  </domain>
-</emie>
        
-Where https://fabrikam.com does not use Enterprise Mode, but https://fabrikam.com/products uses IE7 Enterprise Mode.
        		Internet Explorer 11
        
+|Attribute|Description|Supported browser|
+|--- |--- |--- |
+|version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge|
+|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the  and  elements.
         **Example** 
        <emie>
          <domain exclude="false">fabrikam.com 
            <path exclude="true">/products</path>
          </domain>
        </emie> 
         Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
+|docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
         **Example**
        <docMode> 
          <domain exclude="false">fabrikam.com 
            <path docMode="9">/products</path>
          </domain>
        </docMode>|Internet Explorer 11|
+|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
         **Example**
        <emie>
         <domain doNotTransition="false">fabrikam.com 
           <path doNotTransition="true">/products</path>
         </domain>
        </emie>
        Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge|
+|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. 
         **Example**
        <emie>
         <domain doNotTransition="false">fabrikam.com 
           <path doNotTransition="true">/products</path>
         </domain>
        </emie>
        Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11|
 
 ### Using Enterprise Mode and document mode together
 If you want to use both Enterprise Mode and document mode together, you need to be aware that  <emie> entries override <docMode> entries for the same domain. 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index 299c6c093f..d9e6edd663 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -97,197 +97,31 @@ The following is an example of the v.2 version of the Enterprise Mode schema.
 ### Updated schema elements
 This table includes the elements used by the v.2 version of the Enterprise Mode schema.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
        ElementDescriptionSupported browser
        <site-list>A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
-
        Example
-
        -<site-list version="205">
-  <site url="contoso.com">
-    <compat-mode>IE8Enterprise</compat-mode>
-    <open-in>IE11</open-in>
-  </site>
-</site-list>
        		Internet Explorer 11 and Microsoft Edge
        <site>A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
-
        Example
-
        -<site url="contoso.com">
-  <compat-mode>default</compat-mode>
-  <open-in>none</open-in>
-</site>
        
--or-
-
        For IPv4 ranges:
        <site url="10.122.34.99:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>
        
--or-
-
        For IPv6 ranges:
        <site url="[10.122.34.99]:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>
        
-You can also use the self-closing version, <url="contoso.com" />, which also sets:
-
          
-  
        • <compat-mode>default</compat-mode>
          • 
-  
        • <open-in>none</open-in>
          • 
-
        		Internet Explorer 11 and Microsoft Edge
        <compat-mode>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
-
        Example
-
        -<site url="contoso.com">
-  <compat-mode>IE8Enterprise</compat-mode>
-</site>
        
--or-
-
        For IPv4 ranges:
        <site url="10.122.34.99:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>
        
--or-
-
        For IPv6 ranges:
        <site url="[10.122.34.99]:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-<site>
        
-Where:
-
          
-  
        • IE8Enterprise. Loads the site in IE8 Enterprise Mode.
          This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
          • 
-  
        • IE7Enterprise. Loads the site in IE7 Enterprise Mode.
          This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.
          Important
          This tag replaces the combination of the "forceCompatView"="true" attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
          • 
-  
        • IE[x]. Where [x] is the document mode number into which the site loads.
          • 
-  
        • Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
          • 
-
        		Internet Explorer 11
        <open-in>A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
-
        Example
-
        -<site url="contoso.com">
-  <open-in>none</open-in>
-</site>
        
-Where:
-
          
-  
        • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
          • 
-  
        • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
          • 
-  
        • None or not specified. Opens in whatever browser the employee chooses.
          • 
-
        		Internet Explorer 11 and Microsoft Edge
        
+|Element  |Description |Supported browser  |
+|---------|---------|---------|
+|<site-list>     |A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>. 
         **Example** 
         
        <site-list version="205">
          <site url="contoso.com">
           <compat-mode>IE8Enterprise</compat-mode>
           <open-in>IE11</open-in>
          </site>
        </site-list>
                 | Internet Explorer 11 and Microsoft Edge        |
+|<site>    |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element. 
         **Example** 
        <site url="contoso.com">
          <compat-mode>default</compat-mode>
          <open-in>none</open-in>
        </site>
         
         **or** For IPv4 ranges: 
          
        <site url="10.122.34.99:8080">
         <compat-mode>IE8Enterprise</compat-mode>
        <site>
         
         **or**  For IPv6 ranges:
        <site url="[10.122.34.99]:8080">
          <compat-mode>IE8Enterprise</compat-mode>
        <site>
         
         You can also use the self-closing version, <url="contoso.com" />, which also sets:
        • <compat-mode>default</compat-mode>
        • <open-in>none</open-in>
          • | Internet Explorer 11 and Microsoft Edge        |
+|<compat-mode>     |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. 
           **Example** 

          <site url="contoso.com">
            <compat-mode>IE8Enterprise</compat-mode>
          </site>
           **or** 
           For IPv4 ranges:
          <site url="10.122.34.99:8080">
            <compat-mode>IE8Enterprise</compat-mode>
          <site>
           **or** For IPv6 ranges:
          <site url="[10.122.34.99]:8080">
            <compat-mode>IE8Enterprise</compat-mode>
          <site>
           Where
          • **IE8Enterprise.** Loads the site in IE8 Enterprise Mode.
            This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
          • **IE7Enterprise.** Loads the site in IE7 Enterprise Mode.
            This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode
            **Important**
            This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.
          • **IE[x]**. Where [x] is the document mode number into which the site loads.
          • **Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
            •       |Internet Explorer 11         |
+|<open-in>    |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.
             **Examples**
            <site url="contoso.com">
              <open-in>none</open-in> 
            </site>
             
             Where
            • IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
            • MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
            • None or not specified. Opens in whatever browser the employee chooses.
              •   | Internet Explorer 11 and Microsoft Edge        |
 
 ### Updated schema attributes
 The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
              AttributeDescriptionSupported browser
              allow-redirectA boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
-
              Example
-
              -<site url="contoso.com/travel">
-  <open-in allow-redirect="true">IE11</open-in>
-</site>
              
-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.              		Internet Explorer 11 and Microsoft Edge
              versionSpecifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.Internet Explorer 11 and Microsoft Edge
              urlSpecifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
-
              Note
              
-Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com.
-
              Example
-
              -<site url="contoso.com:8080">
-  <compat-mode>IE8Enterprise</compat-mode>
-  <open-in>IE11</open-in>
-</site>
              
-In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.              		Internet Explorer 11 and Microsoft Edge
              
+|Attribute|Description|Supported browser|
+|---------|---------|---------|
+|allow-redirect|A boolean attribute of the  element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
              **Example**
              <site url="contoso.com/travel">
                <open-in allow-redirect="true">IE11 </open-in>
              </site>
               In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. 
            • | Internet Explorer 11 and Microsoft Edge|
+|version     |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.   | Internet Explorer 11 and Microsoft Edge|
+|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
               **Note**
               Make sure that you don't specify a protocol. Using <site url="contoso.com">  applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com). 
               **Example**
              <site url="contoso.com:8080">
                 <compat-mode>IE8Enterprise</compat-mode> 
               <open-in>IE11</open-in>
              </site>
              In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
 
 ### Deprecated attributes
 These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
              Deprecated element/attributeNew elementReplacement example
              forceCompatView<compat-mode>Replace forceCompatView="true" with <compat-mode>IE7Enterprise</compat-mode>
              docMode<compat-mode>Replace docMode="IE5" with <compat-mode>IE5</compat-mode>
              doNotTransition<open-in>Replace doNotTransition="true" with <open-in>none</open-in>
              <domain> and <path><site>Replace:
-
              -<emie>
-  <domain>contoso.com</domain>
-</emie>
              
-With:
-
              -<site url="contoso.com"/>
-  <compat-mode>IE8Enterprise</compat-mode>
-  <open-in>IE11</open-in>
-</site>
              
--AND-
              
-Replace:
-
              -<emie>
-  <domain exclude="true" doNotTransition="true">
-    contoso.com
-    <path forceCompatView="true">/about</path>
-  </domain>
-</emie>
              
-With:
-
              -<site url="contoso.com/about">
-  <compat-mode>IE7Enterprise</compat-mode>
-  <open-in>IE11</open-in>
-</site>
              
+|Deprecated attribute|New attribute|Replacement example|
+|--- |--- |--- |
+|forceCompatView|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>|
+|docMode|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>|
+|doNotTransition|<open-in>|Replace:
               <doNotTransition="true"> with <open-in>none</open-in>|
+|<domain> and <path>|<site>|Replace:
              <emie>
               <domain exclude="false">contoso.com</domain>
              </emie>
              With:
              <site url="contoso.com"/> 
                <compat-mode>IE8Enterprise</compat-mode>
              </site>
              **-AND-** 
              Replace:
              <emie> 
                <domain exclude="true">contoso.com 
               <path exclude="false" forceCompatView="true">/about</path>
               </domain>
              </emie>

               With:
              <site url="contoso.com/about">
               <compat-mode>IE7Enterprise</compat-mode>
               <open-in>IE11</open-in>
              </site>|
 
 While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
 
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 2fb2324ddc..af0ea18ce1 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -126,96 +126,22 @@ Table 2 lists the settings in the Device Management node in the Google Admin Con
 
 Table 2. Settings in the Device Management node in the Google Admin Console
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
              



              SectionSettings
              Network
              These settings configure the network connections for Chromebook devices and include the following settings categories:
              
-
                
-
              • Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.
                • 
-
              • Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.
                • 
-
              • VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.
                • 
-
              • Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.
                • 
-
              Mobile
              These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
              
-
                
-
              • Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
                • 
-
              • Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
                • 
-
              • Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
                • 
-
              • Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
                • 
-
              • Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.
                • 
-
              Chrome management
              These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
              
-
                
-
              • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                • 
-
              • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
                • 
-
              • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                • 
-
              • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.
                • 
-
              • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.
                • 
-
              
-
- 
+|Section  |Settings  |
+|---------|---------|
+|Network     | 
              These settings configure the network connections for Chromebook devices and include the following settings categories:
              •  **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.
                •  
              • **Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.
              • **VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.
              • **Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.
                        |
+|Mobile     |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                   
                • **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
                • **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
                • **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
                •  **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider. 
                • **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.        |
+|Chrome management    |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
                     
                  • **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                  • **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
                  •  **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
                  • **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices 
                  • **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.      |
 
 Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows.
 
 Table 3. Settings in the Security node in the Google Admin Console
-
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    SectionSettings
                    Basic settings
                    These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.
                    
-
                    Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.
                    Password monitoring
                    This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.
                    API reference
                    This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.
                    Set up single sign-on (SSO)
                    This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.
                    Advanced settings
                    This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.
                    
-
- 
+|Section|Settings|
+|--- |--- |
+|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.
                     Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.|
+|Password monitoring|This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.|
+|API reference|This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.|
+|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.|
+|Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.|
 
 **Identify locally-configured settings to migrate**
 
@@ -428,62 +354,14 @@ Table 5 is a decision matrix that helps you decide if you can use only on-premis
 
 Table 5. Select on-premises AD DS, Azure AD, or hybrid
 
-
------
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    





                    If you plan to...On-premises AD DSAzure ADHybrid
                    Use Office 365XX
                    Use Intune for managementXX
                    Use Microsoft Endpoint Manager for managementXX
                    Use Group Policy for managementXX
                    Have devices that are domain-joinedXX
                    Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joinedXX
                    
-
- 
+|If you plan to...|On-premises AD DS|Azure AD|Hybrid|
+|--- |--- |--- |--- |
+|Use Office 365||X|X|
+|Use Intune for management||X|X|
+|Use Microsoft Endpoint Manager for management|X||X|
+|Use Group Policy for management|X||X|
+|Have devices that are domain-joined|X||X|
+|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||X|X|
 
 ### 
 
@@ -497,113 +375,17 @@ Table 6 is a decision matrix that lists the device, user, and app management pro
 
 Table 6. Device, user, and app management products and technologies
 
-
---------
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    








                    Desired featureWindows provisioning packagesGroup PolicyConfiguration ManagerIntuneMDTWindows Software Update Services
                    Deploy operating system imagesXXX
                    Deploy apps during operating system deploymentXXX
                    Deploy apps after operating system deploymentXXX
                    Deploy software updates during operating system deploymentXX
                    Deploy software updates after operating system deploymentXXXXX
                    Support devices that are domain-joinedXXXXX
                    Support devices that are not domain-joinedXXX
                    Use on-premises resourcesXXXX
                    Use cloud-based servicesX
                    
-
- 
+|Desired feature|Windows provisioning packages|Group Policy|Configuration Manager|Intune|MDT|Windows Software Update Services|
+|--- |--- |--- |--- |--- |--- |--- |
+|Deploy operating system images|X||X||X||
+|Deploy apps during operating system deployment|X||X||X||
+|Deploy apps after operating system deployment|X|X|X||||
+|Deploy software updates during operating system deployment|||X||X||
+|Deploy software updates after operating system deployment|X|X|X|X||X|
+|Support devices that are domain-joined|X|X|X|X|X||
+|Support devices that are not domain-joined|X|||X|X||
+|Use on-premises resources|X|X|X||X||
+|Use cloud-based services||||X|||
 
 You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution.
 
@@ -665,35 +447,10 @@ It is important that you perform any network infrastructure remediation first be
 
 Table 7. Network infrastructure products and technologies and deployment resources
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    Product or technologyResources
                    DHCP
                    DNS
                    
-
+|Product or technology|Resources|
+|--- |--- |
+|DHCP|
                  •  [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) 
                  •  [DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))|
+|DNS|
                  • [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) 
                  • [Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))|
  
 
 If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
@@ -706,38 +463,10 @@ It is important that you perform AD DS and Azure AD services deployment or remed
 In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both.
 
 Table 8. AD DS, Azure AD and deployment resources
-
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    Product or technologyResources
                    AD DS
                    Azure AD
                    
-
- 
+|Product or technology|Resources|
+|--- |--- |
+|AD DS| 
                  •  [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) 
                  • [Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))|
+|Azure AD| 
                  •  [Azure Active Directory documentation](/azure/active-directory/) 
                  • [Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259) 
                  • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
 
 If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
 
@@ -750,59 +479,13 @@ Table 9 lists the Microsoft management systems and the deployment resources for
 
 Table 9. Management systems and deployment resources
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    Management systemResources
                    Windows provisioning packages
                    Group Policy
                    Configuration Manager
                    Intune
                    MDT
                    
-
- 
+|Management system|Resources|
+|--- |--- |
+|Windows provisioning packages| 
                  •  [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) 
                  • [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) 
                  •  [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)|
+|Group Policy|
                  •  [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11)) 
                  •  [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"|
+|Configuration Manager| 
                  •  [Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10)) 
                  •  [Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))|
+|Intune| 
                  •  [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262) 
                  •  [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263) 
                  •  [System Center 2012 R2 Configuration Manager &amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)|
+|MDT| 
                  • [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324) 
                  •  [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
 
 If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
 
@@ -814,45 +497,11 @@ In the [Plan for app migration or replacement](#plan-app-migrate-replace) sectio
 In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.
 
 Table 10. Management systems and app deployment resources
-
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    Management systemResources
                    Group Policy
                    Configuration Manager
                    Intune
                    
-
- 
+|Management system|Resources|
+|--- |--- |
+|Group Policy| 
                  •  [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) 
                  •  [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10)) 
                  •  [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))|
+|Configuration Manager| 
                  •  [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10)) 
                  •  [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))|
+|Intune| 
                  •  [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913) 
                  •  [Manage apps with Microsoft Intune](/mem/intune/)|
 
 If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
 
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 09c8ad86fe..2572fe0140 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -225,80 +225,10 @@ Use the cloud-centric scenario and on-premises and cloud scenario as a guide for
 
 To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    MethodDescription
                    MDT
                    MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.

                    
-Select this method when you:
                    
-
                      
-
                    • Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
                      • 
-
                    • Don’t have an existing AD DS infrastructure.
                      • 
-
                    • Need to manage devices regardless of where they are (on or off premises).
                      • 
-
                    
-
-
                    The advantages of this method are that:
                    
-
                      
-
                    • You can deploy Windows 10 operating systems.
                      • 
-
                    • You can manage device drivers during initial deployment.
                      • 
-
                    • You can deploy Windows desktop apps (during initial deployment)
                      • 
-
                    • It doesn’t require an AD DS infrastructure.
                      • 
-
                    • It doesn’t have additional infrastructure requirements.
                      • 
-
                    • MDT doesn’t incur additional cost: it’s a free tool.
                      • 
-
                    • You can deploy Windows 10 operating systems to institution-owned and personal devices.
                      • 
-
                    
-
-
                    The disadvantages of this method are that it:
                    
-
-
                      
-
                    • Can’t manage applications throughout entire application life cycle (by itself).
                      • 
-
                    • Can’t manage software updates for Windows 10 and apps (by itself).
                      • 
-
                    • Doesn’t provide antivirus and malware protection (by itself).
                      • 
-
                    • Has limited scaling to large numbers of users and devices.
                      • 
-
                    
-
-
                    Microsoft Endpoint Configuration Manager
                    Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.

                    
-Select this method when you:
                    
-
                      
-
                    • Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
                      • 
-
                    • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
                      • 
-
                    • Typically deploy Windows 10 to on-premises devices.
                      • 
-
                    
-
-
                    The advantages of this method are that:
                    
-
                      
-
                    • You can deploy Windows 10 operating systems.
                      • 
-
                    • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
                      • 
-
                    • You can manage software updates for Windows 10 and apps.
                      • 
-
                    • You can manage antivirus and malware protection.
                      • 
-
                    • It scales to large number of users and devices.
                      • 
-
                    
-
                    The disadvantages of this method are that it:
                    
-
                      
-
                    • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
                      • 
-
                    • Can deploy Windows 10 only to domain-joined (institution-owned devices).
                      • 
-
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                      • 
-
                    
-
                    
+|Method|Description|
+|--- |--- |
+|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
                     Select this method when you: 
                  •  Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.) 
                  •  Don’t have an existing AD DS infrastructure. 
                  •  Need to manage devices regardless of where they are (on or off premises). 
                    The advantages of this method are that: 
                     
                  •  You can deploy Windows 10 operating systems 
                  •  You can manage device drivers during initial deployment. 
                  • You can deploy Windows desktop apps (during initial deployment)
                  •  It doesn’t require an AD DS infrastructure.
                  • It doesn’t have additional infrastructure requirements.
                  • MDT doesn’t incur additional cost: it’s a free tool.
                  • You can deploy Windows 10 operating systems to institution-owned and personal devices. 
                     The disadvantages of this method are that it:
                     
                  • Can’t manage applications throughout entire application life cycle (by itself).
                  • Can’t manage software updates for Windows 10 and apps (by itself).
                  • Doesn’t provide antivirus and malware protection (by itself).
                  • Has limited scaling to large numbers of users and devices.|
+|Microsoft Endpoint Configuration Manager|
                  •  Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle 
                  • You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection. 
                     Select this method when you: 
                  •  Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined). 
                  • Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure). 
                  • Typically deploy Windows 10 to on-premises devices. 
                     The advantages of this method are that: 
                  • You can deploy Windows 10 operating systems.
                  • You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
                  • You can manage software updates for Windows 10 and apps.
                  • You can manage antivirus and malware protection.
                  • It scales to large number of users and devices. 
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
                  • Can deploy Windows 10 only to domain-joined (institution-owned devices).
                  • Requires an AD DS infrastructure (if the institution does not have AD DS already).|
 
 *Table 2. Deployment methods*
 
@@ -317,81 +247,10 @@ If you have only one device to configure, manually configuring that one device i
 
 For a district, there are many ways to manage the configuration setting for users and devices. Table 4 lists the methods that this guide describes and recommends. Use this information to determine which combination of configuration setting management methods is right for your institution.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    MethodDescription
                    Group Policy
                    Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.

                    
-Select this method when you:
                    
-
-
                      
-
                    • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
                      • 
-
                    • Want more granular control of device and user settings.
                      • 
-
                    • Have an existing AD DS infrastructure.
                      • 
-
                    • Typically manage on-premises devices.
                      • 
-
                    • Can manage a required setting only by using Group Policy.
                      • 
-
                    
-
-
                    The advantages of this method include:
                    
-
                      
-
                    • No cost beyond the AD DS infrastructure.
                      • 
-
                    • A larger number of settings (compared to Intune).
                      • 
-
                    
-
-
                    The disadvantages of this method are that it:
                    
-
                      
-
                    • Can only manage domain-joined (institution-owned devices).
                      • 
-
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                      • 
-
                    • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
                      • 
-
                    • Has rudimentary app management capabilities.
                      • 
-
                    • Cannot deploy Windows 10 operating systems.
                      • 
-
                    
-
                    Intune
                    Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.

                    
-Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.

                    
-Select this method when you:
                    
-
-
                      
-
                    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                      • 
-
                    • Don’t need granular control over device and user settings (compared to Group Policy).
                      • 
-
                    • Don’t have an existing AD DS infrastructure.
                      • 
-
                    • Need to manage devices regardless of where they are (on or off premises).
                      • 
-
                    • Want to provide application management for the entire application life cycle.
                      • 
-
                    • Can manage a required setting only by using Intune.
                      • 
-
                    
-
-
                    The advantages of this method are that:
                    
-
                      
-
                    • You can manage institution-owned and personal devices.
                      • 
-
                    • It doesn’t require that devices be domain joined.
                      • 
-
                    • It doesn’t require any on-premises infrastructure.
                      • 
-
                    • It can manage devices regardless of their location (on or off premises).
                      • 
-
                    
-
                    The disadvantages of this method are that it:
                    
-
                      
-
                    • Carries an additional cost for Intune subscription licenses.
                      • 
-
                    • Doesn’t offer granular control over device and user settings (compared to Group Policy).
                      • 
-
                    • Cannot deploy Windows 10 operating systems.
                      • 
-
                    
-
                    
+|Method|Description|
+|--- |--- |
+|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. 
                     Select this method when you 
                  • Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
                  •  Want more granular control of device and user settings. 
                  • Have an existing AD DS infrastructure.
                  • Typically manage on-premises devices.
                  • Can manage a required setting only by using Group Policy. 
                    The advantages of this method include: 
                  • No cost beyond the AD DS infrastructure. 
                  • A larger number of settings (compared to Intune).
                    The disadvantages of this method are that it:
                  • Can only manage domain-joined (institution-owned devices).
                  • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                  • Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
                  •  Has rudimentary app management capabilities.
                  •  Cannot deploy Windows 10 operating systems.|
+|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                    Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
                    Select this method when you:
                  •  Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                  • Don’t need granular control over device and user settings (compared to Group Policy).
                  • Don’t have an existing AD DS infrastructure.
                  • Need to manage devices regardless of where they are (on or off premises).
                  • Want to provide application management for the entire application life cycle.
                  • Can manage a required setting only by using Intune.
                    The advantages of this method are that:
                  • You can manage institution-owned and personal devices.
                  • It doesn’t require that devices be domain joined.
                  • It doesn’t require any on-premises infrastructure.
                  • It can manage devices regardless of their location (on or off premises).
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Intune subscription licenses.
                  • Doesn’t offer granular control over device and user settings (compared to Group Policy).
                  • Cannot deploy Windows 10 operating systems.|
 
 *Table 4. Configuration setting management methods*
 
@@ -410,114 +269,11 @@ For a district, there are many ways to manage apps and software updates. Table 6
 
 Use the information in Table 6 to determine which combination of app and update management products is right for your district.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    SelectionManagement method
                    Microsoft Endpoint Configuration Manager
                    Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.

                    Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications.

                    Select this method when you:
                    
-
                      
-
                    • Selected Configuration Manager to deploy Windows 10.
                      • 
-
                    • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                      • 
-
                    • Want to manage AD DS domain-joined devices.
                      • 
-
                    • Have an existing AD DS infrastructure.
                      • 
-
                    • Typically manage on-premises devices.
                      • 
-
                    • Want to deploy operating systems.
                      • 
-
                    • Want to provide application management for the entire application life cycle.
                      • 
-
                    
-
-
                    The advantages of this method are that:
                    
-
                      
-
                    • You can deploy Windows 10 operating systems.
                      • 
-
                    • You can manage applications throughout the entire application life cycle.
                      • 
-
                    • You can manage software updates for Windows 10 and apps.
                      • 
-
                    • You can manage antivirus and malware protection.
                      • 
-
                    • It scales to large numbers of users and devices.
                      • 
-
                    
-
                    The disadvantages of this method are that it:
                    
-
                      
-
                    • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                      • 
-
                    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                      • 
-
                    • Can only manage domain-joined (institution-owned devices).
                      • 
-
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                      • 
-
                    • Typically manages on-premises devices (unless devices through VPN or DirectAccess).
                      • 
-
                    
-
                    Intune
                    Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.

                    
-Select this method when you:
                    
-
                      
-
                    • Selected MDT only to deploy Windows 10.
                      • 
-
                    • Want to manage institution-owned and personal devices that are not domain joined.
                      • 
-
                    • Want to manage Azure AD domain-joined devices.
                      • 
-
                    • Need to manage devices regardless of where they are (on or off premises).
                      • 
-
                    • Want to provide application management for the entire application life cycle.
                      • 
-
                    
-
                    The advantages of this method are that:
                    
-
                      
-
                    • You can manage institution-owned and personal devices.
                      • 
-
                    • It doesn’t require that devices be domain joined.
                      • 
-
                    • It doesn’t require on-premises infrastructure.
                      • 
-
                    • It can manage devices regardless of their location (on or off premises).
                      • 
-
                    • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
                      • 
-
                    
-
                    The disadvantages of this method are that it:
                    
-
                      
-
                    • Carries an additional cost for Intune subscription licenses.
                      • 
-
                    • Cannot deploy Windows 10 operating systems.
                      • 
-
                    
-
                    Microsoft Endpoint Manager and Intune (hybrid)
                    Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.

                    
-Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.

                    
-Select this method when you:
                    
-
                      
-
                    • Selected Microsoft Endpoint Manager to deploy Windows 10.
                      • 
-
                    • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                      • 
-
                    • Want to manage domain-joined devices.
                      • 
-
                    • Want to manage Azure AD domain-joined devices.
                      • 
-
                    • Have an existing AD DS infrastructure.
                      • 
-
                    • Want to manage devices regardless of their connectivity.
                      • 
-
                    • Want to deploy operating systems.
                      • 
-
                    • Want to provide application management for the entire application life cycle.
                      • 
-
                    
-
                    The advantages of this method are that:
                    
-
                      
-
                    • You can deploy operating systems.
                      • 
-
                    • You can manage applications throughout the entire application life cycle.
                      • 
-
                    • You can scale to large numbers of users and devices.
                      • 
-
                    • You can support institution-owned and personal devices.
                      • 
-
                    • It doesn’t require that devices be domain joined.
                      • 
-
                    • It can manage devices regardless of their location (on or off premises).
                      • 
-
                    
-
                    The disadvantages of this method are that it:
                    
-
                      
-
                    • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                      • 
-
                    • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                      • 
-
                    • Carries an additional cost for Intune subscription licenses.
                      • 
-
                    • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                      • 
-
                    
-
                    
+|Selection|Management method|
+|--- |--- |
+|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:
                  • Selected Configuration Manager to deploy Windows 10.
                  • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
                  • Want to manage AD DS domain-joined devices.
                  • Have an existing AD DS infrastructure.
                  • Typically manage on-premises devices.
                  • Want to deploy operating systems.
                  • Want to provide application management for the entire application life cycle.
                    The advantages of this method are that:
                  • You can deploy Windows 10 operating systems.
                  • You can manage applications throughout the entire application life cycle.
                  • You can manage software updates for Windows 10 and apps.
                  • You can manage antivirus and malware protection.
                  • It scales to large numbers of users and devices.
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                  • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                  • Can only manage domain-joined (institution-owned devices).
                  • Requires an AD DS infrastructure (if the institution does not have AD DS already).
                  • Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
+|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
                    Select this method when you:
                  • Selected MDT only to deploy Windows 10.
                  • Want to manage institution-owned and personal devices that are not domain joined.
                  • Want to manage Azure AD domain-joined devices.
                  • Need to manage devices regardless of where they are (on or off premises).
                  • Want to provide application management for the entire application life cycle.
                    The advantages of this method are that:
                  • You can manage institution-owned and personal devices.
                  • It doesn’t require that devices be domain joined.
                  • It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
                  • You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Intune subscription licenses.
                  • Cannot deploy Windows 10 operating systems.|
+|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
                    Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices. 
                    Select this method when you:
                  • Selected Microsoft Endpoint Manager to deploy Windows 10.
                  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
                  • Want to manage domain-joined devices.
                  • Want to manage Azure AD domain-joined devices.
                  • Have an existing AD DS infrastructure.
                  • Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
                  • Want to provide application management for the entire application life cycle.
                    The advantages of this method are that:
                  • You can deploy operating systems.
                  • You can manage applications throughout the entire application life cycle.
                  • You can scale to large numbers of users and devices.
                  • You can support institution-owned and personal devices.
                  • It doesn’t require that devices be domain joined.
                  • It can manage devices regardless of their location (on or off premises).
                    The disadvantages of this method are that it:
                  • Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
                  • Carries an additional cost for Windows Server licenses and the corresponding server hardware.
                  • Carries an additional cost for Intune subscription licenses.
                  • Requires an AD DS infrastructure (if the institution does not have AD DS already).|
 
 *Table 6. App and update management products*
 
@@ -1082,64 +838,11 @@ This guide discusses thick image deployment. For information about thin image de
 
 ### Select a method to initiate deployment
 The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution.
-
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    MethodDescription and reason to select this method
                    Windows Deployment Services
                    This method:
                    
-
                      
-
                    • Uses diskless booting to initiate LTI and ZTI deployments.
                      • 
-
                    • Works only with devices that support PXE boot.
                      • 
-
                    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                      • 
-
                    • Deploys images more slowly than when you use local media.
                      • 
-
                    • Requires that you deploy a Windows Deployment Services server.
                      • 
-
                    
-
                    Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
-
                    Bootable media
                    This method:
                    
-
                      
-
                    • Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
                      • 
-
                    • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                      • 
-
                    • Deploys images more slowly than when using local media.
                      • 
-
                    • Requires no additional infrastructure.
                      • 
-
                    
-
                    Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
-
                    Deployment media
                    This method:
                    
-
                      
-
                    • Initiates LTI or ZTI deployment by booting from a local USB hard disk.
                      • 
-
                    • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
                      • 
-
                    • Deploys images more quickly than network-based methods do.
                      • 
-
                    • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
                      • 
-
                    
-
                    Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk.
-
                    
+|Method|Description and reason to select this method|
+|--- |--- |
+|Windows Deployment Services|This method:
                  • Uses diskless booting to initiate LTI and ZTI deployments.
                  • Works only with devices that support PXE boot.
                  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                  • Deploys images more slowly than when you use local media.
                  • Requires that you deploy a Windows Deployment Services server.

                    Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.|
+|Bootable media|This method:
                  • Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
                  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                  • Deploys images more slowly than when using local media.
                  • Requires no additional infrastructure.
                     
                    Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.|
+|Deployment media|This method:
                  • Initiates LTI or ZTI deployment by booting from a local USB hard disk.
                  • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
                  • Deploys images more quickly than network-based methods do.
                  • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
                     
                    Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk.
 
 *Table 15. Methods to initiate LTI and ZTI deployments*
 
@@ -1153,92 +856,14 @@ Before you can deploy Windows 10 and your apps to devices, you need to prepare y
 ### Configure the MDT deployment share
 
 The first step in preparing for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 16 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 16.
-
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    TaskDescription
                    1. Import operating systemsImport the operating systems that you selected in the Select the operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench.
                    2. Import device driversDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

                    
-Import device drivers for each device in your institution. For more information about how to import device drivers, see Import Device Drivers into the Deployment Workbench.
-
                    3. Create MDT applications for Microsoft Store appsCreate an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

                    
-
                    Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
                    
-
                      
-
                    • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
                      • 
-
                    • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.
                      • 
-
                    
-
                    If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

                    
-If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using Microsoft Endpoint Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

                    
-In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:

                    
-
-
-
                    4. Create MDT applications for Windows desktop appsYou need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

                    
-To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool.

                    
-If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.
-

                    
-Note  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section.
-
-For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).
-
-
                    5. Create task sequences
                    You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
                    
-
                      
-
                    • Deploy 64-bit Windows 10 Education to devices.
                      • 
-
                    • Deploy 32-bit Windows 10 Education to devices.
                      • 
-
                    • Upgrade existing devices to 64-bit Windows 10 Education.
                      • 
-
                    • Upgrade existing devices to 32-bit Windows 10 Education.
                      • 
-
                    
-
                    Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see Create a New Task Sequence in the Deployment Workbench.
-
-
                    6. Update the deployment shareUpdating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

                    
-For more information about how to update a deployment share, see Update a Deployment Share in the Deployment Workbench.
-
-
                    
+|Task|Description|
+|--- |--- |
+|1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
+|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
                    Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
+|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
                    Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
                  • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
                  • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.
                     
                     If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
                    If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
                    In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
                  • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
                  • Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).|
+|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
                    To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
                     If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
                    This is the preferred method for deploying and managing Windows desktop apps.
                    **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) 
                    For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).|
+|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
                  • Deploy 64-bit Windows 10 Education to devices.
                  • Deploy 32-bit Windows 10 Education to devices.
                  • Upgrade existing devices to 64-bit Windows 10 Education.
                  • Upgrade existing devices to 32-bit Windows 10 Education.
                     
                    Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).|
+|6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
                    For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).|
 
 *Table 16. Tasks to configure the MDT deployment share*
 
@@ -1430,116 +1055,20 @@ Microsoft has several recommended settings for educational institutions. Table 1
 
 Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+|Recommendation|Description|
+|--- |--- |
+|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
                    **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices. 
                    **Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
                    ****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.|
+|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
                    **Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item. 
                    **Intune**. Not available.|
+|Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.
                     **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).
                     **Intune**. Not available.|
+|Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
                    **Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?
                    **Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.|
+|Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
                    **Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
                    **Intune**. Not available.|
+|Use of camera|A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.
                    **Group policy**. Not available.
                    **Intune**. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy.|
+|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
                    **Group policy**. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).
                    **Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.|
+|Use of screen capture|Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.
                    **Group policy**. Not available.
                    **Intune**. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy.|
+|Use of location services|Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.
                    **Group policy**. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.
                    **Intune**. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy.|
+|Changing wallpaper|Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.
                    **Group policy**. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.
                    **Intune**. Not available.|
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    RecommendationDescription
                    Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

                    
-
-**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

                    
-**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.

                    
-**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
-
-
                    Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

                    
-Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.

                    
-Intune. Not available.
-
-
                    Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.

                    
-Group Policy. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.

                    
-Intune. Not available.
-
-
                    Control Microsoft Store accessYou can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

                    
-Group Policy. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.

                    
-Intune. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.
-
-
                    Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

                    
-Group Policy. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

                    
-Intune. Not available.
-
-
                    Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

                    
-Group Policy. Not available.

                    
-Intune. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy.
-
-
                    Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

                    
-Group Policy. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in Editing an AppLocker Policy and Create Your AppLocker Policies.

                    
-Intune. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.
-
-
                    Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

                    
-Group Policy. Not available.

                    
-Intune. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy.
-
-
                    Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

                    
-Group Policy. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.

                    
-Intune. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy.
-
-
                    Changing wallpaperCustom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.

                    
-Group Policy. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.

                    
-Intune. Not available.
-
-
                    
 
                    
 Table 17. Recommended settings for educational institutions
 
@@ -1718,206 +1247,23 @@ After the initial deployment, you need to perform certain tasks to maintain the
 - **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration.
 
 Table 19 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks.
-
-
------
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    





                    Task and resourcesMonthlyNew semester or academic yearAs required
                    Verify that Windows Update is active and current with operating system and software updates.

                    
-For more information about completing this task when you have:
-
-                    		xxx
                    Verify that Windows Defender is active and current with malware Security intelligence.

                    
-For more information about completing this task, see Turn Windows Defender on or off and Updating Windows Defender.
-                    		xxx
                    Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

                    
-For more information about completing this task, see the “How do I find and remove a virus?” topic in Protect my PC from viruses.
-                    		xxx
                    Download and approve updates for Windows 10, apps, device driver, and other software.

                    
-For more information, see:
-
-                    		xxx
                    Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

                    
-For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options.
-                    		xx
                    Refresh the operating system and apps on devices.

                    
-For more information about completing this task, see the following resources:
-
-                    		xx
                    Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.

                    
-For more information, see:
-
-                    		xx
                    Install new or update existing Microsoft Store apps used in the curriculum.

                    
-Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

                    
-You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. For more information, see:
-
-                    		xx
                    Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).

                    
-For more information about how to:
-
-                    		xx
                    Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).

                    
-For more information about how to:
-
-                    		xx
                    Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).

                    
-For more information about how to:
-
-                    		xx
                    Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).

                    
-For more information about how to:
-
-                    		xx
                    Create or modify security groups, and manage group membership in Office 365.

                    
-For more information about how to:
-
-                    		xx
                    Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

                    
-For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Create and manage distribution groups and Create, edit, or delete a security group.
-                    		xx
                    Install new student devices.

                    
-Follow the same steps you followed in the Deploy Windows 10 to devices section.
-                    		x
                    
-
                    
+|Task and resources|Monthly|New semester or academic year|As required|
+|--- |--- |--- |--- |
+|Verify that Windows Update is active and current with operating system and software updates.
                    For more information about completing this task when you have:
                  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
                  • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
                  • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
                    Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|x|x|x|
+|Verify that Windows Defender is active and current with malware Security intelligence.
                    For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|x|x|x|
+|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
                    For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|x|x|x|
+|Download and approve updates for Windows 10, apps, device driver, and other software.
                    For more information, see:
                  • [Manage updates by using Intune](#manage-updates-by-using-intune)
                  • [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|x|x|x|
+|Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
                    For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||x|x|
+|Refresh the operating system and apps on devices.
                    For more information about completing this task, see the following resources:
                  • [Prepare for deployment](#prepare-for-deployment)
                  • [Capture the reference image](#capture-the-reference-image)
                  • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||x|x|
+|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||x|x|
+|Install new or update existing Microsoft Store apps used in the curriculum.
                    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
                    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. 
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  •  [Deploy and manage apps by using Microsoft Endpoint Configuration Manager]((#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager))||x|x|
+|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) 
                  • Remove licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x|
+|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
                  • Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x|
+|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e)
                  •  Remove licenses, [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).||x|x|
+|Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
                  • Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).||x|x|
+|Create or modify security groups, and manage group membership in Office 365.
                    For more information about how to:
                  • Create or modify security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US)
                  • Manage group membership, see [Manage Group membership in the admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).||x|x|
+|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
                    For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and[Create, edit, or delete a security group](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB).||x|x|
+|Install new student devices.
                     Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||x|
 
 *Table 19. School and individual classroom maintenance tasks, with resources and the schedule for performing them*
 
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index b3eed6f968..82ea8add54 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -164,184 +164,164 @@ For more information, see [Manage settings in the Store for Business](manage-set
 Store for Business and Education is currently available in these markets.
 
 ### Support for free and paid products
-
-   
-        
-   
-   
-     
-     
-     
-    
-   
-
                    Supports all free and paid products
                    
-        
                      
-            
                    • Afghanistan
                      • 
-            
                    • Algeria
                      • 
-            
                    • Andorra
                      • 
-            
                    • Angola
                      • 
-            
                    • Anguilla
                      • 
-            
                    • Antigua and Barbuda
                      • 
-            
                    • Argentina
                      • 
-            
                    • Australia
                      • 
-            
                    • Austria
                      • 
-            
                    • Bahamas
                      • 
-            
                    • Bahrain
                      • 
-            
                    • Bangladesh
                      • 
-            
                    • Barbados
                      • 
-            
                    • Belgium
                      • 
-            
                    • Belize
                      • 
-            
                    • Bermuda
                      • 
-            
                    • Benin
                      • 
-            
                    • Bhutan
                      • 
-            
                    • Bolivia
                      • 
-            
                    • Bonaire
                      • 
-            
                    • Botswana
                      • 
-            
                    • Brunei Darussalam
                      • 
-            
                    • Bulgaria
                      • 
-            
                    • Burundi
                      • 
-            
                    • Cambodia
                      • 
-            
                    • Cameroon
                      • 
-            
                    • Canada
                      • 
-            
                    • Cayman Islands
                      • 
-            
                    • Chile
                      • 
-            
                    • Colombia
                      • 
-            
                    • Comoros
                      • 
-            
                    • Costa Rica
                      • 
-            
                    • Côte D'ivoire
                      • 
-            
                    • Croatia
                      • 
-            
                    • Curçao
                      • 
-            
                    • Cyprus
                      • 
-            
                    • Czech Republic
                      • 
-            
                    • Denmark
                      • 
-            
                    • Dominican Republic
                      • 
-            
                    • Ecuador
                      • 
-        
                    
-                         		
-        
                       
-            
                    • Egypt
                      • 
-            
                    • El Salvador
                      • 
-            
                    • Estonia
                      • 
-            
                    • Ethiopia
                      • 
-            
                    • Faroe Islands
                      • 
-            
                    • Fiji
                      • 
-            
                    • Finland
                      • 
-            
                    • France
                      • 
-            
                    • French Guiana
                      • 
-            
                    • French Polynesia
                      • 
-            
                    • Germany
                      • 
-            
                    • Ghana
                      • 
-            
                    • Greece
                      • 
-            
                    • Greenland
                      • 
-            
                    • Guadeloupe
                      • 
-            
                    • Guatemala
                      • 
-            
                    • Honduras
                      • 
-            
                    • Hong Kong SAR
                      • 
-            
                    • Hungary
                      • 
-            
                    • Iceland
                      • 
-            
                    • Indonesia
                      • 
-            
                    • Iraq
                      • 
-            
                    • Ireland
                      • 
-            
                    • Israel
                      • 
-            
                    • Italy
                      • 
-            
                    • Jamaica
                      • 
-            
                    • Japan
                      • 
-            
                    • Jersey
                      • 
-            
                    • Jordan
                      • 
-            
                    • Kenya
                      • 
-            
                    • Kuwait
                      • 
-            
                    • Laos
                      • 
-            
                    • Latvia
                      • 
-            
                    • Lebanon
                      • 
-            
                    • Libya
                      • 
-            
                    • Liechtenstein
                      • 
-            
                    • Lithuania
                      • 
-            
                    • Luxembourg
                      • 
-            
                    • Macedonia
                      • 
-            
                    • Madagascar
                      • 
-        
                    
-                        		
-        
                      
-            
                    • Malawi
                      • 
-            
                    • Malaysia
                      • 
-            
                    • Maldives
                      • 
-            
                    • Mali
                      • 
-            
                    • Malta
                      • 
-            
                    • Marshall Islands
                      • 
-            
                    • Martinique
                      • 
-            
                    • Mauritius
                      • 
-            
                    • Mayotte
                      • 
-            
                    • Mexico
                      • 
-            
                    • Mongolia
                      • 
-            
                    • Montenegro
                      • 
-            
                    • Morocco
                      • 
-            
                    • Mozambique
                      • 
-            
                    • Myanamar
                      • 
-            
                    • Namibia
                      • 
-            
                    • Nepal
                      • 
-            
                    • Netherlands
                      • 
-            
                    • New Caledonia
                      • 
-            
                    • New Zealand
                      • 
-            
                    • Nicaragua
                      • 
-            
                    • Nigeria
                      • 
-            
                    • Norway
                      • 
-            
                    • Oman
                      • 
-            
                    • Pakistan
                      • 
-            
                    • Palestinian Authority
                      • 
-            
                    • Panama
                      • 
-            
                    • Papua New Guinea
                      • 
-            
                    • Paraguay
                      • 
-            
                    • Peru
                      • 
-            
                    • Philippines
                      • 
-            
                    • Poland
                      • 
-            
                    • Portugal
                      • 
-            
                    • Qatar
                      • 
-            
                    • Republic of Cabo Verde
                      • 
-            
                    • Reunion
                      • 
-            
                    • Romania
                      • 
-            
                    • Rwanda
                      • 
-            
                    • Saint Kitts and Nevis
                      •  
-        
                    
-                        		
-        
                      
-            
                    • Saint Lucia
                      • 
-            
                    • Saint Martin
                      • 
-            
                    • Saint Vincent and the Grenadines
                      • 
-            
                    • San marino
                      • 
-            
                    • Saudi Arabia
                      • 
-            
                    • Senegal
                      • 
-            
                    • Serbia
                      • 
-            
                    • Seychelles
                      • 
-            
                    • Singapore
                      • 
-            
                    • Sint Maarten
                      • 
-            
                    • Slovakia
                      • 
-            
                    • Slovenia
                      • 
-            
                    • South Africa
                      • 
-            
                    • Spain
                      • 
-            
                    • Sri Lanka
                      • 
-            
                    • Suriname
                      • 
-            
                    • Sweden
                      • 
-            
                    • Switzerland
                      • 
-            
                    • Tanzania
                      • 
-            
                    • Thailand
                      • 
-            
                    • Timor-Leste
                      • 
-            
                    • Togo
                      • 
-            
                    • Tonga
                      • 
-            
                    • Trinidad and Tobago
                      • 
-            
                    • Tunisia
                      • 
-            
                    • Turkey
                      • 
-            
                    • Turks and Caicos Islands
                      • 
-            
                    • Uganda
                      • 
-            
                    • United Arab Emirates
                      • 
-            
                    • United Kingdom
                      • 
-            
                    • United States
                      • 
-            
                    • Uruguay
                      • 
-            
                    • Vatican City
                      • 
-            
                    • Viet Nam
                      • 
-            
                    • Virgin Islands, U.S.
                      • 
-            
                    • Zambia
                      • 
-            
                    • Zimbabwe
                         

                      •         
                    
-    
                    
+
+- Afghanistan
+- Algeria
+- Andorra
+- Angola
+- Anguilla
+- Antigua and Barbuda
+- Argentina
+- Australia
+- Austria
+- Bahamas
+- Bahrain
+- Bangladesh
+- Barbados
+- Belgium
+- Belize
+- Bermuda
+- Benin
+- Bhutan
+- Bolivia
+- Bonaire
+- Botswana
+- Brunei Darussalam
+- Bulgaria
+- Burundi
+- Cambodia
+- Cameroon
+- Canada
+- Cayman Islands
+- Chile
+- Colombia
+- Comoros
+- Costa Rica
+- Côte D'ivoire
+- Croatia
+- Curçao
+- Cyprus
+- Czech Republic
+- Denmark
+- Dominican Republic
+- Ecuador
+- Egypt
+- El Salvador
+- Estonia
+- Ethiopia
+- Faroe Islands
+- Fiji
+- Finland
+- France
+- French Guiana
+- French Polynesia
+- Germany
+- Ghana
+- Greece
+- Greenland
+- Guadeloupe
+- Guatemala
+- Honduras
+- Hong Kong SAR
+- Hungary
+- Iceland
+- Indonesia
+- Iraq
+- Ireland
+- Israel
+- Italy
+- Jamaica
+- Japan
+- Jersey
+- Jordan
+- Kenya
+- Kuwait
+- Laos
+- Latvia
+- Lebanon
+- Libya
+- Liechtenstein
+- Lithuania
+- Luxembourg
+- Macedonia
+- Madagascar
+- Malawi
+- Malaysia
+- Maldives
+- Mali
+- Malta
+- Marshall Islands
+- Martinique
+- Mauritius
+- Mayotte
+- Mexico
+- Mongolia
+- Montenegro
+- Morocco
+- Mozambique
+- Myanamar
+- Namibia
+- Nepal
+- Netherlands
+- New Caledonia
+- New Zealand
+- Nicaragua
+- Nigeria
+- Norway
+- Oman
+- Pakistan
+- Palestinian Authority
+- Panama
+- Papua New Guinea
+- Paraguay
+- Peru
+- Philippines
+- Poland
+- Portugal
+- Qatar
+- Republic of Cabo Verde
+- Reunion
+- Romania
+- Rwanda
+- Saint Kitts and Nevis
+- Saint Lucia
+- Saint Martin
+- Saint Vincent and the Grenadines
+- San marino
+- Saudi Arabia
+- Senegal
+- Serbia
+- Seychelles
+- Singapore
+- Sint Maarten
+- Slovakia
+- Slovenia
+- South Africa
+- Spain
+- Sri Lanka
+- Suriname
+- Sweden
+- Switzerland
+- Tanzania
+- Thailand
+- Timor-Leste
+- Togo
+- Tonga
+- Trinidad and Tobago
+- Tunisia
+- Turkey
+- Turks and Caicos Islands
+- Uganda
+- United Arab Emirates
+- United Kingdom
+- United States
+- Uruguay
+- Vatican City
+- Viet Nam
+- Virgin Islands, U.S.
+- Zambia
+- Zimbabwe
+
 
 ### Support for free apps
 Customers in these markets can use Microsoft Store for Business and Education to acquire free apps:
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index 3983d8787c..0bfd675b91 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -24,56 +24,15 @@ Use the following procedure to configure the App-V for reporting.
 
 2. After you have enabled the App-V client, use the **Set-AppvClientConfiguration** cmdlet to configure appropriate Reporting Configuration settings:
 
-   
-   -   -   -   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
-   
                    



                    SettingDescription
                    ReportingEnabled
                    Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.
                    ReportingServerURL
                    Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>.
                    
-   
                    
-   Note
                    This is the port number that was assigned during the Reporting Server setup
                    
-   
                    
-   
                    
-
-   
                    Reporting Start Time
                    This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.
                    ReportingRandomDelay
                    Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.
                    ReportingInterval
                    Specifies the retry interval that the client will use to resend data to the reporting server.
                    ReportingDataCacheLimit
                    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.
                    ReportingDataBlockSize
                    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.
                    
-
-
+|Setting|Description|
+|--- |--- |
+|ReportingEnabled|Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.|
+|ReportingServerURL|Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>.
                     **Note:** 
                    This is the port number that was assigned during the Reporting Server setup|
+|Reporting Start Time|This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.|
+|ReportingRandomDelay|Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.|
+|ReportingInterval|Specifies the retry interval that the client will use to resend data to the reporting server.|
+|ReportingDataCacheLimit|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.|
+|ReportingDataBlockSize|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.|
 
 3. After the appropriate settings have been configured, the computer running the App-V client will automatically collect data and will send the data back to the reporting server.
 
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 88a684ce46..1582199d12 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -69,28 +69,10 @@ This topic explains the following procedures:
 
 2.  Use the following cmdlets, and add the optional **–UserSID** parameter, where **-UserSID** represents the end user’s security identifier (SID):
 
-    
-    -    -    -    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
                    



                    CmdletExamples
                    Enable-AppVClientConnectionGroup
                    Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345
                    Disable-AppVClientConnectionGroup
                    Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345
                    
+|Cmdlet|Examples|
+|--- |--- |
+|Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
+|Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
 
 ## To allow only administrators to enable connection groups
 
@@ -102,33 +84,9 @@ This topic explains the following procedures:
 
 2.  Run the following cmdlet and parameter:
 
-    
-    -    -    -    -    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
-    
                    




                    CmdletParameter and valuesExample
                    Set-AppvClientConfiguration
                    -RequirePublishAsAdmin
                    
-    
                      
-    
                    • 0 - False
                      • 
-    
                    • 1 - True
                      • 
-    
                    Set-AppvClientConfiguration -RequirePublishAsAdmin 1
                    
-
- 
+|Cmdlet|Parameter and values|Example|
+|--- |--- |--- |
+|Set-AppvClientConfiguration|-RequirePublishAsAdmin
                  • 0 - False
                  • 1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin
                    1|
 
 
                    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
 
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index bfbd7fe594..e51947b121 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -23,51 +23,16 @@ Connection groups enable the applications within a package to interact with each
 In some previous versions of App-V, connection groups were referred to as Dynamic Suite Composition.
 
 **In this section:**
-
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    About the Connection Group Virtual Environment
                    Describes the connection group virtual environment.
                    About the Connection Group File
                    Describes the connection group file.
                    How to Create a Connection Group
                    Explains how to create a new connection group.
                    How to Create a Connection Group with User-Published and Globally Published Packages
                    Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.
                    How to Delete a Connection Group
                    Explains how to delete a connection group.
                    How to Publish a Connection Group
                    Explains how to publish a connection group.
                    How to Make a Connection Group Ignore the Package Version
                    Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.
                    How to Allow Only Administrators to Enable Connection Groups
                    Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.
                    
-
- 
-
-
-
+|||
+|--- |--- |
+|[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.|
+|[About the Connection Group File](appv-connection-group-file.md)|Describes the connection group file.|
+|[How to Create a Connection Group](appv-create-a-connection-group.md)|Explains how to create a new connection group.|
+|[How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)|Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.|
+|[How to Delete a Connection Group](appv-delete-a-connection-group.md)|Explains how to delete a connection group.|
+|[How to Publish a Connection Group](appv-publish-a-connection-group.md)|Explains how to publish a connection group.|
+|[How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)|Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.|
+[How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)|Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.|
 
 
                    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
 
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index 894d080a23..7d268f0f29 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -26,35 +26,9 @@ You can now use the package converter to convert App-V 4.6 packages that contain
 
 You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom-AppvLegacyPackage` cmdlet to specify which .osd files’ information is converted and placed within the new package.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    New in App-V for Windows clientPrior to App-V for Windows 10
                    New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:
                    
-
                      
-
                    • environment variables
                      • 
-
                    • shortcuts
                      • 
-
                    • file type associations
                      • 
-
                    • registry information
                      • 
-
                    • scripts
                      • 
-
                    
-
                    You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.
                    Registry information and scripts included in .osd files associated with a package were not included in package converter output.
                    
-
                    The package converter would populate the new package with information from all of the .osd files in the source directory.
                    
-
- 
+|New in App-V for Windows client|Prior to App-V for Windows 10|
+|--- |--- |
+|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:
                  • environment variables
                  • shortcuts
                  • file type associations
                  • registry information
                  • scripts
                     
                    You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package were not included in package converter output.
                     
                    The package converter would populate the new package with information from all of the .osd files in the source directory.|
 
 ### Example conversion statement
 
@@ -102,65 +76,10 @@ ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\
 
 **In the above example:**
 
-
------
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    





                    These Source directory files……are converted to these Destination directory files……and will contain these itemsDescription
                      
-
                    • X.osd
                      • 
-
                    • Y.osd
                      • 
-
                    • Z.osd
                      • 
-
                      
-
                    • X_Config.xml
                      • 
-
                    • Y_Config.xml
                      • 
-
                    • Z_Config.xml
                      • 
-
                      
-
                    • Environment variables
                      • 
-
                    • Shortcuts
                      • 
-
                    • File type associations
                      • 
-
                    • Registry information
                      • 
-
                    • Scripts
                      • 
-
                    Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
                    
-
                    In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.
                      
-
                    • X.osd
                      • 
-
                    • Y.osd
                      • 
-
                      
-
                    • ContosoApp.appv
                      • 
-
                    • ContosoApp_DeploymentConfig.xml
                      • 
-
                    • ContosoApp_UserConfig.xml
                      • 
-
                      
-
                    • Environment variables
                      • 
-
                    • Shortcuts
                      • 
-
                    • File type associations
                      • 
-
                    The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
                    
-
                    In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.
                    
-
- 
+|These Source directory files…|…are converted to these Destination directory files…|…and will contain these items|Description|
+|--- |--- |--- |--- |
+|
                  • X.osd
                  • Y.osd
                  • Z.osd|
                  • X_Config.xml
                  • Y_Config.xml
                  • Z_Config.xml|
                  • Environment variables:
                  • Shortcuts
                  • File type associations
                  • Registry information
                  • Scripts|Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
                    In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.|
+|
                  • X.osd
                  • Y.osd|
                  • ContosoApp.appv 
                  • ContosoApp_DeploymentConfig.xml  
                  • ContosoApp_UserConfig.xml|
                  • Environment variables
                  • Shortcuts
                  • File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
                    In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.|
 
 ## Converting packages created using a prior version of App-V
 
@@ -175,34 +94,11 @@ After you convert an existing package you should test the package prior to deplo
 
 **What to know before you convert existing packages**
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    IssueWorkaround
                    Virtual packages using DSC are not linked after conversion.
                    Link the packages using connection groups. See Managing Connection Groups.
                    Environment variable conflicts are detected during conversion.
                    Resolve any conflicts in the associated .osd file.
                    Hard-coded paths are detected during conversion.
                    Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.
                    
-
- 
+|Issue|Workaround|
+|--- |--- |
+|Virtual packages using DSC are not linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).|
+|Environment variable conflicts are detected during conversion.|Resolve any conflicts in the associated **.osd** file.|
+|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.|
 
 When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path.
 
@@ -218,39 +114,12 @@ If a converted package does not open after you convert it, it is also recommende
 
 There is no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    TaskMore Information
                    Review prerequisites.
                    App-V Server prerequisite software.
                    Enable the App-V client.
                    Enable the App-V desktop client.
                    Install App-V Server.
                    How to Deploy the App-V Server.
                    Migrate existing packages.
                    See Converting packages created using a prior version of App-V earlier in this topic.
                    
-
-
-
+|Task|More Information|
+|--- |--- |
+|Review prerequisites.|[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)|
+|Enable the App-V client.|[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)|
+|Install App-V Server.|[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)|
+|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this topic.|
 
 
                    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
 

From 108c5724c5fd6d26532eafbad120bf75d92bca4a Mon Sep 17 00:00:00 2001
From: Meghana Athavale 
Date: Tue, 9 Nov 2021 16:49:19 +0530
Subject: [PATCH 023/104] review changes

---
 windows/configuration/wcd/wcd-connections.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index ac13c5b95d..5c59173b68 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -20,7 +20,7 @@ Use to configure settings related to various types of phone connections.
 ## Applies to
 
 | Setting groups  | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
+| --- | :---: | :---: | :---: | :---: | 
 | All settings  | ✔️ | ✔️ |  |  |
 
 

From 52274168c542308b214134e4ecae7f569272ca5b Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi 
Date: Tue, 9 Nov 2021 16:55:31 +0530
Subject: [PATCH 024/104] Suggestions and fixes

---
 .../enterprise-mode-schema-version-1-guidance.md               | 3 ++-
 .../enterprise-mode-schema-version-2-guidance.md               | 2 +-
 education/windows/deploy-windows-10-in-a-school-district.md    | 2 +-
 .../app-v/appv-managing-connection-groups.md                   | 1 +
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index adf856e767..606544f58d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -64,6 +64,7 @@ The following is an example of the Enterprise Mode schema v.1. This schema can r
 
 ### Schema elements
 This table includes the elements used by the Enterprise Mode schema.
+
 |Element |Description  |Supported browser  |
 |---------|---------|---------|
 |<rules>   | Root node for the schema.
                    **Example** 
                    <rules version="205"> 
                      <emie> 
                       <domain>contoso.com</domain> 
                      </emie>
                     </rules> |Internet Explorer 11 and Microsoft Edge         |
@@ -78,7 +79,7 @@ This table includes the attributes used by the Enterprise Mode schema.
 |Attribute|Description|Supported browser|
 |--- |--- |--- |
 |version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element.|Internet Explorer 11 and Microsoft Edge|
-|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the  and  elements.
                     **Example** 
                    <emie>
                      <domain exclude="false">fabrikam.com 
                        <path exclude="true">/products</path>
                      </domain>
                    </emie> 
                     Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
+|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
                     **Example** 
                    <emie>
                      <domain exclude="false">fabrikam.com 
                        <path exclude="true">/products</path>
                      </domain>
                    </emie> 
                     Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
 |docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
                     **Example**
                    <docMode> 
                      <domain exclude="false">fabrikam.com 
                        <path docMode="9">/products</path>
                      </domain>
                    </docMode>|Internet Explorer 11|
 |doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
                     **Example**
                    <emie>
                     <domain doNotTransition="false">fabrikam.com 
                       <path doNotTransition="true">/products</path>
                     </domain>
                    </emie>
                    Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge|
 |forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. 
                     **Example**
                    <emie>
                     <domain doNotTransition="false">fabrikam.com 
                       <path doNotTransition="true">/products</path>
                     </domain>
                    </emie>
                    Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11|
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index d9e6edd663..a90c4220a3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -109,7 +109,7 @@ The <url> attribute, as part of the <site> element in the v.2 versio
 
 |Attribute|Description|Supported browser|
 |---------|---------|---------|
-|allow-redirect|A boolean attribute of the  element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
                    **Example**
                    <site url="contoso.com/travel">
                      <open-in allow-redirect="true">IE11 </open-in>
                    </site>
                     In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. 
                  • | Internet Explorer 11 and Microsoft Edge|
+|allow-redirect|A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
                    **Example**
                    <site url="contoso.com/travel">
                      <open-in allow-redirect="true">IE11 </open-in>
                    </site>
                     In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. 
                  • | Internet Explorer 11 and Microsoft Edge|
 |version     |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element.   | Internet Explorer 11 and Microsoft Edge|
 |url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
                     **Note**
                     Make sure that you don't specify a protocol. Using <site url="contoso.com">  applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com). 
                     **Example**
                    <site url="contoso.com:8080">
                       <compat-mode>IE8Enterprise</compat-mode> 
                     <open-in>IE11</open-in>
                    </site>
                    In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
 
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 2572fe0140..0bff4be589 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -1256,7 +1256,7 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour
 |Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
                    For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||x|x|
 |Refresh the operating system and apps on devices.
                    For more information about completing this task, see the following resources:
                  • [Prepare for deployment](#prepare-for-deployment)
                  • [Capture the reference image](#capture-the-reference-image)
                  • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||x|x|
 |Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||x|x|
-|Install new or update existing Microsoft Store apps used in the curriculum.
                    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
                    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. 
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  •  [Deploy and manage apps by using Microsoft Endpoint Configuration Manager]((#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager))||x|x|
+|Install new or update existing Microsoft Store apps used in the curriculum.
                    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
                    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. 
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||x|x|
 |Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) 
                  • Remove licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x|
 |Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
                  • Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x|
 |Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e)
                  •  Remove licenses, [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).||x|x|
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index e51947b121..784f390319 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -23,6 +23,7 @@ Connection groups enable the applications within a package to interact with each
 In some previous versions of App-V, connection groups were referred to as Dynamic Suite Composition.
 
 **In this section:**
+
 |||
 |--- |--- |
 |[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.|

From 7893f3048614984037eb0aee6cb2027c094d347f Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi 
Date: Tue, 9 Nov 2021 17:01:44 +0530
Subject: [PATCH 025/104] Fixed suggestion

---
 .../app-v/appv-managing-connection-groups.md                    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index 784f390319..0f8cf76315 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -24,7 +24,7 @@ In some previous versions of App-V, connection groups were referred to as Dynami
 
 **In this section:**
 
-|||
+|Links|Description|
 |--- |--- |
 |[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.|
 |[About the Connection Group File](appv-connection-group-file.md)|Describes the connection group file.|

From 1b6e48eb727921568b53017ec167d343a1ee0034 Mon Sep 17 00:00:00 2001
From: Meghana Athavale 
Date: Tue, 9 Nov 2021 17:02:28 +0530
Subject: [PATCH 026/104] review changes

---
 windows/configuration/wcd/wcd-developersetup.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index 54acfa4e05..361aafb35e 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -19,7 +19,7 @@ Use to unlock developer mode on HoloLens devices and configure authentication to
 
 ## Applies to
 
-| Setting groups  | Windows client | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| Setting groups  | Windows client | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: |
 | [EnableDeveloperMode](#enabledevelopermode) |   |  | ✔️ |  |
 | [AuthenticationMode](#authenticationmode) |   |  | ✔️ |  |

From 08d1d63371827e50e75b826dbc74e59b254057a7 Mon Sep 17 00:00:00 2001
From: Meghana Athavale 
Date: Tue, 9 Nov 2021 17:36:03 +0530
Subject: [PATCH 027/104] self review changes

---
 windows/configuration/wcd/wcd-networkproxy.md | 2 +-
 windows/configuration/wcd/wcd-oobe.md         | 2 +-
 windows/configuration/wcd/wcd-policies.md     | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md
index 1208a335d7..957bc2abd1 100644
--- a/windows/configuration/wcd/wcd-networkproxy.md
+++ b/windows/configuration/wcd/wcd-networkproxy.md
@@ -18,7 +18,7 @@ Use for settings related to NetworkProxy.
 
 ## Applies to
 
-| Setting   | Windows client | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| Setting   | Windows client | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: |
 | All settings |   | ✔️ |  |  |
 
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index e7f5dac2de..23bd9ea316 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -19,7 +19,7 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](/windows-hardwa
 ## Applies to
 
 | Setting   | Windows client | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
+| --- | :---: | :---: | :---: | :---: | 
 | [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️  |  |  |  |
 | [Desktop > HideOobe](#hided) | ✔️  |  |  |  |
 | [Mobile > EnforceEnterpriseProvisioning](#nforce) |   |  |  |  |
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 9bb5dc2f45..5f2b24e7d5 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -43,12 +43,12 @@ This section describes the **Policies** settings that you can configure in [prov
 ## ApplicationManagement
 
 
-| Setting | Description | Windows client | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | 
 | [AllowAllTrustedApps](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | ✔️ |   |  | ✔️ |
 | [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate)  | Whether automatic update of apps from Microsoft Store is allowed  | ✔️  |   |   | ✔️ |
 | [AllowDeveloperUnlock](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock)  | Whether developer unlock of device is allowed  | ✔️  | ✔️  | ✔️  | ✔️ |
-| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr)  |Whether DVR and broadcasting is allowed   | ✔️  |  |   |   |  |
+| [AllowGameDVR](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr)  |Whether DVR and broadcasting is allowed   | ✔️  |  |   |   |  
 | [AllowSharedUserAppData](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata)  | Whether multiple users of the same app can share data  | ✔️  |   |   |  |
 | [AllowStore](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore)  | Whether app store is allowed at device  |   |    |   |  |
 | [ApplicationRestrictions](/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions)  | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc.  |   |   |  |  |

From 84c016bb73246d98e7f4322f67079af4f68a3733 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi 
Date: Tue, 9 Nov 2021 20:00:33 +0530
Subject: [PATCH 028/104] Fixing the space issue

---
 .../collect-data-using-enterprise-site-discovery.md           | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 488c893951..1d27b32519 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -205,24 +205,28 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you
 You can use both the WMI and XML settings individually or together:
 
 **To turn off Enterprise Site Discovery**
+
 |Setting name|Option|
 |--- |--- |
 |Turn on Site Discovery WMI output|Off|
 |Turn on Site Discovery XML output|Blank|
 
 **Turn on WMI recording only**
+
 |Setting name|Option|
 |--- |--- |
 |Turn on Site Discovery WMI output|On|
 |Turn on Site Discovery XML output|Blank|
 
 **To turn on XML recording only**
+
 |Setting name|Option|
 |--- |--- |
 |Turn on Site Discovery WMI output|Off|
 |Turn on Site Discovery XML output|XML file path|
  
 **To turn on both WMI and XML recording**
+
 |Setting name|Option|
 |--- |--- |
 |Turn on Site Discovery WMI output|On|

From 3542e8beb96bc0fd83e7c58bc959ddd7f1617516 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Tue, 9 Nov 2021 10:08:29 -0500
Subject: [PATCH 029/104] Replaced 'X's in table with green checks

---
 ...ct-data-using-enterprise-site-discovery.md | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 1d27b32519..8cef068687 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -63,17 +63,17 @@ Data is collected on the configuration characteristics of IE and the sites it br
 
 |Data point              |IE11 |IE10 |IE9  |IE8  |Description                                                             |
 |------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
-|URL                     |  X  |  X  |  X  |  X  |URL of the browsed site, including any parameters included in the URL.  |
-|Domain                  |  X  |  X  |  X  |  X  |Top-level domain of the browsed site.                                   |
-|ActiveX GUID            |  X  |  X  |  X  |  X  |GUID of the ActiveX controls loaded by the site.                        |
-|Document mode           |  X  |  X  |  X  |  X  |Document mode used by IE for a site, based on page characteristics.     |
-|Document mode reason    |  X  |  X  |     |     |The reason why a document mode was set by IE.                           |
-|Browser state reason    |  X  |  X  |     |     |Additional information about why the browser is in its current state. Also called, browser mode.           |
-|Hang count              |  X  |  X  |  X  |  X  |Number of visits to the URL when the browser hung.                      |
-|Crash count             |  X  |  X  |  X  |  X  |Number of visits to the URL when the browser crashed.                   |
-|Most recent navigation failure (and count) |  X  |  X  |  X  |  X  |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened.  |
-|Number of visits        |  X  |  X  |  X  |  X  |Number of times a site has been visited.                                |
-|Zone                    |  X  |  X  |  X  |  X  |Zone used by IE to browse sites, based on browser settings.             |
+|URL                     |  ✔️  |  ✔️  |  ✔️  |  ✔️  |URL of the browsed site, including any parameters included in the URL.  |
+|Domain                  |  ✔️  |  ✔️  |  ✔️  |  ✔️  |Top-level domain of the browsed site.                                   |
+|ActiveX GUID            |  ✔️  |  ✔️  |  ✔️  |  ✔️  |GUID of the ActiveX controls loaded by the site.                        |
+|Document mode           |  ✔️  |  ✔️  |  ✔️  |  ✔️  |Document mode used by IE for a site, based on page characteristics.     |
+|Document mode reason    |  ✔️  |  ✔️  |     |     |The reason why a document mode was set by IE.                           |
+|Browser state reason    |  ✔️  |  ✔️  |     |     |Additional information about why the browser is in its current state. Also called, browser mode.           |
+|Hang count              |  ✔️  |  ✔️  |  ✔️  |  ✔️  |Number of visits to the URL when the browser hung.                      |
+|Crash count             |  ✔️  |  ✔️  |  ✔️  |  ✔️  |Number of visits to the URL when the browser crashed.                   |
+|Most recent navigation failure (and count) |  ✔️  |  ✔️  |  ✔️  |  ✔️  |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened.  |
+|Number of visits        |  ✔️  |  ✔️  |  ✔️  |  ✔️  |Number of times a site has been visited.                                |
+|Zone                    |  ✔️  |  ✔️  |  ✔️  |  ✔️  |Zone used by IE to browse sites, based on browser settings.             |
 
 
 >**Important**
                    By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.

From ff56bb42494b29b0795774a369dd24b57d7cf526 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Tue, 9 Nov 2021 10:15:20 -0500
Subject: [PATCH 030/104] Replaced 'X's with checks

---
 .../windows/chromebook-migration-guide.md     | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index af0ea18ce1..a0e4bd59ee 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -356,12 +356,12 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid
 
 |If you plan to...|On-premises AD DS|Azure AD|Hybrid|
 |--- |--- |--- |--- |
-|Use Office 365||X|X|
-|Use Intune for management||X|X|
-|Use Microsoft Endpoint Manager for management|X||X|
-|Use Group Policy for management|X||X|
-|Have devices that are domain-joined|X||X|
-|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||X|X|
+|Use Office 365||✔️|✔️|
+|Use Intune for management||✔️|✔️|
+|Use Microsoft Endpoint Manager for management|✔️||✔️|
+|Use Group Policy for management|✔️||✔️|
+|Have devices that are domain-joined|✔️||✔️|
+|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️|
 
 ### 
 
@@ -377,15 +377,15 @@ Table 6. Device, user, and app management products and technologies
 
 |Desired feature|Windows provisioning packages|Group Policy|Configuration Manager|Intune|MDT|Windows Software Update Services|
 |--- |--- |--- |--- |--- |--- |--- |
-|Deploy operating system images|X||X||X||
-|Deploy apps during operating system deployment|X||X||X||
-|Deploy apps after operating system deployment|X|X|X||||
-|Deploy software updates during operating system deployment|||X||X||
-|Deploy software updates after operating system deployment|X|X|X|X||X|
-|Support devices that are domain-joined|X|X|X|X|X||
-|Support devices that are not domain-joined|X|||X|X||
-|Use on-premises resources|X|X|X||X||
-|Use cloud-based services||||X|||
+|Deploy operating system images|✔️||✔️||✔️||
+|Deploy apps during operating system deployment|✔️||✔️||✔️||
+|Deploy apps after operating system deployment|✔️|✔️|✔️||||
+|Deploy software updates during operating system deployment|||✔️||✔️||
+|Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️|
+|Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️||
+|Support devices that are not domain-joined|✔️|||✔️|✔️||
+|Use on-premises resources|✔️|✔️|✔️||✔️||
+|Use cloud-based services||||✔️|||
 
 You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution.
 

From 8cb8ff422acbea62c0ca47d61409e466dd4ce30c Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi 
Date: Tue, 9 Nov 2021 21:08:05 +0530
Subject: [PATCH 031/104] Fixing spaces!

---
 education/windows/chromebook-migration-guide.md             | 3 +++
 education/windows/deploy-windows-10-in-a-school-district.md | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index a0e4bd59ee..66569c4674 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -135,6 +135,7 @@ Table 2. Settings in the Device Management node in the Google Admin Console
 Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows.
 
 Table 3. Settings in the Security node in the Google Admin Console
+
 |Section|Settings|
 |--- |--- |
 |Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.
                     Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.|
@@ -463,6 +464,7 @@ It is important that you perform AD DS and Azure AD services deployment or remed
 In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both.
 
 Table 8. AD DS, Azure AD and deployment resources
+
 |Product or technology|Resources|
 |--- |--- |
 |AD DS| 
                  •  [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) 
                  • [Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))|
@@ -497,6 +499,7 @@ In the [Plan for app migration or replacement](#plan-app-migrate-replace) sectio
 In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.
 
 Table 10. Management systems and app deployment resources
+
 |Management system|Resources|
 |--- |--- |
 |Group Policy| 
                  •  [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) 
                  •  [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10)) 
                  •  [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))|
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 0bff4be589..63f897395a 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -838,6 +838,7 @@ This guide discusses thick image deployment. For information about thin image de
 
 ### Select a method to initiate deployment
 The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution.
+
 |Method|Description and reason to select this method|
 |--- |--- |
 |Windows Deployment Services|This method:
                  • Uses diskless booting to initiate LTI and ZTI deployments.
                  • Works only with devices that support PXE boot.
                  • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
                  • Deploys images more slowly than when you use local media.
                  • Requires that you deploy a Windows Deployment Services server.

                    Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.|
@@ -856,6 +857,7 @@ Before you can deploy Windows 10 and your apps to devices, you need to prepare y
 ### Configure the MDT deployment share
 
 The first step in preparing for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 16 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 16.
+
 |Task|Description|
 |--- |--- |
 |1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
@@ -1247,6 +1249,7 @@ After the initial deployment, you need to perform certain tasks to maintain the
 - **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration.
 
 Table 19 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks.
+
 |Task and resources|Monthly|New semester or academic year|As required|
 |--- |--- |--- |--- |
 |Verify that Windows Update is active and current with operating system and software updates.
                    For more information about completing this task when you have:
                  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
                  • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
                  • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
                    Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|x|x|x|

From bbd31a4d71b0dacf37c50aefcb8eb173a718c978 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Tue, 9 Nov 2021 12:06:56 -0500
Subject: [PATCH 032/104] Updated links; Replaced 'x's with check marks

---
 .../deploy-windows-10-in-a-school-district.md | 48 +++++++++----------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 63f897395a..10787af567 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -83,7 +83,7 @@ This district configuration has the following characteristics:
 
 * If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
 
-* Use [Intune](/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
+* Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
 
 * Each device supports a one-student-per-device or multiple-students-per-device scenario.
 
@@ -128,7 +128,7 @@ Office 365 Education allows:
 
 * Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
 
-For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
+For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans).
 
 ### How to configure a district
 
@@ -439,7 +439,7 @@ Now that you have created your new Office 365 Education subscription, add the do
 To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
 
 > [!NOTE]
-> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
+> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
 
 Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
 
@@ -451,7 +451,7 @@ You will always want faculty and students to join the Office 365 tenant that you
 > [!NOTE]
 > You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
 
-By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
 
 |Action |Windows PowerShell command|
 |-------|--------------------------|
@@ -470,7 +470,7 @@ To reduce your administrative effort, automatically assign Office 365 Education
 > [!NOTE]
 > By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
 
-Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
 
 |Action |Windows PowerShell command|
 |-------|--------------------------|
@@ -691,7 +691,7 @@ You can use the Microsoft 365 admin center to add individual Office 365 accounts
 
 The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
 
-For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
+For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Microsoft 365](/microsoft-365/enterprise/add-several-users-at-the-same-time).
 
 > [!NOTE]
 > If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
@@ -705,7 +705,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not
 > [!NOTE]
 > If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
 
-For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
+For information about creating security groups, see [Create an Office 365 Group in the admin center](/microsoft-365/admin/create-groups/create-groups).
 
 You can add and remove users from security groups at any time.
 
@@ -722,7 +722,7 @@ You can create email distribution groups based on job role (such as teacher, adm
 > Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps.
 
 
-For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
+For information about creating email distribution groups, see [Create a Microsoft 365 group in the admin center](/microsoft-365/admin/create-groups/create-groups).
 
 #### Summary
 
@@ -1252,21 +1252,21 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour
 
 |Task and resources|Monthly|New semester or academic year|As required|
 |--- |--- |--- |--- |
-|Verify that Windows Update is active and current with operating system and software updates.
                    For more information about completing this task when you have:
                  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
                  • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
                  • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
                    Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|x|x|x|
-|Verify that Windows Defender is active and current with malware Security intelligence.
                    For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|x|x|x|
-|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
                    For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|x|x|x|
-|Download and approve updates for Windows 10, apps, device driver, and other software.
                    For more information, see:
                  • [Manage updates by using Intune](#manage-updates-by-using-intune)
                  • [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|x|x|x|
-|Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
                    For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||x|x|
-|Refresh the operating system and apps on devices.
                    For more information about completing this task, see the following resources:
                  • [Prepare for deployment](#prepare-for-deployment)
                  • [Capture the reference image](#capture-the-reference-image)
                  • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||x|x|
-|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||x|x|
-|Install new or update existing Microsoft Store apps used in the curriculum.
                    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
                    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. 
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||x|x|
-|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) 
                  • Remove licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x|
-|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
                  • Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US)||x|x|
-|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e)
                  •  Remove licenses, [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).||x|x|
-|Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
                  • Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).||x|x|
-|Create or modify security groups, and manage group membership in Office 365.
                    For more information about how to:
                  • Create or modify security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US)
                  • Manage group membership, see [Manage Group membership in the admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).||x|x|
-|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
                    For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and[Create, edit, or delete a security group](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB).||x|x|
-|Install new student devices.
                     Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||x|
+|Verify that Windows Update is active and current with operating system and software updates.
                    For more information about completing this task when you have:
                  • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
                  • Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
                  • WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
                    Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️|
+|Verify that Windows Defender is active and current with malware Security intelligence.
                    For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|✔️|✔️|✔️|
+|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
                    For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️|
+|Download and approve updates for Windows 10, apps, device driver, and other software.
                    For more information, see:
                  • [Manage updates by using Intune](#manage-updates-by-using-intune)
                  • [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️|
+|Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
                    For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️|
+|Refresh the operating system and apps on devices.
                    For more information about completing this task, see the following resources:
                  • [Prepare for deployment](#prepare-for-deployment)
                  • [Capture the reference image](#capture-the-reference-image)
                  • [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️|
+|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
+|Install new or update existing Microsoft Store apps used in the curriculum.
                    Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
                    You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. 
                    For more information, see:
                  • [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
                  • [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
+|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) 
                  • Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
+|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
                  • Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
+|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
                  •  Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
+|Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
                    For more information about how to:
                  • Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
                  • Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
+|Create or modify security groups, and manage group membership in Office 365.
                    For more information about how to:
                  • Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)
                  • Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️|
+|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
                    For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️|
+|Install new student devices.
                     Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||✔️|
 
 *Table 19. School and individual classroom maintenance tasks, with resources and the schedule for performing them*
 
@@ -1285,4 +1285,4 @@ You have now identified the tasks you need to perform monthly, at the end of an
 * [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md)
 * [Reprovision devices at the end of the school year (video)](./index.md)
 * [Use MDT to deploy Windows 10 in a school (video)](./index.md)
-* [Use Microsoft Store for Business in a school environment (video)](./index.md)
\ No newline at end of file
+* [Use Microsoft Store for Business in a school environment (video)](./index.md)

From ae889384513822443bcc1ad6f99cef3453b74593 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Tue, 9 Nov 2021 11:55:47 -0800
Subject: [PATCH 033/104] Create whats-new-windows-10-2021.md

---
 .../ltsc/whats-new-windows-10-2021.md         | 659 ++++++++++++++++++
 1 file changed, 659 insertions(+)
 create mode 100644 windows/whats-new/ltsc/whats-new-windows-10-2021.md

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
new file mode 100644
index 0000000000..339e781039
--- /dev/null
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -0,0 +1,659 @@
+---
+title: What's new in Windows 10 Enterprise LTSC 2021
+ms.reviewer: 
+manager: dougeby
+ms.author: greglin
+description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: greg-lindsay
+ms.localizationpriority: low
+ms.topic: article
+---
+
+# What's new in Windows 10 Enterprise LTSC 2021
+
+**Applies to**
+-   Windows 10 Enterprise LTSC 2021
+
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
+
+>[!NOTE]
+>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 21H2. 
+
+Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
+- Advanced protection against modern security threats 
+- Full flexibility of OS deployment
+- Updating and support options
+- Comprehensive device and app management and control capabilities
+
+The Windows 10 Enterprise LTSC 2021 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. 
+
+>[!IMPORTANT]
+>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
+
+## Microsoft Intune
+
+Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later.  This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching.
+
+## Security
+
+This version of Window 10 includes security improvements for threat protection, information protection, and identity protection.
+
+### Threat protection
+
+#### Microsoft Defender for Endpoint
+
+The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. 
+
+![Microsoft Defender for Endpoint.](../images/wdatp.png)
+
+##### Attack surface reduction 
+
+Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders).
+
+- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
+
+- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page.
+
+###### Windows Defender Firewall 
+
+Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead).
+
+##### Windows Defender Device Guard
+
+[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: 
+- Software-based protection provided by code integrity policies 
+- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI)
+
+But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). 
+
+### Next-gen protection 
+
+### Endpoint detection and response 
+
+Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. 
+
+Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint.  Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). 
+
+We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on:
+
+- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus)
+- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus)
+- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus)
+- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features)
+- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)
+
+Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus).
+
+New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include:
+
+- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
+- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus)
+- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
+
+We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).
+
+**Endpoint detection and response** is also enhanced. New **detection** capabilities include:
+
+- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
+
+- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. 
+
+- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks.
+
+- Upgraded detections of ransomware and other advanced attacks.
+
+- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
+
+**Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
+
+- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
+- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
+
+Additional capabilities have been added to help you gain a holistic view on **investigations** include:
+
+- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
+
+- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+
+- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
+
+- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
+
+- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
+
+- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
+
+Other enhanced security features include:
+
+- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
+
+- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
+
+- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
+
+- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines.
+
+- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. 
+
+- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
+
+- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
+
+We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.
+
+We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**.
+
+This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
+
+You can read more about ransomware mitigations and detection capability at:
+
+- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
+- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/)
+
+Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
+
+Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+
+
+
+### Information protection 
+
+Improvements have been added to Windows Information Protection and BitLocker. 
+
+#### Windows Information Protection
+
+Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions).
+
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
+
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
+
+This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234).
+
+### BitLocker
+
+The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
+
+#### Silent enforcement on fixed drives
+
+Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. 
+
+This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. 
+
+This feature will soon be enabled on Olympia Corp as an optional feature.
+
+#### Delivering BitLocker policy to AutoPilot devices during OOBE 
+
+You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. 
+
+For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
+
+To achieve this:
+
+1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. 
+
+2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. 
+
+   > [!IMPORTANT]
+   > The encryption policy must be assigned to **devices** in the group, not users.
+
+3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. 
+
+   > [!IMPORTANT]
+   > If the ESP is not enabled, the policy will not apply before encryption starts.
+
+### Identity protection
+
+Improvements have been added are to Windows Hello for Business and Credential Guard.
+
+#### Windows Hello for Business
+
+New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when  you are not present.
+
+New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: 
+
+- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
+
+- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
+
+- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
+
+[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). 
+
+- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
+
+- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
+
+- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
+
+- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+
+- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
+
+- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
+ 
+For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
+
+#### Windows Defender Credential Guard
+
+Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+
+Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. 
+
+> [!NOTE]
+> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. 
+
+For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
+
+### Other security improvements
+
+#### Windows security baselines
+
+Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
+
+**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
+
+The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published. 
+
+#### SMBLoris vulnerability
+
+An issue, known as _SMBLoris_, which could result in denial of service, has been addressed.
+
+#### Windows Security Center
+
+Windows Defender Security Center is now called **Windows Security Center**. 
+
+You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. 
+
+The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. 
+
+WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
+
+![Security at a glance.](../images/defender.png "Windows Security Center")
+
+#### Group Policy Security Options
+
+The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
+
+A new security policy setting
+[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+
+#### Windows 10 in S mode
+
+We’ve continued to work on the **Current threats** area in  [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: 
+
+![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings")
+
+## Deployment
+
+### Windows Autopilot
+
+[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. 
+
+Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information.
+
+Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. 
+
+You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices).
+
+#### Autopilot Reset	
+
+IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset).
+
+### MBR2GPT.EXE
+
+MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+
+The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
+
+Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+
+For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
+
+### DISM
+
+The following new DISM commands have been added to manage feature updates:
+
+- **DISM /Online /Initiate-OSUninstall**
+  - Initiates an OS uninstall to take the computer back to the previous installation of windows.
+
+- **DISM /Online /Remove-OSUninstall**
+  - Removes the OS uninstall capability from the computer.
+
+- **DISM /Online /Get-OSUninstallWindow**
+  - Displays the number of days after upgrade during which uninstall can be performed.
+
+- **DISM /Online /Set-OSUninstallWindow**
+  - Sets the number of days after upgrade during which uninstall can be performed.
+
+For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
+
+### Windows Setup
+
+You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
+
+Prerequisites:  
+- Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later.
+- Windows 10 Enterprise or Pro
+
+For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
+
+It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
+
+`/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]`
+
+For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21).
+
+New command-line switches are also available to control BitLocker:
+
+- **Setup.exe /BitLocker AlwaysSuspend**
+  - Always suspend BitLocker during upgrade.
+
+- **Setup.exe /BitLocker TryKeepActive**
+  - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade.
+
+- **Setup.exe /BitLocker ForceKeepActive**
+  - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade.
+
+For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33).
+
+### Feature update improvements
+
+Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
+
+### SetupDiag
+
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
+
+SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
+
+## Sign-in
+
+### Faster sign-in to a Windows 10 shared pc
+
+If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc) in a flash!
+
+**To enable fast sign-in:**
+
+1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019.
+
+2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
+
+3. Sign-in to a shared PC with your account. You'll notice the difference!
+
+   ![fast sign-in.](../images/fastsignin.png "fast sign-in")
+
+### Web sign-in to Windows 10
+
+Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
+
+**To try out web sign-in:**
+
+1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
+
+2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. 
+
+3. On the lock screen, select web sign-in under sign-in options.
+4. Click the “Sign in” button to continue.
+
+![Sign-in option.](../images/websignin.png "web sign-in")
+
+## Windows Analytics
+
+### Upgrade Readiness
+
+>[!IMPORTANT]
+>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release.
+
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+
+The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+
+For more information about Upgrade Readiness, see the following topics:
+
+- [Windows Analytics blog](/archive/blogs/upgradeanalytics/)
+- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
+
+Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+### Update Compliance
+
+Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+
+Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+
+For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
+
+New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor).
+
+### Device Health
+
+Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor).
+
+## Accessibility and Privacy
+
+### Accessibility
+
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post.
+
+### Privacy
+
+In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app. 
+
+## Configuration
+
+### Kiosk configuration
+
+The new chromium-based Microsoft Edge has many improvements specifically targeted to Kiosks. However, it is not included in the LTSC release of Windows 10.  You can download and install Microsoft Edge separately [here](https://www.microsoft.com/edge/business/download).
+
+Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
+
+If you wish to take advantage of [Kiosk capabilities in Edge](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel. 
+
+### Co-management
+
+Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+
+For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803).
+
+### OS uninstall period
+
+The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update.  With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
+
+### Azure Active Directory join in bulk
+
+Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
+
+![get bulk token action in wizard.](../images/bulk-token.png)
+
+### Windows Spotlight
+
+The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
+
+- **Turn off the Windows Spotlight on Action Center**
+- **Do not use diagnostic data for tailored experiences**
+- **Turn off the Windows Welcome Experience**
+
+[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
+
+### Start and taskbar layout
+
+Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise LTSC 2019 adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
+
+[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
+
+- Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
+
+- Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep)
+
+- Additional new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist).
+
+## Windows Update
+
+### Windows Insider for Business
+
+We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
+
+You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
+
+
+### Optimize update delivery
+
+With changes delivered in Windows 10 Enterprise LTSC 2019, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+
+>[!NOTE]
+> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
+
+Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
+
+Added policies include:
+- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
+- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
+- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
+- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
+- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
+
+To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization).
+
+### Uninstalled in-box apps no longer automatically reinstall
+
+Starting with Windows 10 Enterprise LTSC 2019, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
+
+Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019.
+
+## Management
+
+### New MDM capabilities
+
+Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider).
+
+Some of the other new CSPs are:
+
+- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+
+- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
+
+- The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
+
+- The [NetworkProxy CSP](/windows/client-management/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
+
+- The [Office CSP](/windows/client-management/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options).
+
+- The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
+
+IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
+
+[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
+
+MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
+
+Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
+
+### Mobile application management support for Windows 10
+
+The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise LTSC 2019.
+
+For more info, see [Implement server-side support for mobile application management on Windows](/windows/client-management/mdm/implement-server-side-mobile-application-management).
+
+### MDM diagnostics
+
+In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
+
+### Application Virtualization for Windows (App-V)
+
+Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+
+For more info, see the following topics:
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
+- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
+- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
+- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
+
+### Windows diagnostic data
+
+Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
+
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
+- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703)
+
+### Group Policy spreadsheet
+
+Learn about the new Group Policies that were added in Windows 10 Enterprise LTSC 2019.
+
+- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
+
+### Mixed Reality Apps
+
+This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality).
+
+## Networking
+
+### Network stack
+
+Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
+
+### Miracast over Infrastructure
+
+In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb).
+
+#### How it works
+
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+#### Miracast over Infrastructure offers a number of benefits
+
+- Windows automatically detects when sending the video stream over this path is applicable.
+- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
+- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- No changes to current wireless drivers or PC hardware are required.
+- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
+- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
+
+#### Enabling Miracast over Infrastructure
+
+If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+
+- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS.
+
+- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
+    - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+    - As a Miracast source, the  PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+
+- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+
+- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+
+> [!IMPORTANT]
+> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+
+## Registry editor improvements
+
+We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
+
+![Reg editor.](../images/regeditor.png "Registry editor dropdown")
+
+## Remote Desktop with Biometrics
+
+Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+
+To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**.
+
+- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials.
+
+- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
+
+See the following example:
+
+![Enter your credentials.](../images/RDPwBioTime.png "Windows Hello")
+![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal")
+![Microsoft Hyper-V Server 2016.](../images/hyper-v.png "Microsoft Hyper-V Server 2016")
+
+## See Also
+
+[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release.

From 3ac8fbe42eac3788266aa3a240ca3bb51091e92c Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Tue, 9 Nov 2021 13:56:31 -0800
Subject: [PATCH 034/104] draft

---
 .../ltsc/whats-new-windows-10-2021.md         | 694 ++++--------------
 1 file changed, 152 insertions(+), 542 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 339e781039..cf66abe26c 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -18,10 +18,10 @@ ms.topic: article
 **Applies to**
 -   Windows 10 Enterprise LTSC 2021
 
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
 
 >[!NOTE]
->Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 21H2. 
+>Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2. 
 
 Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
 - Advanced protection against modern security threats 
@@ -29,630 +29,240 @@ Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding p
 - Updating and support options
 - Comprehensive device and app management and control capabilities
 
-The Windows 10 Enterprise LTSC 2021 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. 
+The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. 
 
->[!IMPORTANT]
->The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
+> [!IMPORTANT]
+> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
 
-## Microsoft Intune
+## Lifecycle
 
-Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later.  This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching.
+Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle (except for IoT). It is not a direct replacement for LTSC 2019, which continues to have a 10 year lifecycle. For more information, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232).
+
+## Microsoft Edge
+
+Microsoft Edge Browser support is now included in-box.
+
+### Microsoft Edge kiosk mode
+
+Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2).
+
+Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
+
+Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
+Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
+Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
+
+## Windows Subsystem for Linux
+
+Windows Subsystem for Linux (WSL) is be available in-box.
+
+## Networking
+
+WPA3 H2E standards are supported for enhanced Wi-Fi security.
 
 ## Security
 
-This version of Window 10 includes security improvements for threat protection, information protection, and identity protection.
-
-### Threat protection
-
-#### Microsoft Defender for Endpoint
-
-The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. 
-
-![Microsoft Defender for Endpoint.](../images/wdatp.png)
-
-##### Attack surface reduction 
-
-Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders).
-
-- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
-
-- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page.
-
-###### Windows Defender Firewall 
-
-Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead).
-
-##### Windows Defender Device Guard
-
-[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: 
-- Software-based protection provided by code integrity policies 
-- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI)
-
-But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). 
-
-### Next-gen protection 
-
-### Endpoint detection and response 
-
-Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. 
-
-Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint.  Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). 
-
-We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on:
-
-- [Deploying and enabling AV protection](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus)
-- [Managing updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus)
-- [Reporting](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus)
-- [Configuring features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features)
-- [Troubleshooting](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)
-
-Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus).
-
-New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include:
-
-- [Updates to how the Block at First Sight feature can be configured](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
-- [The ability to specify the level of cloud-protection](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus)
-- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
-
-We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).
-
-**Endpoint detection and response** is also enhanced. New **detection** capabilities include:
-
-- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
-
-- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. 
-
-- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks.
-
-- Upgraded detections of ransomware and other advanced attacks.
-
-- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
-
-**Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
-
-- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
-- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
-
-Additional capabilities have been added to help you gain a holistic view on **investigations** include:
-
-- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-
-- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
-
-- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
-
-- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
-
-- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
-
-- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
-
-Other enhanced security features include:
-
-- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
-
-- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-
-- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
-
-- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines.
-
-- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. 
-
-- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
-
-- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
-
-We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.
-
-We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**.
-
-This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
-
-You can read more about ransomware mitigations and detection capability at:
-
-- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
-- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/)
-
-Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
-
-Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
-
-
-
-### Information protection 
-
-Improvements have been added to Windows Information Protection and BitLocker. 
-
-#### Windows Information Protection
-
-Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions).
-
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune).
-
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs).
-
-This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234).
-
-### BitLocker
-
-The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
-
-#### Silent enforcement on fixed drives
-
-Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. 
-
-This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. 
-
-This feature will soon be enabled on Olympia Corp as an optional feature.
-
-#### Delivering BitLocker policy to AutoPilot devices during OOBE 
-
-You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. 
-
-For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
-
-To achieve this:
-
-1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. 
-
-2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. 
-
-   > [!IMPORTANT]
-   > The encryption policy must be assigned to **devices** in the group, not users.
-
-3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. 
-
-   > [!IMPORTANT]
-   > If the ESP is not enabled, the policy will not apply before encryption starts.
-
-### Identity protection
-
-Improvements have been added are to Windows Hello for Business and Credential Guard.
-
-#### Windows Hello for Business
-
-New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when  you are not present.
-
-New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: 
-
-- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
-
-- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
-
-- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
-
-[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). 
-
-- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
-
-- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
-
-- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
-
-- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
-
-- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
-
-- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
- 
-For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
+### Windows Hello
+
+- Windows Hello for Business introduces a new deployment method called cloud trust to support simplified passwordless deployments and achieve a deploy-to-run state within a few minutes.
+- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
+- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
+- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
+- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
+- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
+- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
+- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
+- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
+- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+
+### Windows Information Protection
 
 #### Windows Defender Credential Guard
 
-Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
+[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
 
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. 
+#### Microsoft Defender for Endpoint
 
-> [!NOTE]
-> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. 
+- [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). 
+- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
+- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+    - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
+    - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
+- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
 
-For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
+- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
+- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
+- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
+- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies.
+- **Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
 
-### Other security improvements
+Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
 
-#### Windows security baselines
+### Threat Protection
 
-Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
+- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
+- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
 
-**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
+#### Windows Defender Application Guard (WDAG)
 
-The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published. 
+- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: 
+  - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
+  - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
 
-#### SMBLoris vulnerability
+    To try this extension: 
+    1. Configure WDAG policies on your device.
+    2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
+    3. Follow any additional configuration steps on the extension setup page.
+    4. Reboot the device.
+    5. Navigate to an untrusted site in Chrome and Firefox.
 
-An issue, known as _SMBLoris_, which could result in denial of service, has been addressed.
+  - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
 
-#### Windows Security Center
+WDAG performance is improved with optimized document opening times:
+- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
+- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle.
+- The performance of Robocopy is improved when copying files over 400 MB in size.
 
-Windows Defender Security Center is now called **Windows Security Center**. 
+[Windows Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
 
-You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. 
+Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
 
-The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. 
+- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker.
+    - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
+    - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                    
+    This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
+    - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
 
-WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
+#### Windows Defender System Guard
 
-![Security at a glance.](../images/defender.png "Windows Security Center")
+[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months.
 
-#### Group Policy Security Options
+This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
 
-The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
+![System Guard.](images/system-guard.png "SMM Firmware Measurement")
 
-A new security policy setting
-[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
 
-#### Windows 10 in S mode
+With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
 
-We’ve continued to work on the **Current threats** area in  [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: 
+ ![System Guard.](images/system-guard2.png)
 
-![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings")
+### Security management
+
+- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. 
+- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. 
+- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
+
+#### Microsoft BitLocker
+
+BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
+
+#### Key-rolling and Key-rotation
+
+Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+
+#### Transport Layer Security (TLS)
+
+An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/platform/status/tls13/).
 
 ## Deployment
 
 ### Windows Autopilot
 
-[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. 
+[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
 
-Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information.
+- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
+- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​.
+- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
+- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
+- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
 
-Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. 
+With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
 
-You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices).
+If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages.  In previous versions, this was only supported with self-deploying profiles.
 
-#### Autopilot Reset	
+Enhancements to Windows Autopilot since the last release of Windows 10 include:
+- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
+- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
+- Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**.
 
-IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset).
+A new [resolved issues](/mem/autopilot/resolved-issues) article is available that includes several new fixes for Windows Autopilot deployment scenarios.
 
-### MBR2GPT.EXE
+A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action).
 
-MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group).  
 
-The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
+## Microsoft Intune
 
-Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles.
 
-For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
-
-### DISM
-
-The following new DISM commands have been added to manage feature updates:
-
-- **DISM /Online /Initiate-OSUninstall**
-  - Initiates an OS uninstall to take the computer back to the previous installation of windows.
-
-- **DISM /Online /Remove-OSUninstall**
-  - Removes the OS uninstall capability from the computer.
-
-- **DISM /Online /Get-OSUninstallWindow**
-  - Displays the number of days after upgrade during which uninstall can be performed.
-
-- **DISM /Online /Set-OSUninstallWindow**
-  - Sets the number of days after upgrade during which uninstall can be performed.
-
-For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
-
-### Windows Setup
-
-You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
-
-Prerequisites:  
-- Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later.
-- Windows 10 Enterprise or Pro
-
-For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
-
-It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
-
-`/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]`
-
-For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21).
-
-New command-line switches are also available to control BitLocker:
-
-- **Setup.exe /BitLocker AlwaysSuspend**
-  - Always suspend BitLocker during upgrade.
-
-- **Setup.exe /BitLocker TryKeepActive**
-  - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade.
-
-- **Setup.exe /BitLocker ForceKeepActive**
-  - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade.
-
-For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33).
-
-### Feature update improvements
-
-Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/).
+For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
 
 ### SetupDiag
 
-[SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.2107.27002 (downloadable version) is available.
 
-SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
+SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
 
-## Sign-in
+### Reserved storage
 
-### Faster sign-in to a Windows 10 shared pc
+[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space.  Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs.  It will not be enabled when updating from a previous version of Windows 10. 
 
-If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc) in a flash!
 
-**To enable fast sign-in:**
+#### Microsoft Endpoint Manager
 
-1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019.
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
 
-2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in.
+An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
 
-3. Sign-in to a shared PC with your account. You'll notice the difference!
+Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
+        .
 
-   ![fast sign-in.](../images/fastsignin.png "fast sign-in")
+### Windows Assessment and Deployment Toolkit (ADK)
 
-### Web sign-in to Windows 10
+A new [Windows ADK](/windows-hardware/get-started/adk-install) is available for Windows 11 that also supports Windows 10, version 21H2.
 
-Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
+### Microsoft Deployment Toolkit (MDT)
 
-**To try out web sign-in:**
+MDT version 8456 supports Windows 10 Enterprise LTSC 2021.
 
-1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
+For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
 
-2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. 
+### Windows Setup
 
-3. On the lock screen, select web sign-in under sign-in options.
-4. Click the “Sign in” button to continue.
+Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
 
-![Sign-in option.](../images/websignin.png "web sign-in")
+Improvements in Windows Setup with this release also include:
+- Reduced offline time during feature updates
+- Improved controls for reserved storage
+- Improved controls and diagnostics
+- New recovery options
 
-## Windows Analytics
+For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464).
 
-### Upgrade Readiness
 
->[!IMPORTANT]
->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release.
+## Device management
 
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy.
 
-The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
 
-For more information about Upgrade Readiness, see the following topics:
+Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios:
+- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report.
 
-- [Windows Analytics blog](/archive/blogs/upgradeanalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness)
 
-Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
 
-### Update Compliance
 
-Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
 
-Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
 
-For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor).
 
-New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor).
 
-### Device Health
 
-Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor).
 
-## Accessibility and Privacy
 
-### Accessibility
 
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post.
 
-### Privacy
-
-In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app. 
-
-## Configuration
-
-### Kiosk configuration
-
-The new chromium-based Microsoft Edge has many improvements specifically targeted to Kiosks. However, it is not included in the LTSC release of Windows 10.  You can download and install Microsoft Edge separately [here](https://www.microsoft.com/edge/business/download).
-
-Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
-
-If you wish to take advantage of [Kiosk capabilities in Edge](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel. 
-
-### Co-management
-
-Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
-
-For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803).
-
-### OS uninstall period
-
-The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update.  With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
-
-### Azure Active Directory join in bulk
-
-Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
-
-![get bulk token action in wizard.](../images/bulk-token.png)
-
-### Windows Spotlight
-
-The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
-
-- **Turn off the Windows Spotlight on Action Center**
-- **Do not use diagnostic data for tailored experiences**
-- **Turn off the Windows Welcome Experience**
-
-[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight)
-
-### Start and taskbar layout
-
-Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise LTSC 2019 adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
-
-[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
-
-- Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
-
-- Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep)
-
-- Additional new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist).
-
-## Windows Update
-
-### Windows Insider for Business
-
-We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
-
-You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business).
-
-
-### Optimize update delivery
-
-With changes delivered in Windows 10 Enterprise LTSC 2019, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
-
->[!NOTE]
-> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
-
-Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
-
-Added policies include:
-- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
-- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn)
-- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching)
-- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching)
-- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size)
-
-To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization).
-
-### Uninstalled in-box apps no longer automatically reinstall
-
-Starting with Windows 10 Enterprise LTSC 2019, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
-
-Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019.
-
-## Management
-
-### New MDM capabilities
-
-Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider).
-
-Some of the other new CSPs are:
-
-- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
-
-- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
-
-- The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives.
-
-- The [NetworkProxy CSP](/windows/client-management/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
-
-- The [Office CSP](/windows/client-management/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options).
-
-- The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
-
-IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
-
-[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
-
-MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
-
-Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
-
-### Mobile application management support for Windows 10
-
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise LTSC 2019.
-
-For more info, see [Implement server-side support for mobile application management on Windows](/windows/client-management/mdm/implement-server-side-mobile-application-management).
-
-### MDM diagnostics
-
-In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
-
-### Application Virtualization for Windows (App-V)
-
-Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
-
-For more info, see the following topics:
-- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
-- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
-- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
-- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
-
-### Windows diagnostic data
-
-Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level.
-
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
-- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703)
-
-### Group Policy spreadsheet
-
-Learn about the new Group Policies that were added in Windows 10 Enterprise LTSC 2019.
-
-- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
-
-### Mixed Reality Apps
-
-This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality).
-
-## Networking
-
-### Network stack
-
-Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
-
-### Miracast over Infrastructure
-
-In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb).
-
-#### How it works
-
-Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
-
-#### Miracast over Infrastructure offers a number of benefits
-
-- Windows automatically detects when sending the video stream over this path is applicable.
-- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
-- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
-- No changes to current wireless drivers or PC hardware are required.
-- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
-- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
-
-#### Enabling Miracast over Infrastructure
-
-If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
-
-- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS.
-
-- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
-    - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
-    - As a Miracast source, the  PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-
-- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
-
-- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-
-> [!IMPORTANT]
-> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
-
-## Registry editor improvements
-
-We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
-
-![Reg editor.](../images/regeditor.png "Registry editor dropdown")
-
-## Remote Desktop with Biometrics
-
-Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
-
-To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**.
-
-- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials.
-
-- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN.
-
-See the following example:
-
-![Enter your credentials.](../images/RDPwBioTime.png "Windows Hello")
-![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal")
-![Microsoft Hyper-V Server 2016.](../images/hyper-v.png "Microsoft Hyper-V Server 2016")
 
 ## See Also
 

From 4987b40908562d19827cbcf60c36ae4960883226 Mon Sep 17 00:00:00 2001
From: MandiOhlinger 
Date: Tue, 9 Nov 2021 19:57:07 -0500
Subject: [PATCH 035/104] ado5562520 - What's new in Win10 21H2

---
 windows/whats-new/TOC.yml                     |  2 +
 .../whats-new-windows-10-version-21H2.md      | 75 +++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 windows/whats-new/whats-new-windows-10-version-21H2.md

diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index b7b6b4220a..176668f48e 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -14,6 +14,8 @@
 - name: Windows 10
   expanded: true
   items:
+    - name: What's new in Windows 10, version 21H2
+      href: whats-new-windows-10-version-21H2.md
     - name: What's new in Windows 10, version 21H1
       href: whats-new-windows-10-version-21H1.md
     - name: What's new in Windows 10, version 20H2
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
new file mode 100644
index 0000000000..97ff81229b
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -0,0 +1,75 @@
+---
+title: What's new in Windows 10, version 21H2 for IT pros
+description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
+ms.reviewer: 
+manager: dougeby
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+ms.author: mandia
+author: MandiOhlinger
+ms.localizationpriority: medium
+ms.topic: article
+---
+
+# What's new in Windows 10, version 21H2
+
+**Applies to**:
+
+- Windows 10, version 21H2
+
+Windows 10, version 21H2 is the next feature update. This article lists the new and updated features IT Pros should know. Windows 10, version 21H2 is also known as the Windows 10 November 2021 Update. It includes all features and fixes in previous cumulative updates to Windows 10, version 21H1.
+
+Windows 10, version 21H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule:
+
+- **Windows 10 Professional**: Serviced for 24 months from the release date.
+- **Windows 10 Enterprise**: Serviced for 36 months from the release date.
+
+Windows 10, version 21H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/2021/11/16/how-to-get-the-windows-10-november-2021-update/) and [IT tools to support Windows 10, version 21H2 blog](https://aka.ms/tools-for-21h2).
+
+Devices running Windows 10, versions 2004, 20H2, and 21H1 can update quickly to version 21H2 using an enablement package. For more information, see [Feature Update through Windows 10, version 21H2 Enablement Package](https://support.microsoft.com/help/5003791).
+
+To learn more about the status of the November 2021 Update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
+
+## Updates and servicing
+
+Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel, like Windows 11. Previous feature updates were installed using the semi-annual channel. Quality updates are still installed monthly on patch Tuesday.
+
+For more information, see:
+
+- [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions)
+- [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels)
+
+For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473).
+
+## GPU compute support for the Windows Subsystem for Linux
+
+Starting with Windows 10 version 21H2, the Windows Subsystem for Linux has full graphics processing unit (GPU) compute support. It was available to Windows Insiders, and is now available to everyone. The Linux binaries can use your Windows GPU, and run different workloads, including artificial intelligence (AI) and machine learning (ML) development workflows.
+
+For more information, and what GPU compute support means for you, see the [GPU accelerated ML training inside the Windows Subsystem for Linux blog post](https://blogs.windows.com/windowsdeveloper/2020/06/17/gpu-accelerated-ml-training-inside-the-windows-subsystem-for-linux/).
+
+## Get the latest CSPs
+
+The [KB5005101  September 1, 2021 update](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1) includes about 1400 CSPs that were made available to MDM providers.
+
+These CSPs are built in to Windows 10, version 21H2. These settings are available in Endpoint Manager in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis.
+
+For more information on the CSPs, see the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
+
+## Apps appear local with Azure Virtual Desktop
+
+Azure virtual desktop is a Windows client OS hosted in the cloud, and it has virtual apps. The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
+
+For more information, see:
+
+- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
+- [Set up MSIX app attach with the Azure portal](azure/virtual-desktop/app-attach-azure-portal)
+
+## Wi-Fi 6E support
+
+Also known as 802.11ax, Wi-Fi 6E support is built in to Windows 10, version 21H2. Wi-Fi 6E has new channel frequencies that are dedicated to 6E devices, and is more performant for apps that use more bandwidth.
+
+## Related articles
+
+- [Release notes for Microsoft Edge Stable Channel](/deployedge/microsoft-edge-relnote-stable-channel)

From 920c4d20e4509e9f0dae6b7c55ad7a632e24006d Mon Sep 17 00:00:00 2001
From: Meghana Athavale 
Date: Wed, 10 Nov 2021 15:16:20 +0530
Subject: [PATCH 036/104] review changes done

---
 windows/configuration/wcd/wcd-policies.md | 118 +++++++++++-----------
 1 file changed, 59 insertions(+), 59 deletions(-)

diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 5f2b24e7d5..0e11b80de9 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -321,13 +321,13 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store.
 
 | Setting | Description | Windows client |  Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | 
-[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ |  |  |  |
-[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | ✔️ |  |  |  |  |
-[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart.  | ✔️ |  |  |  |
-[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button.  | ✔️ |  |  |  |
-[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button.  | ✔️ |  |  |  |
-[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ |  |  |  |
-[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.  The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | ✔️ |  |  |  |
+|[BlockedUrlExceptions](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | ✔️ |  |  |  |
+|[BlockedUrls](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | ✔️ |  |  |  |
+|[DefaultURL](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart.  | ✔️ |  |  |  |
+|[EnableEndSessionButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button.  | ✔️ |  |  |  |
+|[EnableHomeButton](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button.  | ✔️ |  |  |  |
+|[EnableNavigationButtons](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | ✔️ |  |  |  |
+|[RestartOnIdleTime](/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.  The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | ✔️ |  |  |  |
 
 To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer:
 
@@ -439,11 +439,11 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
 | [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu.  | ✔️ |  |  |  |
 | [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu.  | ✔️ |  |  |  |
 | [AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu.  | ✔️ |  |  |  |
-| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu.  | ✔️ |  |  |  |  |
+| [AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu.  | ✔️ |  |  |  |  
 | [AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu.  | ✔️ |  |  |  |
-| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu.  | ✔️ |  |  |  |  |
+| [AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu.  | ✔️ |  |  |  |  
 | [AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos)  |Control the visibility of the Videos shortcut on the Start menu.   | ✔️ |  |  |  |
-DisableContextMenus | Prevent context menus from being invoked in the Start menu.  | ✔️ |  |  |  |
+| DisableContextMenus | Prevent context menus from being invoked in the Start menu.  | ✔️ |  |  |  |
 | [ForceStartSize](/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | ✔️ |  |  |  |
 | [HideAppList](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | ✔️ |   |  |  |
 | [HideChangeAccountSettings](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | ✔️ |   |  |  |
@@ -496,7 +496,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl
 | [AllowJapaneseUserDictionary](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | ✔️ |  |  |  |
 | [AllowKeyboardTextSuggestions](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | ✔️ |  |  |  |
 | [AllowLanguageFeaturesUninstall](/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | ✔️ |  |  |  |
-| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver)  |  |  |  |  |  |
+| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver)  |  |  |  |  |  
 | [ExcludeJapaneseIMEExceptISO208](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter.  | ✔️ |  |  |  |
 | [ExcludeJapaneseIMEExceptISO208andEUDC](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter.  | ✔️ |  |  |  |
 | [ExcludeJapaneseIMEExceptShiftJIS](/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | ✔️ |  |  |  |
@@ -511,54 +511,54 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl
 
 ## Update
 
-|                                                                                                   Setting                                                                                                    |                                                                      Description                                                                      | Windows client |  Surface Hub | HoloLens | IoT Core |
-|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------:|:---------------:|:-----------:|:--------:|
-|                                    [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend)                                    |                    Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled.                    |        ✔️         |            ✔️      |          |    ✔️     |
-|                               [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange)                               |                                                        Specify the maximum active hours range.                                                        |        ✔️         |              ✔️      |          |    ✔️     |
-|                                  [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart)                                  |                    Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled.                     |        ✔️         |             ✔️      |          |    ✔️     |
-|                                   [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate)                                   |                                      Configure automatic update behavior to scan, download, and install updates.                                      |        ✔️         |             ✔️      |    ✔️     |    ✔️     |
-|            [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)            |          Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed.           |        ✔️         |            ✔️      |          |    ✔️     |
-|                              [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice)                              |                                             Manage whether to scan for app updates from Microsoft Update.                                             |        ✔️         |           ✔️      |    ✔️     |    ✔️     |
-|                     [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate)                     |  Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location.  |        ✔️         |         ✔️      |          |    ✔️     |
-|                                [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice)                                |                    Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.                    |        ✔️         |          ✔️      |    ✔️     |    ✔️     |
-|                             [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays)                             |          Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending.           |        ✔️         |           ✔️      |          |    ✔️     |
-|            [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates)            |          Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending.           |        ✔️         |         ✔️      |          |    ✔️     |
-|                   [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule)                   |                                              Specify the period for auto-restart reminder notifications.                                              |        ✔️         |         ✔️      |          |    ✔️     |
-|          [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal)          |                                   Specify the method by which the auto-restart required notification is dismissed.                                    |        ✔️         |         ✔️      |          |    ✔️     |
-|                              [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel)                              |                                               Select which branch a device receives their updates from.                                               |        ✔️         |          ✔️      |    ✔️     |    ✔️     |
-|                   [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays)                   |                                                Defer Feature Updates for the specified number of days.                                                |        ✔️         |         ✔️      |          |    ✔️     |
-|                   [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays)                   |                                                Defer Quality Updates for the specified number of days.                                                |        ✔️         |         ✔️      |          |    ✔️     |
-|                                           [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod)                                           |                                                       Specify update delays for up to 4 weeks.                                                        |        ✔️         |              ✔️      |    ✔️     |    ✔️     |
-|                                          [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod)                                          |                                                      Specify upgrade delays for up to 8 months.                                                       |        ✔️         |        ✔️      |    ✔️     |    ✔️     |
-|                                [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency)                                |                                           Specify the frequency to scan for updates, from every 1-22 hours.                                           |        ✔️         |             ✔️      |    ✔️     |    ✔️     |
-|                                             [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan)                                             |                                     Do not allow update deferral policies to cause scans against Windows Update.                                      |        ✔️         |              ✔️      |          |    ✔️     |
-|                            [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline)                            |                 Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours.                 |        ✔️         |           ✔️      |          |    ✔️     |
-|           [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates)           |                 Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours.                 |        ✔️         |        ✔️     |         |    ✔️     |
-|                      [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule)                      |                                 Specify the number of days a user can snooze Engaged restart reminder notifications.                                  |        ✔️         |             ✔️      |          |    ✔️     |
-|     [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates)     |                                 Specify the number of days a user can snooze Engaged restart reminder notifications.                                  |        ✔️         |            ✔️      |          |    ✔️     |
-|                  [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule)                  | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. |        ✔️         |          ✔️      |          |    ✔️     |
-| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. |        ✔️         |           ✔️      |          |    ✔️     |
-|                   [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate)                   |                                              Exclude Windws Update (WU) drivers during quality updates.                                               |        ✔️         |      ✔️      |          |    ✔️     |
-|                              [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls)                              |                            Allow Windows Update Agent to determine the download URL when it is missing from the metadata.                             |        ✔️         |            ✔️      |          |    ✔️     |
-|                                                                                             ManagePreviewBuilds                                                                                              |                                                       Use to enable or disable preview builds.                                                        |        ✔️         |          ✔️      |    ✔️     |    ✔️     |
-|                                                                                           PhoneUpdateRestrictions                                                                                            |                                                                      Deprecated                                                                       |                  |        ✔️        |             |          |
-|                               [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade)                               |                                      Configure device to receive updates from Current Branch for Business (CBB).                                      |        ✔️         |            ✔️      |    ✔️     |    ✔️     |
-|                               [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday)                               |                                                       Schedule the day for update installation.                                                       |        ✔️         |          ✔️      |    ✔️     |    ✔️     |
-|                                   [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)                                   |                                           To schedule update installation every week, set the value as `1`.                                           |        ✔️         |        ✔️      |    ✔️     |    ✔️     |
-|                                   [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)                                   |                                  To schedule update installation the first week of the month, see the value as `1`.                                   |        ✔️         |             ✔️     |    ✔️     |  ✔️     |
-|                                  [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)                                  |                                  To schedule update installation the fourth week of the month, see the value as `1`.                                  |        ✔️         |            ✔️      |    ✔️     |    ✔️     |
-|                                  [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)                                  |                                  To schedule update installation the second week of the month, see the value as `1`.                                  |        ✔️         |    |      ✔️      |    ✔️     |    ✔️     |
-|                                   [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)                                   |                                  To schedule update installation the third week of the month, see the value as `1`.                                   |        ✔️         |        ✔️        |        ✔️     |    ✔️     |
-|                              [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime)                              |                                                      Schedule the time for update installation.                                                       |        ✔️         |          ✔️      |    ✔️     |    ✔️     |
-|                    [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning)                    |                                          Specify the period for auto-restart imminent warning notifications.                                          |        ✔️         |           ✔️      |          |    ✔️     |
-|                            [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning)                            |                                          Specify the period for auto-restart warning reminder notifications.                                          |        ✔️         |             ✔️      |          |    ✔️     |
-|                 [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable)                 |                                             Disable auto-restart notifications for update installations.                                              |        ✔️         |        ✔️        |                |    ✔️     |
-|                           [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess)                           |                                                        Disable access to scan Windows Update.                                                         |        ✔️         |             ✔️      |          |    ✔️     |
-|                              [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess)                              |                                                        Disable the **Pause updates** feature.                                                         |        ✔️         |           ✔️      |          |    ✔️     |
-|                                     [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart)                                     |                            Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.                            |        ✔️         |             ✔️      |          |    ✔️     |
-|                                                                                           UpdateNotificationLevel                                                                                            |                            Specify whether to enable or disable Windows Update notifications, including restart warnings.                             |        ✔️         |            ✔️      |          |    ✔️     |
-|                                  [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl)                                  |                               Configure the device to check for updates from a WSUS server instead of Microsoft Update.                               |        ✔️         |          ✔️      |    ✔️     |    ✔️     |
-|                         [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate)                         |                                      Specify an alternate intranet server to host updates from Microsoft Update.                                      |        ✔️         |          ✔️      |    ✔️     |    ✔️     |
+| Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
+|---------|-------------|:--------------:|:-----------:|:--------:|:--------:|
+| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | ✔️ | ✔️ | | ✔️ |
+| [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | | ✔️ |
+| [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ |
+| [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | ✔️ | ✔️ | | ✔️ |
+| [AllowMUUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | ✔️ | ✔️ | | ✔️ |
+| [AllowUpdateService](/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [AutoRestartDeadlinePeriodInDays](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ |
+| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | ✔️ | ✔️ | | ✔️ |
+| [AutoRestartNotificationSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
+| [AutoRestartRequiredNotificationDismissal](/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | ✔️ | ✔️ | | ✔️ |
+| [BranchReadinessLevel](/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ |
+| [DeferQualityUpdatesPeriodInDays](/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | ✔️ | ✔️ | | ✔️ |
+| [DeferUpdatePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [DeferUpgradePeriod](/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [DetectionFrequency](/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [DisableDualScan](/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartDeadline](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartSnoozeSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ |
+| [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ |
+| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | ✔️ | ✔️ | | ✔️ |
+| [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | ✔️ | ✔️ | | ✔️ |
+| ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ |
+| PhoneUpdateRestrictions | Deprecated | | ✔️ | | |
+| [RequireDeferUpgrade](/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallDay](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduledInstallTime](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | ✔️ | ✔️ | | ✔️ |
+| [ScheduleRestartWarning](/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | ✔️ | ✔️ | | ✔️ |
+| [SetAutoRestartNotificationDisable](/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | ✔️ | ✔️ | | ✔️ |
+| [SetDisablePauseUXAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | ✔️ | ✔️ | | ✔️ |
+| [SetDisableUXWUAccess](/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | ✔️ | ✔️ | | ✔️ |
+| [SetEDURestart](/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | ✔️ | ✔️ | | ✔️ |
+| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | ✔️ | ✔️ | | ✔️ |
+| [UpdateServiceUrl](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ |
+| [UpdateServiceUrlAlternate](/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | ✔️ | ✔️ | ✔️ | ✔️ |
 
 ## WiFi
 

From 365ef466a447ee111056df4a7197a5d790075b27 Mon Sep 17 00:00:00 2001
From: Meghana Athavale 
Date: Wed, 10 Nov 2021 15:24:54 +0530
Subject: [PATCH 037/104] review changes

---
 windows/configuration/wcd/wcd-kioskbrowser.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md
index cbb31ac787..b8dc34d1e1 100644
--- a/windows/configuration/wcd/wcd-kioskbrowser.md
+++ b/windows/configuration/wcd/wcd-kioskbrowser.md
@@ -24,7 +24,7 @@ Use KioskBrowser settings to configure Internet sharing.
 | All settings |  |  |  | ✔️ |
 
 >[!NOTE]
->To configure Kiosk Browser settings for desktop editions, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser).
+>To configure Kiosk Browser settings for Windows client, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser).
 
 Kiosk Browser settings | Use this setting to
 --- | ---

From b24dfc02f71cc5cc5c49bbf820345a11c58d243b Mon Sep 17 00:00:00 2001
From: Meghana Athavale 
Date: Wed, 10 Nov 2021 15:33:10 +0530
Subject: [PATCH 038/104] review changes

---
 windows/configuration/wcd/wcd-start.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index bebe2a9e3d..f07294f5b3 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -24,7 +24,7 @@ Use Start settings to apply a customized Start screen to devices.
 | StartLayout | ✔️  | |  |  |
 
 >[!IMPORTANT]
->The StartLayout setting is available in the advanced provisioning for Windows 10 desktop editions, but shouldn't be used. For desktop editions, use [Policies > StartLayout](wcd-policies.md#start).
+>The StartLayout setting is available in the advanced provisioning for Windows 10 Windows client, but shouldn't be used. For Windows client, use [Policies > StartLayout](wcd-policies.md#start).
 
 ## StartLayout
 

From e5bb8ffad6823800bb57f013a00fd9ad8a32a748 Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan 
Date: Wed, 10 Nov 2021 12:38:08 +0000
Subject: [PATCH 039/104] 21h2 updates

---
 .../privacy/manage-windows-21h2-endpoints.md  | 157 ++++++++++++++++++
 windows/privacy/toc.yml                       |   2 +
 2 files changed, 159 insertions(+)
 create mode 100644 windows/privacy/manage-windows-21h2-endpoints.md

diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
new file mode 100644
index 0000000000..c6578dcc77
--- /dev/null
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -0,0 +1,157 @@
+---
+title: Connection endpoints for Windows 10 Enterprise, version 21H2
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H2.
+keywords: privacy, manage connections to Microsoft, Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: robsize
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/04/2021
+---
+
+# Manage connection endpoints for Windows 10 Enterprise, version 21H2
+
+**Applies to**
+
+- Windows 10 Enterprise, version 21H2
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
+
+The following methodology was used to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 21H2 Enterprise connection endpoints
+
+|Area|Description|Protocol|Destination|
+|----------------|----------|----------|------------|
+|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
+|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
+||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||TLSv1.2/HTTPS/HTTP|fp.msedge.net|
+|||TLSv1.2|I-ring.msedge.net|
+|||HTTPS|s-ring.msedge.net|
+|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+||The following endpoint is used to authenticate a device. If you  turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
+|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
+|||HTTP|dmd.metaservices.microsoft.com|
+|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. 
                    If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
+||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
+|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
+|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
+|||HTTPS|fs.microsoft.com|
+|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
+|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
+|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
+||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
+|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
+||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
+|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
+||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
+|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
+||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
+|||HTTPS|pti.store.microsoft.com|
+|||HTTP|share.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
+||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|www.office.com|
+|||HTTPS|blobs.officehome.msocdn.com|
+|||HTTPS|officehomeblobs.blob.core.windows.net|
+|||HTTPS|self.events.data.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
+|||TLSv1.2/HTTPS/HTTP|g.live.com|
+|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms|
+|||HTTPS| logincdn.msauth.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
+|||HTTPS|settings.data.microsoft.com|
+|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
+|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
+|||HTTPS/TLSv1.2|wdcp.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
+|||HTTPS/HTTP|checkappexec.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
+|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
+|||HTTPS|ris.api.iris.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
+|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||HTTP|emdl.ws.microsoft.com|
+||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
+|||HTTP|*.windowsupdate.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
+||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|dlassets-ssl.xboxlive.com|
+
+
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 Enterprise, see:
+
+- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+
+- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
+- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
+- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
+- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml
index 25fc676681..d4b8c28d4e 100644
--- a/windows/privacy/toc.yml
+++ b/windows/privacy/toc.yml
@@ -47,6 +47,8 @@
           href: essential-services-and-connected-experiences.md
         - name: Connection endpoints for Windows 11
           href: manage-windows-11-endpoints.md
+        - name: Connection endpoints for Windows 10, version 21H2
+          href: manage-windows-21h2-endpoints.md
         - name: Connection endpoints for Windows 10, version 21H1
           href: manage-windows-21H1-endpoints.md
         - name: Connection endpoints for Windows 10, version 20H2

From d2369518496d5763effd2446453db0d0f50bdc72 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT 
Date: Wed, 10 Nov 2021 09:11:58 -0800
Subject: [PATCH 040/104] Update advanced-security-auditing-faq.yml

---
 .../auditing/advanced-security-auditing-faq.yml                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
index 73605a664a..8fc368965e 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
@@ -15,7 +15,7 @@ metadata:
   audience: ITPro
   ms.collection: M365-security-compliance
   ms.topic: conceptual
-  ms.date: 09/06/2021
+  ms.date: 11/10/2021
   ms.technology: mde
     
 title: Advanced security auditing FAQ

From fe5e69e3996ea58953105ed0097a39367ad1a334 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Wed, 10 Nov 2021 09:38:56 -0800
Subject: [PATCH 041/104] draft

---
 windows/whats-new/ltsc/TOC.yml  |  2 ++
 windows/whats-new/ltsc/index.md | 12 +++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/windows/whats-new/ltsc/TOC.yml b/windows/whats-new/ltsc/TOC.yml
index aaabcc56ee..d7d88350ef 100644
--- a/windows/whats-new/ltsc/TOC.yml
+++ b/windows/whats-new/ltsc/TOC.yml
@@ -1,6 +1,8 @@
 - name: Windows 10 Enterprise LTSC
   href: index.md
   items: 
+    - name: What's new in Windows 10 Enterprise LTSC 2021
+      href: whats-new-windows-10-2021.md
     - name: What's new in Windows 10 Enterprise LTSC 2019
       href: whats-new-windows-10-2019.md
     - name: What's new in Windows 10 Enterprise LTSC 2016
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 7e088e312d..70c1f327ba 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 audience: itpro
 author: greg-lindsay
 ms.author: greglin
-manager: laurawi
+manager: dougeby
 ms.localizationpriority: low
 ms.topic: article
 ---
@@ -22,6 +22,7 @@ ms.topic: article
 
 This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. 
 
+[What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
                    
 [What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
                    
 [What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
                    
 [What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)
@@ -35,14 +36,15 @@ The following table summarizes equivalent feature update versions of Windows 10
 | Windows 10 Enterprise LTSC 2015  | Windows 10, Version 1507 | 7/29/2015 |
 | Windows 10 Enterprise LTSC 2016  | Windows 10, Version 1607 | 8/2/2016 |
 | Windows 10 Enterprise LTSC 2019  | Windows 10, Version 1809 | 11/13/2018 |
+| Windows 10 Enterprise LTSC 2019  | Windows 10, Version 1809 | 11/16/2021 |
 
->[!NOTE]
->The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
+> [!NOTE]
+> The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
 
 With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. 
 
->[!IMPORTANT]
->The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
+> [!IMPORTANT]
+> The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
  
 For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview).
 

From 9ad8b9ac6ee5b23cc6ff4d75d75a3333b9ecb5e5 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Wed, 10 Nov 2021 10:09:29 -0800
Subject: [PATCH 042/104] draft

---
 windows/whats-new/ltsc/index.md                     |  2 +-
 windows/whats-new/ltsc/whats-new-windows-10-2021.md | 10 +++-------
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 70c1f327ba..28bc3db429 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -36,7 +36,7 @@ The following table summarizes equivalent feature update versions of Windows 10
 | Windows 10 Enterprise LTSC 2015  | Windows 10, Version 1507 | 7/29/2015 |
 | Windows 10 Enterprise LTSC 2016  | Windows 10, Version 1607 | 8/2/2016 |
 | Windows 10 Enterprise LTSC 2019  | Windows 10, Version 1809 | 11/13/2018 |
-| Windows 10 Enterprise LTSC 2019  | Windows 10, Version 1809 | 11/16/2021 |
+| Windows 10 Enterprise LTSC 2019  | Windows 10, Version 21H2 | 11/16/2021 |
 
 > [!NOTE]
 > The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index cf66abe26c..a9f5bb8a0a 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -20,14 +20,10 @@ ms.topic: article
 
 This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
 
->[!NOTE]
->Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2. 
+> [!NOTE]
+> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2. 
 
-Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
-- Advanced protection against modern security threats 
-- Full flexibility of OS deployment
-- Updating and support options
-- Comprehensive device and app management and control capabilities
+Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
 
 The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. 
 

From b58f748fd8275563e6982d8c8b5febc9e23d0fe2 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Thu, 11 Nov 2021 00:33:24 +0530
Subject: [PATCH 043/104] removed sentences and added correct sentences

as per user report #10054 , so i corrected the wrong sentences to correct sentences. i added after verifying with Windows 11 ADMX gpo.
---
 windows/client-management/mdm/policy-csp-userrights.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 65fb6facfd..dab6c7c86d 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1080,9 +1080,10 @@ GP Info:
 
 
 
-This security setting determines which service accounts are prevented from registering a process as a service.
+This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.
+
 > [!NOTE]
-> This security setting does not apply to the System, Local Service, or Network Service accounts.
+> If you apply this security policy to the Everyone group, no one will be able to log on locally.
 
 
 

From 529eb251a4a2dc5cd455b756538716bf2ed7cff8 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Thu, 11 Nov 2021 00:40:00 +0530
Subject: [PATCH 044/104] corrected word

as per user feedback #10038
---
 .../tpm/trusted-platform-module-overview.md                     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index e401d19506..c5a7d50e68 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -32,7 +32,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a
 
 - Generate, store, and limit the use of cryptographic keys.
 
-- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself.
+- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it.
 
 - Help ensure platform integrity by taking and storing security measurements.
 

From 37e4ad909b96b9f66d017e373a4b3bbec7856b74 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Wed, 10 Nov 2021 11:33:23 -0800
Subject: [PATCH 045/104] draft

---
 .../ltsc/whats-new-windows-10-2021.md         | 38 +++++++++----------
 1 file changed, 17 insertions(+), 21 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index a9f5bb8a0a..bf0312bdc1 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -21,18 +21,22 @@ ms.topic: article
 This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
 
 > [!NOTE]
-> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2. 
+> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
                    
+> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
 
-Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
+Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. 
 
 The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. 
 
-> [!IMPORTANT]
-> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
+
+
 
 ## Lifecycle
 
-Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle (except for IoT). It is not a direct replacement for LTSC 2019, which continues to have a 10 year lifecycle. For more information, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232).
+> [!IMPORTANT]
+> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle (except for IoT). It is not a direct replacement for LTSC 2019, which continues to have a 10 year lifecycle.
+
+For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232).
 
 ## Microsoft Edge
 
@@ -80,7 +84,6 @@ WPA3 H2E standards are supported for enhanced Wi-Fi security.
 
 #### Microsoft Defender for Endpoint
 
-- [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files). 
 - [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
 - [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
     - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
@@ -168,31 +171,24 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190
 
 [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
 
-- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
+- [Windows Autopilot for for pre-provisioned deployment](/windows/deployment/windows-autopilot/pre-provision) is now available. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
 - The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​.
 - [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
 - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
 - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
-
-With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
-
-If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages.  In previous versions, this was only supported with self-deploying profiles.
-
-Enhancements to Windows Autopilot since the last release of Windows 10 include:
-- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
-- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
+- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot) is available. Co-management and Autopilot together can help you reduce cost and improve the end user experience.
 - Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**.
-
-A new [resolved issues](/mem/autopilot/resolved-issues) article is available that includes several new fixes for Windows Autopilot deployment scenarios.
-
-A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action).
-
-Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group).  
+- You can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support.
+- If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages.  In previous versions, this was only supported with self-deploying profiles.
 
 ## Microsoft Intune
 
 Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles.
 
+A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action).
+
+Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). 
+
 For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
 
 ### SetupDiag

From 9f504d7ec7c81ed8deaf2fd984a92dbdcf0aaaaf Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Wed, 10 Nov 2021 11:56:03 -0800
Subject: [PATCH 046/104] draft

---
 .../ltsc/whats-new-windows-10-2021.md         | 33 ++++---------------
 1 file changed, 6 insertions(+), 27 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index bf0312bdc1..a5e38f6b4e 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -28,9 +28,6 @@ Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding p
 
 The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. 
 
-
-
-
 ## Lifecycle
 
 > [!IMPORTANT]
@@ -52,13 +49,7 @@ Digital/Interactive Signage experience - Displays a specific site in full-screen
 Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
 Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
 
-## Windows Subsystem for Linux
 
-Windows Subsystem for Linux (WSL) is be available in-box.
-
-## Networking
-
-WPA3 H2E standards are supported for enhanced Wi-Fi security.
 
 ## Security
 
@@ -193,15 +184,12 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft
 
 ### SetupDiag
 
-[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.2107.27002 (downloadable version) is available.
-
-SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
 
 ### Reserved storage
 
 [**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space.  Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs.  It will not be enabled when updating from a previous version of Windows 10. 
 
-
 #### Microsoft Endpoint Manager
 
 Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
@@ -210,20 +198,17 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor
 
 Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
         .
-
 ### Windows Assessment and Deployment Toolkit (ADK)
 
 A new [Windows ADK](/windows-hardware/get-started/adk-install) is available for Windows 11 that also supports Windows 10, version 21H2.
 
 ### Microsoft Deployment Toolkit (MDT)
 
-MDT version 8456 supports Windows 10 Enterprise LTSC 2021.
-
 For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
 
 ### Windows Setup
 
-Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
+Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have improved language handling.
 
 Improvements in Windows Setup with this release also include:
 - Reduced offline time during feature updates
@@ -233,7 +218,6 @@ Improvements in Windows Setup with this release also include:
 
 For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464).
 
-
 ## Device management
 
 Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy.
@@ -243,18 +227,13 @@ For more information about what's new in MDM, see [What's new in mobile device e
 Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios:
 - An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report.
 
+## Windows Subsystem for Linux
 
+Windows Subsystem for Linux (WSL) is be available in-box.
 
+## Networking
 
-
-
-
-
-
-
-
-
-
+WPA3 H2E standards are supported for enhanced Wi-Fi security.
 
 ## See Also
 

From 3e7c7891222bd0bca533a779c43b6378a43f2ac5 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Wed, 10 Nov 2021 13:44:02 -0800
Subject: [PATCH 047/104] draft

---
 .../ltsc/whats-new-windows-10-2021.md         | 25 +++++++++++--------
 .../whats-new-windows-10-version-1903.md      | 12 ++-------
 2 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index a5e38f6b4e..d7f40ea46a 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -44,12 +44,9 @@ Microsoft Edge Browser support is now included in-box.
 Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2).
 
 Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
-
-Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
-Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
-Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
-
-
+- Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
+- Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
+- Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
 
 ## Security
 
@@ -118,7 +115,7 @@ WDAG performance is improved with optimized document opening times:
 
 Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
 
-- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker.
+- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker.
     - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
     - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                    
     This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
@@ -130,13 +127,13 @@ Microsoft Defender Application Guard now supports Office: With [Microsoft Defend
 
 This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
 
-![System Guard.](images/system-guard.png "SMM Firmware Measurement")
+![System Guard.](../images/system-guard.png "SMM Firmware Measurement")
 
 In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
 
 With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
 
- ![System Guard.](images/system-guard2.png)
+ ![System Guard.](../images/system-guard2.png)
 
 ### Security management
 
@@ -160,7 +157,15 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190
 
 ### Windows Autopilot
 
-[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
+[Windows Autopilot](/mem/autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019, LTSC 2021, and later versions. Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. 
+
+Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information.
+
+Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. 
+
+You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices).
+
+The following new Windows Autopilot features are available in Windows 10, version 1903 and later:
 
 - [Windows Autopilot for for pre-provisioned deployment](/windows/deployment/windows-autopilot/pre-provision) is now available. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
 - The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​.
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 74eb1725e2..d8febd294c 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -35,21 +35,13 @@ This article lists new and updated features and content that are of interest to
 - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
 - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
 
-### Windows 10 Subscription Activation
-
-Windows 10 Education support has been added to Windows 10 Subscription Activation.
-
-With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation).
-
 ### SetupDiag
 
-[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.4.1 is available.
-
-SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
 
 ### Reserved storage
 
-[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space.  Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs.  It will not be enabled when updating from a previous version of Windows 10. 
+[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space.  Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs.  It will not be enabled when updating from a previous version of Windows 10. 
 
 ## Servicing
 

From 9d8b1febf59c5adaf409077e5e2d7f5276e5029e Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Wed, 10 Nov 2021 14:05:46 -0800
Subject: [PATCH 048/104] draft

---
 .../ltsc/whats-new-windows-10-2021.md         | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index d7f40ea46a..2755a7bb7a 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -91,31 +91,31 @@ Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security
 - [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
 - [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
 
-#### Windows Defender Application Guard (WDAG)
+#### Microsoft Defender Application Guard
 
-- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: 
+- [Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: 
   - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
-  - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+  - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
 
     To try this extension: 
-    1. Configure WDAG policies on your device.
+    1. Configure Application Guard policies on your device.
     2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
     3. Follow any additional configuration steps on the extension setup page.
     4. Reboot the device.
     5. Navigate to an untrusted site in Chrome and Firefox.
 
-  - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+  - Application Guard allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
 
-WDAG performance is improved with optimized document opening times:
-- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (WDAG) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
-- A memory issue is fixed that could cause a WDAG container to use almost 1 GB of working set memory when the container is idle.
+Application Guard performance is improved with optimized document opening times:
+- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
+- A memory issue is fixed that could cause a Application Guard container to use almost 1 GB of working set memory when the container is idle.
 - The performance of Robocopy is improved when copying files over 400 MB in size.
 
-[Windows Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
+[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
 
 Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
 
-- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker.
+- [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker.
     - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
     - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                    
     This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.

From d2adee1dad0b862cc3783bd1ff3419d9c93ec762 Mon Sep 17 00:00:00 2001
From: MandiOhlinger 
Date: Wed, 10 Nov 2021 19:39:50 -0500
Subject: [PATCH 049/104] review updates

---
 windows/whats-new/whats-new-windows-10-version-21H2.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index 97ff81229b..d251c2b75a 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -34,15 +34,15 @@ To learn more about the status of the November 2021 Update rollout, known issues
 
 ## Updates and servicing
 
-Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel, like Windows 11. Previous feature updates were installed using the semi-annual channel. Quality updates are still installed monthly on patch Tuesday.
+Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the semi-annual channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473).
+
+Quality updates are still installed monthly on patch Tuesday.
 
 For more information, see:
 
 - [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions)
 - [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels)
 
-For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473).
-
 ## GPU compute support for the Windows Subsystem for Linux
 
 Starting with Windows 10 version 21H2, the Windows Subsystem for Linux has full graphics processing unit (GPU) compute support. It was available to Windows Insiders, and is now available to everyone. The Linux binaries can use your Windows GPU, and run different workloads, including artificial intelligence (AI) and machine learning (ML) development workflows.
@@ -64,7 +64,7 @@ Azure virtual desktop is a Windows client OS hosted in the cloud, and it has vir
 For more information, see:
 
 - [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
-- [Set up MSIX app attach with the Azure portal](azure/virtual-desktop/app-attach-azure-portal)
+- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
 
 ## Wi-Fi 6E support
 

From 59de1f6826eee15f4bec032a5ca755961d18b423 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Wed, 10 Nov 2021 20:22:06 -0500
Subject: [PATCH 050/104] Removed  HTML; It messed up H2 formatting

---
 windows/configuration/wcd/wcd-developersetup.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index 361aafb35e..d943292fe7 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -25,16 +25,14 @@ Use to unlock developer mode on HoloLens devices and configure authentication to
 | [AuthenticationMode](#authenticationmode) |   |  | ✔️ |  |
 
 
-
 ## DeveloperSetupSettings: EnableDeveloperMode
 
 When this setting is configured as **True**, the device is unlocked for developer functionality.
 
-
 ## WindowsDevicePortalSettings: Authentication Mode
 
 When AuthenticationMode is set to **Basic Auth**, enter a user name and password to enable the device to connect to and authenticate with the Windows Device Portal.
 
 ## Related topics
 
-- [Device Portal for HoloLens](/windows/uwp/debug-test-perf/device-portal-hololens)
\ No newline at end of file
+- [Device Portal for HoloLens](/windows/uwp/debug-test-perf/device-portal-hololens)

From 513c5074b1ff1e01ec9fcf167d04165ddb7e4860 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Wed, 10 Nov 2021 20:27:29 -0500
Subject: [PATCH 051/104] Fixed links

---
 windows/configuration/wcd/wcd-developersetup.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index d943292fe7..eee860859f 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -21,8 +21,8 @@ Use to unlock developer mode on HoloLens devices and configure authentication to
 
 | Setting groups  | Windows client | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: |
-| [EnableDeveloperMode](#enabledevelopermode) |   |  | ✔️ |  |
-| [AuthenticationMode](#authenticationmode) |   |  | ✔️ |  |
+| [EnableDeveloperMode](#developersetupsettings-enabledevelopermode) |   |  | ✔️ |  |
+| [AuthenticationMode](#windowsdeviceportalsettings-authentication-mode) |   |  | ✔️ |  |
 
 
 ## DeveloperSetupSettings: EnableDeveloperMode

From 35a57fd866206383e44d24c49020a933dc33a766 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Wed, 10 Nov 2021 20:40:38 -0500
Subject: [PATCH 052/104] Removed HTML; It messed up H2 formatting

---
 windows/configuration/wcd/wcd-oobe.md | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index 23bd9ea316..3cf5af44e6 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -21,8 +21,8 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](/windows-hardwa
 | Setting   | Windows client | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: | 
 | [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️  |  |  |  |
-| [Desktop > HideOobe](#hided) | ✔️  |  |  |  |
-| [Mobile > EnforceEnterpriseProvisioning](#nforce) |   |  |  |  |
+| [Desktop > HideOobe](#hideoobe-for-desktop) | ✔️  |  |  |  |
+| [Mobile > EnforceEnterpriseProvisioning](#enforceenterpriseprovisioning) |   |  |  |  |
 | [Mobile > HideOobe](#hidem) |   |  |  |  |
 
 
@@ -32,21 +32,18 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](/windows-hardwa
 
 Use this setting to control whether Cortana voice-over is enabled during OOBE. The voice-over is disabled by default on Windows 10 Pro, Education, and Enterprise. The voice-over is enabled by default on Windows 10 Home. Select **True** to enable voice-over during OOBE, or **False** to disable voice-over during OOBE.
 
-
 ## HideOobe for desktop
 
 When set to **True**, it hides the interactive OOBE flow for Windows 10.
 
->[!NOTE]
->You must create a user account if you set the value to true or the device will not be usable.
+> [!NOTE]
+> You must create a user account if you set the value to true or the device will not be usable.
 
 When set to **False**, the OOBE screens are displayed.
 
-
 ## EnforceEnterpriseProvisioning
 
 When set to **True**, it forces the OOBE flow into using the enterprise provisioning page without making the user interact with the Windows button. This is the default setting.
 
 When set to **False**, it does not force the OOBE flow to the enterprise provisioning page.
 
-

From e3be1b93cdb58c3ec1a0c454c6b3069b4efac510 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Wed, 10 Nov 2021 20:44:12 -0500
Subject: [PATCH 053/104] Removed Mobile settings

---
 windows/configuration/wcd/wcd-oobe.md | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index 3cf5af44e6..9110aeec1d 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -22,11 +22,6 @@ Use to configure settings for the [Out Of Box Experience (OOBE)](/windows-hardwa
 | --- | :---: | :---: | :---: | :---: | 
 | [Desktop > EnableCortanaVoice](#enablecortanavoice) | ✔️  |  |  |  |
 | [Desktop > HideOobe](#hideoobe-for-desktop) | ✔️  |  |  |  |
-| [Mobile > EnforceEnterpriseProvisioning](#enforceenterpriseprovisioning) |   |  |  |  |
-| [Mobile > HideOobe](#hidem) |   |  |  |  |
-
-
-
 
 ## EnableCortanaVoice
 
@@ -41,9 +36,3 @@ When set to **True**, it hides the interactive OOBE flow for Windows 10.
 
 When set to **False**, the OOBE screens are displayed.
 
-## EnforceEnterpriseProvisioning
-
-When set to **True**, it forces the OOBE flow into using the enterprise provisioning page without making the user interact with the Windows button. This is the default setting.
-
-When set to **False**, it does not force the OOBE flow to the enterprise provisioning page.
-

From 0cfc2beced99e3aa375b1b4bc33409e324e260fa Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Wed, 10 Nov 2021 21:10:09 -0500
Subject: [PATCH 054/104] Removed Mobile column

---
 windows/configuration/wcd/wcd-privacy.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md
index 5904abff0c..df4e5a7723 100644
--- a/windows/configuration/wcd/wcd-privacy.md
+++ b/windows/configuration/wcd/wcd-privacy.md
@@ -17,9 +17,9 @@ Use **Privacy** to configure settings for app activation with voice.
 
 ## Applies to
 
-| Setting   | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
-| --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | ✔️  | ✔️ | ✔️ |  | ✔️ |
+| Setting   | Windows client | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: |
+| All settings | ✔️  | ✔️ |  | ✔️ |
 
 ## LetAppsActivateWithVoice
 
@@ -27,4 +27,4 @@ Select between **User is in control**, **Force allow**, or **Force deny**.
 
 ## LetAppsActivateWithVoiceAboveLock
 
-Select between **User is in control**, **Force allow**, or **Force deny**.
\ No newline at end of file
+Select between **User is in control**, **Force allow**, or **Force deny**.

From 6fe51b4ed5d3a81d49c765f22da30d47b0956492 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Wed, 10 Nov 2021 21:16:09 -0500
Subject: [PATCH 055/104] Fixed wording

---
 windows/configuration/wcd/wcd-start.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index f07294f5b3..b5e9674a75 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -24,7 +24,7 @@ Use Start settings to apply a customized Start screen to devices.
 | StartLayout | ✔️  | |  |  |
 
 >[!IMPORTANT]
->The StartLayout setting is available in the advanced provisioning for Windows 10 Windows client, but shouldn't be used. For Windows client, use [Policies > StartLayout](wcd-policies.md#start).
+>The StartLayout setting is available in the advanced provisioning for Windows 10, but shouldn't be used. For Windows client, use [Policies > StartLayout](wcd-policies.md#start).
 
 ## StartLayout
 

From 6fe235e54a56a319248bfe59b5b077240eb25bd3 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi 
Date: Thu, 11 Nov 2021 10:06:53 +0530
Subject: [PATCH 056/104] HTMLTableConversionToMD-batch 04

---
 windows/client-management/mdm/get-seats.md    | 118 +----
 .../mdm/healthattestation-csp.md              | 325 +++-----------
 windows/client-management/mdm/hotspot-csp.md  |  33 +-
 ...rver-side-mobile-application-management.md |  42 +-
 ...ent-tool-for-windows-store-for-business.md |  23 +-
 .../mdm/mobile-device-enrollment.md           | 147 +------
 windows/client-management/mdm/nap-csp.md      |  33 +-
 windows/client-management/mdm/napdef-csp.md   |  39 +-
 windows/client-management/mdm/office-csp.md   | 158 +------
 .../mdm/oma-dm-protocol-support.md            | 284 ++----------
 .../mdm/policy-csp-abovelock.md               |  61 +--
 .../mdm/policy-csp-accounts.md                | 150 ++-----
 .../mdm/policy-csp-activexcontrols.md         |  32 +-
 .../policy-csp-admx-activexinstallservice.md  |  33 +-
 .../mdm/policy-csp-admx-addremoveprograms.md  | 411 ++++--------------
 15 files changed, 308 insertions(+), 1581 deletions(-)

diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md
index a510b2460c..f58ed76669 100644
--- a/windows/client-management/mdm/get-seats.md
+++ b/windows/client-management/mdm/get-seats.md
@@ -1,6 +1,6 @@
 ---
 title: Get seats
-description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business.
+description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business.
 ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F
 ms.reviewer: 
 manager: dansimp
@@ -18,118 +18,34 @@ The **Get seats** operation retrieves the information about active seats in the
 
 ## Request
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    MethodRequest URI
                    GET
                    https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}
                    
+**GET:**
+
+```http
+https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}
+```
 
- 
 ### URI parameters
 
 The following parameters may be specified in the request URI.
 
-
-----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    




                    ParameterTypeDescription
                    productId
                    string
                    Required. Product identifier for an application that is used by the Store for Business.
                    skuId
                    string
                    Required. Product identifier that specifies a specific SKU of an application.
                    continuationToken
                    string
                    Optional.
                    maxResults
                    int32
                    Optional. Default = 25, Maximum = 100
                    
+|Parameter|Type|Description|
+|--- |--- |--- |
+|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
+|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
+|continuationToken|string|Optional.|
+|maxResults|int32|Optional. Default = 25, Maximum = 100|
 
- 
 ## Response
 
 ### Response body
 
 The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset).
 
-
------
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    





                    Error codeDescriptionRetryData field
                    400
                    Invalid parameters
                    No
                    Parameter name
                    
-
                    Reason: Missing parameter or invalid parameter
                    
-
                    Details: String
                    404
                    Not found
                    409
                    Conflict
                    Reason: Not online
                    
-
- 
-
- 
-
-
+|Error code|Description|Retry|Data field|
+|--- |--- |--- |--- |
+|400|Invalid parameters|No|Parameter name 
                     Reason: Missing parameter or invalid parameter 
                     Details: String|
+|404|Not found|||
+|409|Conflict||Reason: Not online|
 
 
 
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 32bdbb1eca..b29bed482b 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -551,77 +551,16 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes
 
 ![healthattestation service diagram.](images/healthattestation_2.png)
 
- 
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    DHA-Service typeDescriptionOperation cost
                    Device Health Attestation – Cloud 
                    (DHA-Cloud)
                    DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
                    
-
                      
-
                    • Available in Windows for free
                      • 
-
                    • Running on a high-availability and geo-balanced cloud infrastructure 
                      • 
-
                    • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
                      • 
-
                    • Accessible to all enterprise-managed devices via following:
-
                        
-
                      • FQDN = has.spserv.microsoft.com) port
                        • 
-
                      • Port = 443
                        • 
-
                      • Protocol = TCP
                        • 
-
                       
-
                      • 
-
                    
-                    		No cost
                    Device Health Attestation – On Premise
                    (DHA-OnPrem)
                    DHA-OnPrem refers to DHA-Service that is running on premises:
                    
-
                      
-
                    • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) 
                      • 
-
                    • Hosted on an enterprise owned and managed server device/hardware
                      • 
-
                    • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                      • 
-
                    • Accessible to all enterprise-managed devices via following:
                      
-
                        
-
                      • FQDN = (enterprise assigned)
                        • 
-
                      • Port = (enterprise assigned)
                        • 
-
                      • Protocol = TCP
                        • 
-
                      
-
                      • 
-
                    		The operation cost of running one or more instances of Server 2016 on-premises.
                    Device Health Attestation - Enterprise-Managed Cloud
                    (DHA-EMC)
                    DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
                    
-
                      
-
                    • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
                      • 
-
                    • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios 
                      • 
-
                    • Accessible to all enterprise-managed devices via following:
                      
-
                        
-
                      • FQDN = (enterprise assigned)
                        • 
-
                      • Port = (enterprise assigned)
                        • 
-
                      • Protocol = TCP
                        • 
-
                      
-
                      • 
-
                    		The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
                    
+|DHA-Service type|Description|Operation cost|
+|--- |--- |--- |
+|Device Health Attestation – Cloud (DHA-Cloud)|DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
                  • Available in Windows for free
                  • Running on a high-availability and geo-balanced cloud infrastructure 
                  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
                  • Accessible to all enterprise-managed devices via following:
                    • FQDN = has.spserv.microsoft.com port
                    • Port = 443
                    • Protocol = TCP|No cost
                    • |
+|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
                  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) 
                  • Hosted on an enterprise owned and managed server device/hardware
                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                  • Accessible to all enterprise-managed devices via following:
                    • FQDN = (enterprise assigned)
                    • Port = (enterprise assigned)
                    • Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
                    • |
+|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
                  • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
                  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios 
                  • Accessible to all enterprise-managed devices via following:
                       
                    • FQDN = (enterprise assigned)
                    • Port = (enterprise assigned)
                    • Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
                    • |
 
 ### CSP diagram and node descriptions  
 
-
-The following shows the Device HealthAttestation configuration service provider in tree format.  
+The following shows the Device HealthAttestation configuration service provider in tree format. 
+ 
 ```
 ./Vendor/MSFT
 HealthAttestation
@@ -1263,214 +1202,48 @@ Each of these are described in further detail in the following sections, along w
 
 ### **Device HealthAttestation CSP status and error codes**
 
-
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-    
-        
-        
-        
-    
-
-
                    Error codeError nameDescription
                    0HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZEDThis is the initial state for devices that have never participated in a DHA-Session. 
                    1HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTEDThis state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
                    2HEALTHATTESTATION_CERT_RETRIEVAL_FAILEDThis state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
                    3HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETEThis state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.
                    4HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAILDeprecated in Windows 10, version 1607.
                    5HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAILDHA-CSP failed to get a claim quote.
                    6HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READYDHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
                    7HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAILDHA-CSP failed in retrieving Windows AIK
                    8HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAILDeprecated in Windows 10, version 1607.
                    9HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSIONInvalid TPM version (TPM version is not 1.2 or 2.0)
                    10HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAILNonce was not found in the registry.
                    11HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAILCorrelation ID was not found in the registry.
                    12HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAILDeprecated in Windows 10, version 1607.
                    13HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAILDeprecated in Windows 10, version 1607.
                    14HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAILFailure in Encoding functions. (Extremely unlikely scenario)
                    15HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAILDeprecated in Windows 10, version 1607.
                    16HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XMLDHA-CSP failed to load the payload it received from DHA-Service 
                    17HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XMLDHA-CSP received a corrupted response from DHA-Service.
                    18HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XMLDHA-CSP received an empty response from DHA-Service.
                    19HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EKDHA-CSP failed in decrypting the AES key from the EK challenge.
                    20HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EKDHA-CSP failed in decrypting the health cert with the AES key.
                    21HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUBDHA-CSP failed in exporting the AIK Public Key.
                    22HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLYDHA-CSP failed in trying to create a claim with AIK attestation data.
                    23HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUBDHA-CSP failed in appending the AIK Pub to the request blob.
                    24HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERTDHA-CSP failed in appending the AIK Cert to the request blob.
                    25HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLEDHA-CSP failed to obtain a Session handle.
                    26HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLEDHA-CSP failed to connect to the DHA-Service.
                    27HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLEDHA-CSP failed to create an HTTP request handle.
                    28HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTIONDHA-CSP failed to set options.
                    29HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERSDHA-CSP failed to add request headers.
                    30HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUESTDHA-CSP failed to send the HTTP request.
                    31HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSEDHA-CSP failed to receive a response from the DHA-Service.
                    32HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERSDHA-CSP failed to query headers when trying to get HTTP status code.
                    33HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSEDHA-CSP received an empty response from DHA-Service even though HTTP status was OK.
                    34HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSEDHA-CSP received an empty response along with an HTTP error code from DHA-Service.
                    35HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USERDHA-CSP failed to impersonate user.
                    36HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATORDHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.
                    0xFFFFHEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWNDHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.
                    400Bad_Request_From_ClientDHA-CSP has received a bad (malformed) attestation request.
                    404Endpoint_Not_ReachableDHA-Service is not reachable by DHA-CSP
                    
+|Error code|Error name|Description|
+|--- |--- |--- |
+|0|HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED|This is the initial state for devices that have never participated in a DHA-Session.|
+|1|HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED|This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.|
+|2|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED|This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.|
+|3|HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE|This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.|
+|4|HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL|Deprecated in Windows 10, version 1607.|
+|5|HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL|DHA-CSP failed to get a claim quote.|
+|6|HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY|DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.|
+|7|HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL|DHA-CSP failed in retrieving Windows AIK|
+|8|HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL|Deprecated in Windows 10, version 1607.|
+|9|HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION|Invalid TPM version (TPM version is not 1.2 or 2.0)|
+|10|HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL|Nonce was not found in the registry.|
+|11|HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL|Correlation ID was not found in the registry.|
+|12|HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL|Deprecated in Windows 10, version 1607.|
+|13|HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL|Deprecated in Windows 10, version 1607.|
+|14|HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL|Failure in Encoding functions. (Extremely unlikely scenario)|
+|15|HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL|Deprecated in Windows 10, version 1607.|
+|16|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML|DHA-CSP failed to load the payload it received from DHA-Service|
+|17|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML|DHA-CSP received a corrupted response from DHA-Service.|
+|18|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML|DHA-CSP received an empty response from DHA-Service.|
+|19|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK|DHA-CSP failed in decrypting the AES key from the EK challenge.|
+|20|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK|DHA-CSP failed in decrypting the health cert with the AES key.|
+|21|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB|DHA-CSP failed in exporting the AIK Public Key.|
+|22|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY|DHA-CSP failed in trying to create a claim with AIK attestation data.|
+|23|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB|DHA-CSP failed in appending the AIK Pub to the request blob.|
+|24|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT|DHA-CSP failed in appending the AIK Cert to the request blob.|
+|25|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE|DHA-CSP failed to obtain a Session handle.|
+|26|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE|DHA-CSP failed to connect to the DHA-Service.|
+|27|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE|DHA-CSP failed to create an HTTP request handle.|
+|28|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION|DHA-CSP failed to set options.|
+|29|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS|DHA-CSP failed to add request headers.|
+|30|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST|DHA-CSP failed to send the HTTP request.|
+|31|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE|DHA-CSP failed to receive a response from the DHA-Service.|
+|32|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS|DHA-CSP failed to query headers when trying to get HTTP status code.|
+|33|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE|DHA-CSP received an empty response from DHA-Service even though HTTP status was OK.|
+|34|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE|DHA-CSP received an empty response along with an HTTP error code from DHA-Service.|
+|35|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER|DHA-CSP failed to impersonate user.|
+|36|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR|DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.|
+|0xFFFF|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN|DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.|
+|400|Bad_Request_From_Client|DHA-CSP has received a bad (malformed) attestation request.|
+|404|Endpoint_Not_Reachable|DHA-Service is not reachable by DHA-CSP|
 
 ### DHA-Report V3 schema
 
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index 0672037cf9..ab23f17606 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -186,34 +186,11 @@ The DLL must be code signed in a specific way, see [Sign binaries and packages](
 
 During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    ValueDescription
                    ENTITLEMENT_SUCCESS
                    The device is allowed to connect to the server.
                    ENTITLEMENT_FAILED
                    The device is not allowed to connect to the server
                    ENTITLEMENT_UNAVAILABLE
                    The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.
                    
-
- 
+|Value|Description|
+|--- |--- |
+|**ENTITLEMENT_SUCCESS**|The device is allowed to connect to the server.|
+|**ENTITLEMENT_FAILED**|The device is not allowed to connect to the server|
+|**ENTITLEMENT_UNAVAILABLE**|The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.|
 
 The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit.
 
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 68633b48af..65f11b56b4 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -129,40 +129,8 @@ If the MAM device is properly configured for MDM enrollment, then the Enroll onl
 
 We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature.
 
-
------
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    





                    Update channelPrimary purposeLOB Tattoo availabilityDefault update channel for the products
                    Current channelProvide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. March 9 2017
                    Visio Pro for Office 365
                    
-
                    Project Desktop Client
                    
-
                    Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)
                    Deferred channelProvide users with new features of Office only a few times a year.October 10 2017Microsoft 365 Apps for enterprise
                    First release for Deferred channelProvide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. June 13 2017
                    
\ No newline at end of file
+|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products|
+|--- |--- |--- |--- |
+|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365
                    Project Desktop Client
                    Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)|
+|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise|
+|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017||
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index f2da07d4e2..af0d01f75e 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -34,26 +34,11 @@ For additional information about Store for Business, see the TechNet topics in [
 
 The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
                    



                    Application data
                    The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
                    Licensing models
                    Offline vs. Online
                    
-
                    Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
                    
-
                    Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
                    
+- **Application data**:The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
 
- 
+- **Licensing models**:
+     - **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
+     - **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
 
 ### Offline-licensed application distribution
 
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index d1ada9afe6..8b9380767e 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -110,75 +110,15 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
 
 ```
 
-
-------
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    






                    NamespaceSubcodeErrorDescriptionHRESULT
                    s:
                    MessageFormat
                    MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
                    Invalid message from the Mobile Device Management (MDM) server.
                    80180001
                    s:
                    Authentication
                    MENROLL_E_DEVICE_AUTHENTICATION_ERROR
                    The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.
                    80180002
                    s:
                    Authorization
                    MENROLL_E_DEVICE_AUTHORIZATION_ERROR
                    The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.
                    80180003
                    s:
                    CertificateRequest
                    MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR
                    The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.
                    80180004
                    s:
                    EnrollmentServer
                    MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
                    		The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.
                    80180005
                    a:
                    InternalServiceFault
                    MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
                     There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.
                    80180006
                    a:
                    InvalidSecurity
                    MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
                    The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.
                    80180007
                    
+|Namespace|Subcode|Error|Description|HRESULT|
+|--- |--- |--- |--- |--- |
+|s:|MessageFormat|MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|Invalid message from the Mobile Device Management (MDM) server.|80180001|
+|s:|Authentication|MENROLL_E_DEVICE_AUTHENTICATION_ERROR|The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.|80180002|
+|s:|Authorization|MENROLL_E_DEVICE_AUTHORIZATION_ERROR|The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.|80180003|
+|s:|CertificateRequest|MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR|The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.|80180004|
+|s:|EnrollmentServer|MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.|80180005|
+|a:|InternalServiceFault|MENROLL_E_DEVICE_INTERNALSERVICE_ERROR|There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.|80180006|
+|a:|InvalidSecurity|MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.|80180007|
 
 In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example:
 
@@ -212,66 +152,15 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
 
 ```
 
-
------
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    





                    SubcodeErrorDescriptionHRESULT
                    DeviceCapReached
                    MENROLL_E_DEVICECAPREACHED
                    The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.
                    80180013
                    DeviceNotSupported
                    MENROLL_E_DEVICENOTSUPPORTED
                    The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.
                    80180014
                    NotSupported
                    MENROLL_E_NOT_SUPPORTED
                    Mobile Device Management (MDM) is generally not supported for this device.
                    80180015
                    NotEligibleToRenew
                    MENROLL_E_NOTELIGIBLETORENEW
                    The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.
                    80180016
                    InMaintenance
                    MENROLL_E_INMAINTENANCE
                    The Mobile Device Management (MDM) server states your account is in maintenance, try again later.
                    80180017
                    UserLicense
                    MENROLL_E_USER_LICENSE
                    There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.
                    80180018
                    InvalidEnrollmentData
                    MENROLL_E_ENROLLMENTDATAINVALID
                    The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.
                    80180019
                    
+|Subcode|Error|Description|HRESULT|
+|--- |--- |--- |--- |
+|DeviceCapReached|MENROLL_E_DEVICECAPREACHED|The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.|80180013|
+|DeviceNotSupported|MENROLL_E_DEVICENOTSUPPORTED|The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.|80180014|
+|NotSupported|MENROLL_E_NOT_SUPPORTED|Mobile Device Management (MDM) is generally not supported for this device.|80180015|
+|NotEligibleToRenew|MENROLL_E_NOTELIGIBLETORENEW|The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.|80180016|
+|InMaintenance|MENROLL_E_INMAINTENANCE|The Mobile Device Management (MDM) server states your account is in maintenance, try again later.|80180017|
+|UserLicense|MENROLL_E_USER_LICENSE|There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.|80180018|
+|InvalidEnrollmentData|MENROLL_E_ENROLLMENTDATAINVALID|The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.|80180019|
 
 TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
 
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index 89d18c8eff..a46cce0ddf 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -87,34 +87,11 @@ Required. Specifies the type of address used to identify the destination network
 
 The following table shows some commonly used ADDRTYPE values and the types of connection that corresponds with each value.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    ADDRTYPE ValueConnection Type
                    E164
                    RAS connections
                    APN
                    GPRS connections
                    ALPHA
                    Wi-Fi-based connections
                    
-
- 
+|ADDRTYPE Value|Connection Type|
+|--- |--- |
+|E164|RAS connections|
+|APN|GPRS connections|
+|ALPHA|Wi-Fi-based connections|
 
 ***NAPX*/AuthInfo**  
 Optional node. Specifies the authentication information, including the protocol, user name, and password.
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index bf9a0bc281..2c7ac27df6 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -127,39 +127,12 @@ The name of the *NAPID* element is the same as the value passed during initial b
 
 The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    ElementsAvailable
                    Parm-query
                    Yes
                    
-
                    Note that some GPRS parameters will not necessarily contain the exact same value as was set.
                    Noparm
                    Yes
                    Nocharacteristic
                    Yes
                    Characteristic-query
                    Yes
                    
-
- 
+|Elements|Available|
+|--- |--- |
+|Parm-query|Yes 
                    Note that some GPRS parameters will not necessarily contain the exact same value as was set.|
+|Noparm|Yes|
+|Nocharacteristic|Yes|
+|Characteristic-query|Yes|
 
 ## Related topics
 
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index 7516e3c411..e6f3f66cd6 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -151,140 +151,24 @@ To get the current status of Office 365 on the device.
 
 ## Status code
 
-
-----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    




                    StatusDescriptionComment
                    0Installation succeededOK
                    997Installation in progress
                    13ERROR_INVALID_DATA 
-
                    Cannot verify signature of the downloaded Office Deployment Tool (ODT)
                    		Failure
                    1460ERROR_TIMEOUT 
-
                    Failed to download ODT
                    		Failure
                    1602 ERROR_INSTALL_USEREXIT 
-
                    User cancelled the installation 
                    		Failure
                    1603ERROR_INSTALL_FAILURE
-
                    Failed any pre-req check.
                    
-
                      
-
                    • SxS (Tried to install when 2016 MSI is installed)
                      • 
-
                    • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)
                      • 
-
                    
-                    		Failure
                    17000ERROR_PROCESSPOOL_INITIALIZATION 
-
                    Failed to start C2RClient 
                    		Failure
                    17001ERROR_QUEUE_SCENARIO 
-
                    Failed to queue installation scenario in C2RClient
                    		Failure
                    17002ERROR_COMPLETING_SCENARIO 
-
                    Failed to complete the process. Possible reasons:
                    
-
                      
-
                    • Installation cancelled by user
                      • 
-
                    • Installation cancelled by another installation
                      • 
-
                    • Out of disk space during installation 
                      • 
-
                    • Unknown language ID
                      • 
-
                    		Failure
                    17003ERROR_ANOTHER_RUNNING_SCENARIO 
-
                    Another scenario is running
                    		Failure
                    17004ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
-
                    Possible reasons:
                    
-
                       
-
                    • Unknown SKUs
                      • 
-
                    • Content does't exist on CDN
-
                      • such as trying to install an unsupported LAP, like zh-sg
                        • 
-
                      • CDN issue that content is not available
                      
-
                      • 
-
                    • Signature check issue, such as failed the signature check for Office content
                      • 
-
                    • User cancelled
-
                    
-                    		Failure
                    17005ERROR_SCENARIO_CANCELLED_AS_PLANNEDFailure
                    17006ERROR_SCENARIO_CANCELLED
-
                    Blocked update by running apps
                    		Failure
                    17007ERROR_REMOVE_INSTALLATION_NEEDED
-
                    The client is requesting client clean up in a "Remove Installation" scenario
                    		Failure
                    17100ERROR_HANDLING_COMMAND_LINE
-
                    C2RClient command line error 
                    		Failure
                    0x80004005E_FAIL 
-
                    ODT cannot be used to install Volume license
                    		Failure
                    0x8000ffff E_UNEXPECTED
-
                    Tried to uninstall when there is no C2R Office on the machine.
                    		Failure
                    
\ No newline at end of file
+|Status|Description|Comment|
+|--- |--- |--- |
+|0|Installation succeeded|OK|
+|997|Installation in progress||
+|13|ERROR_INVALID_DATA 
                    Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure|
+|1460|ERROR_TIMEOUT 
                    Failed to download ODT|Failure|
+|1602|ERROR_INSTALL_USEREXIT 
                    User cancelled the installation|Failure|
+|1603|ERROR_INSTALL_FAILURE
                    Failed any pre-req check.
                  • SxS (Tried to install when 2016 MSI is installed)
                  • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
+|17000|ERROR_PROCESSPOOL_INITIALIZATION 
+Failed to start C2RClient|Failure|
+|17001|ERROR_QUEUE_SCENARIO 
+Failed to queue installation scenario in C2RClient|Failure|
+|17002|ERROR_COMPLETING_SCENARIO 
                    Failed to complete the process. Possible reasons:
                  • Installation cancelled by user
                  • Installation cancelled by another installation
                  • Out of disk space during installation 
                  • Unknown language ID|Failure|
+|17003|ERROR_ANOTHER_RUNNING_SCENARIO 
                    Another scenario is running|Failure|
+|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
                    Possible reasons:
                  • Unknown SKUs
                  • Content does't exist on CDN
                    • such as trying to install an unsupported LAP, like zh-sg
                    • CDN issue that content is not available
                  • Signature check issue, such as failed the signature check for Office content
                  • User cancelled|Failure|
+|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure|
+|17006|ERROR_SCENARIO_CANCELLED
                    Blocked update by running apps|Failure|
+|17007|ERROR_REMOVE_INSTALLATION_NEEDED
                    The client is requesting client clean up in a "Remove Installation" scenario|Failure|
+|17100|ERROR_HANDLING_COMMAND_LINE
                    C2RClient command line error|Failure|
+|0x80004005|E_FAIL 
                    ODT cannot be used to install Volume license|Failure|
+|0x8000ffff|E_UNEXPECTED
                    Tried to uninstall when there is no C2R Office on the machine.|Failure|
diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index 5e8ad6957f..8fac08e56a 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -35,113 +35,17 @@ The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA
 
 The following table shows the OMA DM standards that Windows uses.
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    General areaOMA DM standard that is supported
                    Data transport and session
                      
-
                    • Client-initiated remote HTTPS DM session over SSL.
                      • 
-
                    • Remote HTTPS DM session over SSL.
                      • 
-
                    • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
                      • 
-
                    • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.
                      • 
-
                    Bootstrap XML
                      
-
                    • OMA Client Provisioning XML.
                      • 
-
                    DM protocol commands
                    The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
                    
-
                      
-
                    • Add (Implicit Add supported)
                      • 
-
                    • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                      • 
-
                    • Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
                      • 
-
                    • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                      • 
-
                    • Exec: Invokes an executable on the client device
                      • 
-
                    • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                      • 
-
                    • Replace: Overwrites data on the client device
                      • 
-
                    • Result: Returns the data results of a Get command to the DM server
                      • 
-
                    • Sequence: Specifies the order in which a group of commands must be processed
                      • 
-
                    • Status: Indicates the completion status (success or failure) of an operation
                      • 
-
                    
-
                    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                    
-
                      
-
                    • SyncBody
                      • 
-
                    • Atomic
                      • 
-
                    • Sequence
                      • 
-
                    
-
                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
                    
-
                    If Atomic elements are nested, the following status codes are returned:
                    
-
                      
-
                    • The nested Atomic command returns 500.
                      • 
-
                    • The parent Atomic command returns 507.
                      • 
-
                    
-
                    For more information about the Atomic command, see OMA DM protocol common elements.
                    
-
                    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
                    
-
                    LocURI cannot start with "/".
                    
-
                    Meta XML tag in SyncHdr is ignored by the device.
                    OMA DM standard objects
                      
-
                    • DevInfo
                      • 
-
                    • DevDetail
                      • 
-
                    • OMA DM DMS account objects (OMA DM version 1.2)
                      • 
-
                    Security
                      
-
                    • Authenticate DM server initiation notification SMS message (not used by enterprise management)
                      • 
-
                    • Application layer Basic and MD5 client authentication
                      • 
-
                    • Authenticate server with MD5 credential at application level
                      • 
-
                    • Data integrity and authentication with HMAC at application level
                      • 
-
                    • SSL level certificate based client/server authentication, encryption, and data integrity check
                      • 
-
                    Nodes
                    In the OMA DM tree, the following rules apply for the node name:
                    
-
                      
-
                    • "." can be part of the node name.
                      • 
-
                    • The node name cannot be empty.
                      • 
-
                    • The node name cannot be only the asterisk (*) character.
                      • 
-
                    Provisioning Files
                    Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
                    
-
                    If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                    
-
                    
-Note
                    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                    
-
                    
-
                    
-
-
                    WBXML support
                    Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.
                    Handling of large objects
                    In Windows 10, version 1511, client support for uploading large objects to the server was added.
                    
+|General area|OMA DM standard that is supported|
+|--- |--- |
+|Data transport and session|
                  • Client-initiated remote HTTPS DM session over SSL.
                  • Remote HTTPS DM session over SSL.
                  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
                  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
+|Bootstrap XML|OMA Client Provisioning XML.|
+|DM protocol commands|The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                  • Add (Implicit Add supported)
                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                  • Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                  • Exec: Invokes an executable on the client device
                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                  • Replace: Overwrites data on the client device
                  • Result: Returns the data results of a Get command to the DM server
                  • Sequence: Specifies the order in which a group of commands must be processed
                  • Status: Indicates the completion status (success or failure) of an operation
                    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                  • SyncBody
                  • Atomic
                  • Sequence
                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
                    If Atomic elements are nested, the following status codes are returned:
                  • The nested Atomic command returns 500.
                  • The parent Atomic command returns 507.
                    For more information about the Atomic command, see OMA DM protocol common elements.
                    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
                    LocURI cannot start with "/".
                    Meta XML tag in SyncHdr is ignored by the device.|
+|OMA DM standard objects|DevInfo
                  • DevDetail
                  • OMA DM DMS account objects (OMA DM version 1.2)|
+|Security|
                  • Authenticate DM server initiation notification SMS message (not used by enterprise management)
                  • Application layer Basic and MD5 client authentication
                  • Authenticate server with MD5 credential at application level
                  • Data integrity and authentication with HMAC at application level
                  • SSL level certificate based client/server authentication, encryption, and data integrity check|
+|Nodes|In the OMA DM tree, the following rules apply for the node name:
                  • "" can be part of the node name.
                  • The node name cannot be empty.
                  • The node name cannot be only the asterisk (*) character.|
+|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
                    If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                    **Note**
                    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                    |
+|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
+|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
 
 
 
@@ -149,99 +53,26 @@ The following table shows the OMA DM standards that Windows uses.
 
 Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    ElementDescription
                    Chal
                    Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.
                    Cmd
                    Specifies the name of an OMA DM command referenced in a Status element.
                    CmdID
                    Specifies the unique identifier for an OMA DM command.
                    CmdRef
                    Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.
                    Cred
                    Specifies the authentication credential for the originator of the message.
                    Final
                    Indicates that the current message is the last message in the package.
                    LocName
                    Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.
                    LocURI
                    Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
                    MsgID
                    Specifies a unique identifier for an OMA DM session message.
                    MsgRef
                    Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.
                    RespURI
                    Specifies the URI that the recipient must use when sending a response to this message.
                    SessionID
                    Specifies the identifier of the OMA DM session associated with the containing message.
                    
-
                    
-Note  If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
-
                    
-
                    
-
-
                    Source
                    Specifies the message source address.
                    SourceRef
                    Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.
                    Target
                    Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.
                    TargetRef
                    Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.
                    VerDTD
                    Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.
                    VerProto
                    Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.
                    
-
+|Element|Description|
+|--- |--- |
+|Chal|Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.|
+|Cmd|Specifies the name of an OMA DM command referenced in a Status element.|
+|CmdID|Specifies the unique identifier for an OMA DM command.|
+|CmdRef|Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.|
+|Cred|Specifies the authentication credential for the originator of the message.|
+|Final|Indicates that the current message is the last message in the package.|
+|LocName|Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.|
+|LocURI|Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.|
+|MsgID|Specifies a unique identifier for an OMA DM session message.|
+|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.|
+|RespURI|Specifies the URI that the recipient must use when sending a response to this message.|
+|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
                    **Note**
                      If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
                    |
+|Source|Specifies the message source address.|
+|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.|
+|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.|
+|TargetRef|Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.|
+|VerDTD|Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.|
+|VerProto|Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.|
 
 ## Device management session
 
@@ -257,52 +88,13 @@ A DM session can be divided into two phases:
 
 The following table shows the sequence of events during a typical DM session.
 
-
-----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    




                    StepActionDescription
                    1
                    DM client is invoked to call back to the management server
                    
-
                    Enterprise scenario – The device task schedule invokes the DM client.
                    The MO server sends a server trigger message to invoke the DM client.
                    
-
                    The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
                    
-
                    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
                    2
                    The device sends a message, over an IP connection, to initiate the session.
                    This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
                    3
                    The DM server responds, over an IP connection (HTTPS).
                    The server sends initial device management commands, if any.
                    4
                    The device responds to server management commands.
                    This message includes the results of performing the specified device management operations.
                    5
                    The DM server terminates the session or sends another command.
                    The DM session ends, or Step 4 is repeated.
                    
-
-
+|Step|Action|Description|
+|--- |--- |--- |
+|1|DM client is invoked to call back to the management server

                    Enterprise scenario – The device task schedule invokes the DM client.|The MO server sends a server trigger message to invoke the DM client.

                    The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

                    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.|
+|2|The device sends a message, over an IP connection, to initiate the session.|This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.|
+|3|The DM server responds, over an IP connection (HTTPS).|The server sends initial device management commands, if any.|
+|4|The device responds to server management commands.|This message includes the results of performing the specified device management operations.|
+|5|The DM server terminates the session or sends another command.|The DM session ends, or Step 4 is repeated.|
 
 The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
 
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index c3d8c37963..b1b74f16be 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -38,33 +38,13 @@ manager: dansimp
 **AboveLock/AllowCortanaAboveLock**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
 
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProYesYes
                    EnterpriseYesYes
                    EducationYesYes
                    
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
@@ -105,28 +85,13 @@ The following list shows the supported values:
 **AboveLock/AllowToasts**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-
-
-    
-    
-
-
-    
-    
-
-
-    
-    
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProYes, starting in Windows 10, version 1607Yes
                    EnterpriseYes, starting in Windows 10, version 1607Yes
                    EducationYes, starting in Windows 10, version 1607Yes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes, starting in Windows 10, version 1607|Yes|
+|Enterprise|Yes, starting in Windows 10, version 1607|Yes|
+|Education|Yes, starting in Windows 10, version 1607|Yes|
 
 
 
                    
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index ed466fe64a..795f89e92c 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -40,43 +40,15 @@ manager: dansimp
 **Accounts/AllowAddingNonMicrosoftAccountsManually**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProYesYes
                    EnterpriseYesYes
                    EducationYesYes
                    MobileYesYes
                    Mobile EnterpriseYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|Yes|Yes|
+|Mobile Enterprise|Yes|Yes|
 
 
 
                    
@@ -114,48 +86,16 @@ The following list shows the supported values:
 **Accounts/AllowMicrosoftAccountConnection**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProYesYes
                    BusinessYesYes
                    EnterpriseYesYes
                    EducationYesYes
                    MobileYesYes
                    Mobile EnterpriseYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|Yes|Yes|
+|Mobile Enterprise|Yes|Yes|
 
 
 
                    
@@ -190,48 +130,16 @@ The following list shows the supported values:
 **Accounts/AllowMicrosoftAccountSignInAssistant**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProYesYes
                    BusinessYesYes
                    EnterpriseYesYes
                    EducationYesYes
                    MobileYesYes
                    Mobile EnterpriseYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+|Mobile|Yes|Yes|
+|Mobile Enterprise|Yes|Yes|
 
 
 
                    
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 95c9e7d80b..60248d3ecc 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -40,31 +40,13 @@ manager: dansimp
 **ActiveXControls/ApprovedInstallationSites**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProYesYes
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
index c574952e31..0b63ffc56d 100644
--- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
+++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
@@ -40,31 +40,14 @@ manager: dansimp
 **ADMX_ActiveXInstallService/AxISURLZonePolicies**  
 
 
-
-
-    
-    
-    
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProYesYes
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
 
 
 
                    
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
index dfb1da857f..de3506d5e5 100644
--- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
+++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
@@ -70,20 +70,10 @@ manager: dansimp
 **ADMX_AddRemovePrograms/DefaultCategory**  
 
 
-
-
-    
-    
-    
-
-
-    
-     
-     
-
 
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
 
 
 
                    
@@ -135,34 +125,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoAddFromCDorFloppy**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-
-
-    
-    
-    
-
-
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    Business
                    EnterpriseYesYes
                    Education
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|||
+|Enterprise|Yes|Yes|
+|Education|||
 
 
 
                    
@@ -212,38 +182,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoAddFromInternet**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    BusinessNoNo
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
@@ -294,38 +240,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoAddFromNetwork**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    BusinessNoNo
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
@@ -377,38 +299,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoAddPage**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    BusinessNoNo
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
@@ -456,38 +354,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoAddRemovePrograms**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    BusinessNoNo
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
@@ -535,38 +409,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoChooseProgramsPage**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    BusinessNoNo
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
@@ -615,37 +465,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoRemovePage**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    BusinessNoNo
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
@@ -693,38 +520,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoServices**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    BusinessNoNo
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
@@ -775,38 +578,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoSupportInfo**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    BusinessNoNo
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    
@@ -856,38 +635,14 @@ ADMX Info:
 **ADMX_AddRemovePrograms/NoWindowsSetupPage**  
 
 
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
-    
-    
-    
-
-
                    EditionWindows 10Windows 11
                    HomeNoNo
                    ProNoNo
                    BusinessNoNo
                    EnterpriseYesYes
                    EducationYesYes
                    
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
 
 
 
                    

From 3dde25d7423a6bc50f00997cc8506643f45b71a5 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi 
Date: Thu, 11 Nov 2021 10:17:52 +0530
Subject: [PATCH 057/104] Fixing Acrolinx score

---
 windows/client-management/mdm/office-csp.md        | 14 +++++++-------
 .../mdm/oma-dm-protocol-support.md                 | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index e6f3f66cd6..d505f71d74 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -18,7 +18,7 @@ The Office configuration service provider (CSP) enables a Microsoft Office clien
 
 This CSP was added in Windows 10, version 1703.
 
-For additional information, see [Office DDF](office-ddf.md).
+For more information, see [Office DDF](office-ddf.md).
 
 The following shows the Office configuration service provider in tree format.
 ```
@@ -78,7 +78,7 @@ Behavior:
 -  When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it.
 -  When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values:  
     - When status = 0: 70 (succeeded)
-    - When status != 0: 60 (failed)
+    - When status!= 0: 60 (failed)
 
 **Installation/CurrentStatus**  
 Returns an XML of current Office 365 installation status on the device.
@@ -157,18 +157,18 @@ To get the current status of Office 365 on the device.
 |997|Installation in progress||
 |13|ERROR_INVALID_DATA 
                    Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure|
 |1460|ERROR_TIMEOUT 
                    Failed to download ODT|Failure|
-|1602|ERROR_INSTALL_USEREXIT 
                    User cancelled the installation|Failure|
+|1602|ERROR_INSTALL_USEREXIT 
                    User canceled the installation|Failure|
 |1603|ERROR_INSTALL_FAILURE
                    Failed any pre-req check.
                  • SxS (Tried to install when 2016 MSI is installed)
                  • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
 |17000|ERROR_PROCESSPOOL_INITIALIZATION 
 Failed to start C2RClient|Failure|
 |17001|ERROR_QUEUE_SCENARIO 
 Failed to queue installation scenario in C2RClient|Failure|
-|17002|ERROR_COMPLETING_SCENARIO 
                    Failed to complete the process. Possible reasons:
                  • Installation cancelled by user
                  • Installation cancelled by another installation
                  • Out of disk space during installation 
                  • Unknown language ID|Failure|
+|17002|ERROR_COMPLETING_SCENARIO 
                    Failed to complete the process. Possible reasons:
                  • Installation canceled by user
                  • Installation canceled by another installation
                  • Out of disk space during installation 
                  • Unknown language ID|Failure|
 |17003|ERROR_ANOTHER_RUNNING_SCENARIO 
                    Another scenario is running|Failure|
-|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
                    Possible reasons:
                  • Unknown SKUs
                  • Content does't exist on CDN
                    • such as trying to install an unsupported LAP, like zh-sg
                    • CDN issue that content is not available
                  • Signature check issue, such as failed the signature check for Office content
                  • User cancelled|Failure|
+|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
                    Possible reasons:
                  • Unknown SKUs
                  • Content does't exist on CDN
                    • Such as trying to install an unsupported LAP, like zh-sg
                    • CDN issue that content is not available
                  • Signature check issue, such as failed the signature check for Office content
                  • User canceled|Failure|
 |17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure|
 |17006|ERROR_SCENARIO_CANCELLED
                    Blocked update by running apps|Failure|
-|17007|ERROR_REMOVE_INSTALLATION_NEEDED
                    The client is requesting client clean up in a "Remove Installation" scenario|Failure|
-|17100|ERROR_HANDLING_COMMAND_LINE
                    C2RClient command line error|Failure|
+|17007|ERROR_REMOVE_INSTALLATION_NEEDED
                    The client is requesting client clean-up in a "Remove Installation" scenario|Failure|
+|17100|ERROR_HANDLING_COMMAND_LINE
                    C2RClient command-line error|Failure|
 |0x80004005|E_FAIL 
                    ODT cannot be used to install Volume license|Failure|
 |0x8000ffff|E_UNEXPECTED
                    Tried to uninstall when there is no C2R Office on the machine.|Failure|
diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index 8fac08e56a..e0f5141f02 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -39,9 +39,9 @@ The following table shows the OMA DM standards that Windows uses.
 |--- |--- |
 |Data transport and session|
                  • Client-initiated remote HTTPS DM session over SSL.
                  • Remote HTTPS DM session over SSL.
                  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
                  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
 |Bootstrap XML|OMA Client Provisioning XML.|
-|DM protocol commands|The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                  • Add (Implicit Add supported)
                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                  • Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                  • Exec: Invokes an executable on the client device
                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                  • Replace: Overwrites data on the client device
                  • Result: Returns the data results of a Get command to the DM server
                  • Sequence: Specifies the order in which a group of commands must be processed
                  • Status: Indicates the completion status (success or failure) of an operation
                    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                  • SyncBody
                  • Atomic
                  • Sequence
                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
                    If Atomic elements are nested, the following status codes are returned:
                  • The nested Atomic command returns 500.
                  • The parent Atomic command returns 507.
                    For more information about the Atomic command, see OMA DM protocol common elements.
                    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
                    LocURI cannot start with "/".
                    Meta XML tag in SyncHdr is ignored by the device.|
+|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                  • Add (Implicit Add supported)
                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                  • Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                  • Exec: Invokes an executable on the client device
                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                  • Replace: Overwrites data on the client device
                  • Result: Returns the data results of a Get command to the DM server
                  • Sequence: Specifies the order in which a group of commands must be processed
                  • Status: Indicates the completion status (success or failure) of an operation
                    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                  • SyncBody
                  • Atomic
                  • Sequence
                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
                    If Atomic elements are nested, the following status codes are returned:
                  • The nested Atomic command returns 500.
                  • The parent Atomic command returns 507.
                    For more information about the Atomic command, see OMA DM protocol common elements.
                    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
                    LocURI cannot start with "/".
                    Meta XML tag in SyncHdr is ignored by the device.|
 |OMA DM standard objects|DevInfo
                  • DevDetail
                  • OMA DM DMS account objects (OMA DM version 1.2)|
-|Security|
                  • Authenticate DM server initiation notification SMS message (not used by enterprise management)
                  • Application layer Basic and MD5 client authentication
                  • Authenticate server with MD5 credential at application level
                  • Data integrity and authentication with HMAC at application level
                  • SSL level certificate based client/server authentication, encryption, and data integrity check|
+|Security|
                  • Authenticate DM server initiation notification SMS message (not used by enterprise management)
                  • Application layer Basic and MD5 client authentication
                  • Authenticate server with MD5 credential at application level
                  • Data integrity and authentication with HMAC at application level
                  • SSL level certificate-based client/server authentication, encryption, and data integrity check|
 |Nodes|In the OMA DM tree, the following rules apply for the node name:
                  • "" can be part of the node name.
                  • The node name cannot be empty.
                  • The node name cannot be only the asterisk (*) character.|
 |Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
                    If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                    **Note**
                    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                    |
 |WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
@@ -96,7 +96,7 @@ The following table shows the sequence of events during a typical DM session.
 |4|The device responds to server management commands.|This message includes the results of performing the specified device management operations.|
 |5|The DM server terminates the session or sends another command.|The DM session ends, or Step 4 is repeated.|
 
-The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
+The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
 
 During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started.
 
@@ -111,9 +111,9 @@ For CSPs and policies that support per user configuration, the MDM server can se
 
 The data part of this alert could be one of following strings:
 
--   user – the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
--   others – another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device.
--   none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login).
+-   User – the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration
+-   Others – another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device.
+-   None – no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login).
 
 Below is an alert example:
 
@@ -148,7 +148,7 @@ When using SyncML in OMA DM, there are standard response status codes that are r
 | 200         | The SyncML command completed successfully.                                                                                                                                                                                        |
 | 202         | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application.                                                                                                |
 | 212         | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. |
-| 214         | Operation cancelled. The SyncML command completed successfully, but no more commands will be processed within the session.                                                                                                        |
+| 214         | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session.                                                                                                        |
 | 215         | Not executed. A command was not executed as a result of user interaction to cancel the command.                                                                                                                                   |
 | 216         | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully.                                                                                                   |
 | 400         | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed.                                             |

From d4bfd44bf4d09184c092c5cf292335be641c8120 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Thu, 11 Nov 2021 14:21:42 +0530
Subject: [PATCH 058/104] Update
 windows/client-management/mdm/policy-csp-userrights.md

Accepted

Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
 windows/client-management/mdm/policy-csp-userrights.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index dab6c7c86d..831904f3c7 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1083,7 +1083,7 @@ GP Info:
 This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.
 
 > [!NOTE]
-> If you apply this security policy to the Everyone group, no one will be able to log on locally.
+> If you apply this security policy to the **Everyone** group, no one will be able to log on locally.
 
 
 

From c1044532188ff3d396b9536493c726615218c5cc Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Thu, 11 Nov 2021 14:23:04 +0530
Subject: [PATCH 059/104] Update
 windows/client-management/mdm/policy-csp-userrights.md

Accepted

Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
 windows/client-management/mdm/policy-csp-userrights.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 831904f3c7..8959c2173e 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -1080,7 +1080,7 @@ GP Info:
 
 
 
-This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.
+This security setting determines which users are prevented from logging on to the computer. This policy setting supersedes the **Allow log on locally** policy setting if an account is subject to both policies.
 
 > [!NOTE]
 > If you apply this security policy to the **Everyone** group, no one will be able to log on locally.

From 4f9c427fe1879a16e1960551843da11a4bd7f25f Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Thu, 11 Nov 2021 22:12:06 +0530
Subject: [PATCH 060/104]  added windows 11 specification link

after reading this article, i found the windows 11 specification link is missing because TPM 2.0 is required for windows 11. So i added Windows 11 link.
---
 .../information-protection/tpm/how-windows-uses-the-tpm.md       | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index 038e7da093..02e4ee6bff 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -23,6 +23,7 @@ The Windows operating system improves most existing security features in the ope
 
 
 **See also:**
+- [Windows 11 Specifications](https://www.microsoft.com/windows/windows-11-specifications)
 
 - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
 

From 62186164766c1157e7fb0076b2f8fbf2a53d14c0 Mon Sep 17 00:00:00 2001
From: Diana Hanson 
Date: Thu, 11 Nov 2021 09:42:54 -0700
Subject: [PATCH 061/104] Update wcd-policies.md

Fix Acro spelling issues
---
 windows/configuration/wcd/wcd-policies.md | 24 +++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 0e11b80de9..f7629487bb 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -168,7 +168,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star
 | [AllowConnectedDevices](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | ✔️ | ✔️ |  | ✔️ |
 | [AllowNFC](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. |  |   |  | ✔️ |
 | [AllowUSBConnection](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. |  |   |  | ✔️ |
-| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |✔️ |  ✔️ |  | ✔️ |
+| [AllowVPNOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlying connections VPN is allowed to use. |✔️ |  ✔️ |  | ✔️ |
 | [AllowVPNRoamingOverCellular](/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | ✔️ | ✔️ |  | ✔️ |
 | HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | ✔️ | ✔️ |  | ✔️ |
 | HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences.  | ✔️ |  ✔️ |  | ✔️ |
@@ -203,11 +203,11 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star
 | [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files.  | ✔️ |   |  |  |
 | [AllowScriptScanning](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | ✔️ |   |  |  |
 | [AllowUserUIAccess](/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess)  | Allow or disallow user access to the Windows Defender UI.  |  ✔️ |   |   |  |
-| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | ✔️ |  |  |  |
+| [AvgCPULoadFactor](/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defender scan (in percent). | ✔️ |  |  |  |
 | [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware)  | Specify time period (in days) that quarantine items will be stored on the system.  |  ✔️ |   |   |  |
-| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | ✔️ |  |  |  |
+| [ExcludedExtensions](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore during a scan. Separate each file type in the list by using \|. | ✔️ |  |  |  |
 | [ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths)  | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|.  |  ✔️ |   |   |  |
-| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ |  |  |  |
+| [ExcludedProcesses](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore during a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | ✔️ |  |  |  |
 | [RealTimeScanDirection](/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection)  | Control which sets of files should be monitored.  |  ✔️ |   |   |  |
 | [ScanParameter](/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | ✔️ |  |  |  |
 | [ScheduleQuickScanTime](/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime)  | Specify the time of day that Windows Defender quick scan should run.  |  ✔️ |   |   |  |
@@ -231,12 +231,12 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star
 | [DOMaxCacheAge](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | ✔️ |   |  |  |
 | [DOMaxCacheSize](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | ✔️ |   |  |  |
 | [DOMaxDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | ✔️ |  |  |  |
-| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization.  | ✔️ |  |  |  |
+| [DOMaxUploadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity using Delivery Optimization.  | ✔️ |  |  |  |
 | [DOMinBackgroundQos](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | ✔️ |  |  |  |
 | [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | ✔️ |  |  |  |
-| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | ✔️ |  |  |  |
+| [DOMinDiskSizeAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capacity in GB) for the device to use Peer Caching. | ✔️ |  |  |  |
 | [DOMinFileSizeToCache](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | ✔️ |  |  |  |
-| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | ✔️ |  |  |  |
+| [DOMinRAMAllowedToPeer](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB required to use Peer Caching. | ✔️ |  |  |  |
 | [DOModifyCacheDrive](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | ✔️ |  |  |  |
 | [DOMonthlyUploadDataCap](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | ✔️ |   |  |  |
 | [DOPercentageMaxBackDownloadBandwidth](/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | ✔️ |   |  |  |
@@ -294,7 +294,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star
 | [AllowTaskSwitcher](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. |  |   |  |  |
 | [AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | ✔️ |  |  |  |
 | [AllowVoiceRecording](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. |  |   |  |  |
-| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | ✔️ |  |  |  |
+| [AllowWindowsConsumerFeatures](/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggestions, membership notifications, post-OOBE app install, and redirect tiles. | ✔️ |  |  |  |
 | [AllowWindowsSpotlight](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once.  | ✔️ |  |  |  |
 | [AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | ✔️ | |  |  |
 | [AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | ✔️ |  |  |  |
@@ -396,7 +396,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
 | [AllowIndexingEncryptedStoresOrItems](/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | ✔️ |   |  |  |
 | [AllowSearchToUseLocation](/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | ✔️ |   | ✔️ |  |
 | [AllowUsingDiacritics](/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | ✔️ |   |  |  |
-| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

                    - **Off** setting disables Windows indexer
                    - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
                    - **Enterprise** setting reduces potential network loads for enterprises
                    - **Standard** setting is appropriate for consuemrs | ✔️ |   |  |  |
+| [AllowWindowsIndexer](/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

                    - **Off** setting disables Windows indexer
                    - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
                    - **Enterprise** setting reduces potential network loads for enterprises
                    - **Standard** setting is appropriate for consumers | ✔️ |   |  |  |
 | [AlwaysUseAutoLangDetection](/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | ✔️ |  |  |  |
 | [DoNotUseWebResults](/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | ✔️ |   |  |  |
 | [DisableBackoff](/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | ✔️ |   |  |  |
@@ -434,7 +434,7 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
 | Setting | Description | Windows client |  Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: |  :---: | :---: | :---: |
 | [AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | ✔️ |  |  |  |
-| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloadds shortcut on the Start menu.  | ✔️ |  |  |  |
+| [AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloads shortcut on the Start menu.  | ✔️ |  |  |  |
 | [AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu.  | ✔️ |   |  |  |
 | [AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu.  | ✔️ |  |  |  |
 | [AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu.  | ✔️ |  |  |  |
@@ -513,7 +513,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl
 
 | Setting | Description | Windows client | Surface Hub | HoloLens | IoT Core |
 |---------|-------------|:--------------:|:-----------:|:--------:|:--------:|
-| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | ✔️ | ✔️ | | ✔️ |
+| [ActiveHoursEnd](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ |
 | [ActiveHoursMaxRange](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | ✔️ | ✔️ | | ✔️ |
 | [ActiveHoursStart](/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | ✔️ | ✔️ | | ✔️ |
 | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | ✔️ | ✔️ | ✔️ | ✔️ |
@@ -538,7 +538,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl
 | [EngagedRestartSnoozeScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | ✔️ | ✔️ | | ✔️ |
 | [EngagedRestartTransitionSchedule](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ |
 | [EngagedRestartTransitionScheduleForFeatureUpdates](/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | ✔️ | ✔️ | | ✔️ |
-| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | ✔️ | ✔️ | | ✔️ |
+| [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windows Update (WU) drivers during quality updates. | ✔️ | ✔️ | | ✔️ |
 | [FillEmptyContentUrls](/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | ✔️ | ✔️ | | ✔️ |
 | ManagePreviewBuilds | Use to enable or disable preview builds. | ✔️ | ✔️ | ✔️ | ✔️ |
 | PhoneUpdateRestrictions | Deprecated | | ✔️ | | |

From b1ecb865569b6f1535c94b69bbaa180bd5c386e9 Mon Sep 17 00:00:00 2001
From: Diana Hanson 
Date: Thu, 11 Nov 2021 10:53:14 -0700
Subject: [PATCH 062/104] Update
 windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml

---
 .../auditing/advanced-security-auditing-faq.yml                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
index 8fc368965e..8cce54444d 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
@@ -25,7 +25,7 @@ summary: This topic for the IT professional lists questions and answers about un
 
   -   [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-)
 
-  -   [What is the interasction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-)
+  -   [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-)
 
   -   [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-)
 

From 29502634788456431a41f18530c0387e6a63be7d Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT 
Date: Thu, 11 Nov 2021 11:43:21 -0800
Subject: [PATCH 063/104] Update policy-csp-userrights.md

---
 windows/client-management/mdm/policy-csp-userrights.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 8959c2173e..be84a95bca 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 11/11/2021
 ms.reviewer: 
 manager: dansimp
 ---

From 198c3dc60915e19487dc851203c10bdf489b0605 Mon Sep 17 00:00:00 2001
From: MandiOhlinger 
Date: Thu, 11 Nov 2021 18:10:20 -0500
Subject: [PATCH 064/104] Replacing semi-annual channel with general
 availability channel

---
 .../windows-10-deployment-considerations.md   |  47 +---
 .../windows-10-enterprise-faq-itpro.yml       |   2 +-
 windows/deployment/update/WIP4Biz-intro.md    |  10 +-
 .../get-started-updates-channels-tools.md     |   6 +-
 .../update/waas-manage-updates-wsus.md        |   2 +-
 windows/deployment/update/waas-overview.md    |  10 +-
 windows/deployment/update/waas-quick-start.md |  11 +-
 ...s-servicing-channels-windows-10-updates.md |   2 +-
 .../upgrade/windows-10-upgrade-paths.md       | 208 +++---------------
 windows/deployment/windows-10-media.md        |  33 +--
 .../windows-10-subscription-activation.md     |  43 +---
 .../demonstrate-deployment-on-vm.md           |   2 +-
 .../whats-new-windows-10-version-21H2.md      |   7 +-
 windows/whats-new/windows-11-whats-new.md     |   2 +-
 14 files changed, 75 insertions(+), 310 deletions(-)

diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 90d0c547cb..86d46e0b81 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -36,46 +36,13 @@ Windows 10 also introduces two additional scenarios that organizations should c
 
     So how do you choose? At a high level:
 
-
----
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                    



                    Consider ...For these scenarios
                    In-place upgrade
                      
-
                    • When you want to keep all (or at least most) existing applications
                      • 
-
                    • When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
                      • 
-
                    • To migrate from Windows 10 to a later Windows 10 release
                      • 
-
                    Traditional wipe-and-load
                      
-
                    • When you upgrade significant numbers of applications along with the new Windows OS
                      • 
-
                    • When you make significant device or operating system configuration changes
                      • 
-
                    • When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
                      • 
-
                    • When you migrate from Windows Vista or other previous operating system versions
                      • 
-
                    Dynamic provisioning
                      
-
                    • For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required
                      • 
-
                    • When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps
                      • 
-
                    
+| Consider ... | For these scenarios  |
+|---|---|
+| In-place upgrade  | - When you want to keep all (or at least most) existing applications
                    - When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
                    - To migrate from Windows 10 to a later Windows 10 release |
+| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS
                    - When you make significant device or operating system configuration changes
                    - When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
                    - When you migrate from Windows Vista or other previous operating system versions |
+| Dynamic provisioning | - For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required. 
                    - When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps |
+
 
- 
 ## Migration from previous Windows versions
 
 For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall.
@@ -105,7 +72,7 @@ In either of these scenarios, you can make a variety of configuration changes to
 
 ## Stay up to date
 
-For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will be deployed two times per year. You can deploy these upgrades by using a variety of methods:
+For computers using the [General Availability Channel](../update/get-started-updates-channels-tools.md#general-availability-channel), you can deploy these upgrades by using a variety of methods:
 
 -   Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
 -   Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). 
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 8ca699331f..a8e1aa8c67 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -103,7 +103,7 @@ sections:
       - question: |
           What are the servicing channels?
         answer: |
-          To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels).
+          To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels).
           
       - question: |
           What tools can I use to manage Windows as a service updates?
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index ae8c69d273..66aea9952b 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -1,7 +1,7 @@
 ---
 title: Introduction to the Windows Insider Program for Business
 description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join.
-keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
+keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
 ms.custom: seo-marvel-apr2020
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -22,7 +22,7 @@ ms.topic: article
 
 > **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
-For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available.
+For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in theGeneral Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available.
 
 The Windows Insider Program for Business gives you the opportunity to:
  
@@ -35,7 +35,7 @@ The Windows Insider Program for Business gives you the opportunity to:
 
 Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. 
 
-The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
+The Windows Insider Program doesn't replace General Availability Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
 
 [![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
                    
 Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. 
@@ -56,8 +56,8 @@ Along with exploring new features, you also have the option to validate your app
 - Get a head start on your Windows validation process 
 - Identify issues sooner to accelerate your Windows deployment 
 - Engage Microsoft earlier for help with potential compatibility issues 
-- Deploy Windows 10 Semi-Annual releases faster and more confidently 
-- Maximize the 18-month support Window that comes with each Semi-Annual release. 
+- Deploy Windows 10 General Availability Channel releases faster and more confidently 
+- Maximize the support Window that comes with each General Availability Channel release. 
 
 |Objective |Feature exploration|
 |---------|---------|
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index f1d6c2488e..a9cda4ed31 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -1,7 +1,7 @@
 ---
 title: Windows client updates, channels, and tools
 description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
-keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools
 ms.prod: w10
 ms.mktglfcycl: manage
 author: jaimeo
@@ -35,7 +35,7 @@ version of the software.
 
 We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. 
 
-- **Feature updates:** Released as soon as they become available. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
+- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
 - **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
 - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
 - **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
@@ -51,7 +51,7 @@ The first step of controlling when and how devices install updates is assigning
 
 ### General Availability Channel
 
-In the General Availability Channel, feature updates are available as soon as Microsoft releases them. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
+In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release.
 
 
 ### Windows Insider Program for Business
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 8bfab4700e..ff3a2e85bf 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -239,7 +239,7 @@ The next time the clients in the **Ring 4 Broad Business Users** security group
 For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
 
 >[!NOTE]
->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel (or General Availability Channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
+>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](get-started-updates-channels-tools.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
 
 
 **To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring**
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 5947bdc897..543f0e96db 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Overview of Windows as a service
 description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works.
-keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools
 ms.prod: w10
 ms.mktglfcycl: manage
 author: jaimeo
@@ -90,9 +90,9 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid
 
 ### General Availability Channel
 
-In the General Availability Channel, feature updates are available as soon as Microsoft releases them. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
+In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
 
-When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
+When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
 
 
 > [!NOTE]
@@ -120,7 +120,7 @@ The Long-term Servicing Channel is available only in the Windows 10 Enterprise L
 
 ### Windows Insider
 
-For many IT pros, gaining visibility into feature updates early--before they’re available to the Semi-Annual Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
+For many IT pros, gaining visibility into feature updates early--before they’re available to the General Availability Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft.
 
 Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started).
 
@@ -130,7 +130,7 @@ Microsoft recommends that all organizations have at least a few devices enrolled
 
 There are many tools you can use to service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:
 
-- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device.
+- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the General Availability Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device.
 - **Windows Update for Business** includes control over update deferment and provides centralized management using Group Policy or MDM. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the General Availability Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Microsoft Intune.
 - **Windows Server Update Services (WSUS)** provides extensive control over updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. 
 - **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. 
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index f9c793095d..9f6df39c19 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -1,14 +1,14 @@
 ---
 title: Quick guide to Windows as a service (Windows 10)
 description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
-keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools
 ms.prod: w10
 ms.mktglfcycl: manage
 author: jaimeo
 ms.localizationpriority: high
 ms.author: jaimeo
 ms.reviewer: 
-manager: laurawi
+manager: dougeby
 ms.topic: article
 ---
 
@@ -25,12 +25,13 @@ Here is a quick guide to the most important concepts in Windows as a service. Fo
 ## Definitions
 
 Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
-- **Feature updates** are released twice per year, around March and September. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
+
+- **Feature updates** are released annually. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
 - **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
 - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
 - **Servicing channels** allow organizations to choose when to deploy new features. 
-    - The **General Availability Channel** receives feature updates as they become available. 
-    - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
+  - The **General Availability Channel** receives feature updates as they become available. 
+  - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
 - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. 
 
 See [Overview of Windows as a service](waas-overview.md) for more information.
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index cbf9133ff3..65880f7388 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -43,7 +43,7 @@ The General Availability Channel is the default servicing channel for all Window
 >The LTSC edition is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
 
 >[!NOTE]
->Devices will automatically receive updates from the Semi-Annual Channel, unless they are configured to receive preview updates through the Windows Insider Program.
+>Devices will automatically receive updates from the General Availability Channel, unless they are configured to receive preview updates through the Windows Insider Program.
 
 
 ## Enroll devices in the Windows Insider Program
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index c50df27515..6e3a9935de 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -15,6 +15,7 @@ ms.topic: article
 ---
 
 # Windows 10 upgrade paths
+
 **Applies to**
 
 -   Windows 10
@@ -25,9 +26,9 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
 
 If you are also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths, but please note that applications and settings are not maintained when the Windows edition is downgraded.
 
-> **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information.
+> **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information.
 > 
-> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported.  **Note**: Windows 10 LTSC 2015 did not block this upgrade path.  This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
+> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported.  **Note**: Windows 10 LTSC 2015 did not block this upgrade path.  This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
 > 
 > **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
 > 
@@ -36,180 +37,37 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi
 ✔ = Full upgrade is supported including personal data, settings, and applications.
                    
 D = Edition downgrade; personal data is maintained, applications and settings are removed.
 
-
                    
-
-    
-        
-        
-        
-        
-        
-        
-        
-    
-    
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
-        
-        
-        
-        
-        
-        
-    
-    
                           Windows 10 HomeWindows 10 ProWindows 10 Pro EducationWindows 10 EducationWindows 10 Enterprise
                    Windows 7
                    Starter
                    Home Basic
                    Home Premium
                    ProfessionalD
                    UltimateD
                    Enterprise
                    Windows 8.1
                    (Core)
                    Connected
                    ProD
                    Pro StudentD
                    Pro WMCD
                    Enterprise
                    Embedded Industry
                    Windows RT
                    Windows Phone 8.1
                    Windows 10
                    Home
                    ProD
                    EducationD
                    Enterprise
                    
+### Windows 10
 
+| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
+|---|---|---|---|---|---|
+| Home  | | ✔  | ✔  | ✔  | |
+| Pro   | D | | ✔   | ✔  | ✔  |
+| Education  | | | | | D  |
+| Enterprise  | | | | ✔ | |
+
+### Windows 8.1
+
+|  | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
+|---|---|---|---|---|---|
+| (Core)  | ✔  | ✔  | ✔  | ✔  | |
+| Connected   | ✔  | ✔  | ✔  | ✔  | |
+| Pro  | D   | ✔  | ✔   | ✔  | ✔  |
+| Pro Student  | D | ✔  | ✔  | ✔  | ✔  |
+| Pro WMC  | D  | ✔  | ✔  | ✔  | ✔  |
+| Enterprise  | | | | ✔  | ✔  |
+| Embedded Industry | | | | | ✔  |
+
+### Windows 7
+
+|  | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
+|---|---|---|---|---|---|
+| Starter   | ✔  | ✔  | ✔  | ✔  | |
+| Home Basic  | ✔  | ✔  | ✔  | ✔  | |
+| Home Premium  | ✔  | ✔  | ✔  | ✔  | |
+| Professional  | D  | ✔  | ✔ | ✔  | ✔  |
+| Ultimate  | D  | ✔   | ✔   | ✔  | ✔  |
+| Enterprise  |  |  |  | ✔  | ✔  |
 
 ## Related Topics
 
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 0e160f2943..3595e295f0 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -34,43 +34,12 @@ When you select a product, for example “Windows 10 Enterprise” or “Windows
 > [!NOTE]
 > If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx).
 
-In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change.
-
-### Windows 10, version 1709
-
-Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available.
-
-For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images:
-
-![Images.](images/table01.png)
-
-When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update.
-
-For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package:
-
-
                    
-
-| Title | Classification | Description |
-| --- | --- | --- |
-| Feature update to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 10 Pro (VL), Windows 10 Enterprise, or Windows 10 Education to version 1709 |
-| Windows 7 and 8.1 upgrade to Windows 10, version 1709, \ | Upgrades | Package to upgrade Windows 7 Professional (VL), Windows 7 Enterprise, Windows 8.1 Professional (VL), or Windows 8.1 Enterprise to Windows 10 1709 |
-
-
                    
-
-When you approve one of these packages, it applies to all of the editions.
-
-This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology.  For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](./update/index.md).
-
+Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. 
 
 ### Language packs
 
-- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads. 
 - **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages.
 
-See the following example for Windows 10, version 1709:
-
-![Windows 10, version 1709 lang pack.](images/lang-pack-1709.png)
-
 ### Features on demand
 
 [Features on demand](/archive/blogs/mniehaus/adding-features-including-net-3-5-to-windows-10) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above.
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 4d6d62258a..3f0e709435 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -23,7 +23,7 @@ Applies to:
 - Windows 10
 - Windows 11
 
-Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5.
+Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5.
 
 With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**.
 
@@ -44,9 +44,10 @@ For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11
 
 ## Subscription Activation for Windows 10/11 Enterprise
 
-With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots.
+Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots.
 
  If you are running Windows 10, version 1703 or later:
+
 - Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively.
 - Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions.
 
@@ -109,8 +110,6 @@ An issue has been identified with Hybrid Azure AD joined devices that have enabl
 
 To resolve this issue:
 
-If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
-
 If the device is running Windows 10, version 1809 or later:
 
 - Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
@@ -166,7 +165,7 @@ The IT administrator assigns Windows 10 Enterprise to a user. See the following
 
 When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires.
 
-Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel.
+Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education General Availability Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel.
 
 The following figures summarize how the Subscription Activation model works:
 
@@ -190,19 +189,7 @@ You are using Windows 10, version 1803 or above, and just purchased Windows 10 E
 
 All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
 
-#### Scenario #2 
-
-You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
-
-To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
-
-```console
-cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
-```
-
-The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
-
-#### Scenario #3
+#### Scenario #2
 
 Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
 
@@ -229,26 +216,6 @@ If you are running Windows 10, version 1803 or later, Subscription Activation wi
 > [!CAUTION]
 > Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience).
 
-If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
-
-If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
-
-```console
-@echo off
-FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  (
-SET "ProductKey=%%A"
-goto InstallKey
-)
-
-:InstallKey
-IF [%ProductKey%]==[] (
-echo No key present
-) ELSE (
-echo Installing %ProductKey%
-changepk.exe /ProductKey %ProductKey%
-)
-```
-
 ### Obtaining an Azure AD license
 
 Enterprise Agreement/Software Assurance (EA/SA):
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index b47dd4d0f2..ac69de04a3 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -47,7 +47,7 @@ These are the things you'll need to complete this lab:
 
 |    | Description |
 |:---|:---|
-|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.|
+|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, General Availability Channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.|
 |**Internet access**|If you're behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the internet.|
 |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.|
 |**An account with Azure Active Directory (AD) Premium license**|This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index d251c2b75a..2640bff4c6 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -34,7 +34,7 @@ To learn more about the status of the November 2021 Update rollout, known issues
 
 ## Updates and servicing
 
-Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the semi-annual channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473).
+Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the Semi-Annual Channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473).
 
 Quality updates are still installed monthly on patch Tuesday.
 
@@ -59,11 +59,14 @@ For more information on the CSPs, see the [Configuration service provider refere
 
 ## Apps appear local with Azure Virtual Desktop
 
-Azure virtual desktop is a Windows client OS hosted in the cloud, and it has virtual apps. The benefit is to use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
+Azure virtual desktop is a Windows client OS hosted in the cloud, and runs virtual apps. You use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally.
+
+You can create Azure virtual desktops that run Windows 10 version 21H2.
 
 For more information, see:
 
 - [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview)
+- [What's new in Azure Virtual Desktop?](/azure/virtual-desktop/whats-new)
 - [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal)
 
 ## Wi-Fi 6E support
diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md
index 4eafe42218..af406cd7e7 100644
--- a/windows/whats-new/windows-11-whats-new.md
+++ b/windows/whats-new/windows-11-whats-new.md
@@ -149,7 +149,7 @@ For more information on the security features you can configure, manage, and enf
 
 - Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues.
 
-  You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10).
+  You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10).
 
   In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in.
 

From cd70c8fe952093bfe313603b6629f9a824c50138 Mon Sep 17 00:00:00 2001
From: MandiOhlinger 
Date: Thu, 11 Nov 2021 18:58:00 -0500
Subject: [PATCH 065/104] review updates and suggestions

---
 .../windows-10-deployment-considerations.md   |  2 +-
 windows/deployment/update/WIP4Biz-intro.md    |  2 +-
 .../update/waas-manage-updates-wsus.md        | 40 +++++++++----------
 windows/deployment/update/waas-quick-start.md |  4 +-
 .../upgrade/windows-10-upgrade-paths.md       | 34 ++++++++--------
 5 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 86d46e0b81..4d8bf0ff3e 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -72,7 +72,7 @@ In either of these scenarios, you can make a variety of configuration changes to
 
 ## Stay up to date
 
-For computers using the [General Availability Channel](../update/get-started-updates-channels-tools.md#general-availability-channel), you can deploy these upgrades by using a variety of methods:
+For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using a variety of methods:
 
 -   Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
 -   Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). 
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 66aea9952b..c5e07f7751 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -22,7 +22,7 @@ ms.topic: article
 
 > **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
 
-For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in theGeneral Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available.
+For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the General Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available.
 
 The Windows Insider Program for Business gives you the opportunity to:
  
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index ff3a2e85bf..bb91408f6f 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -60,7 +60,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 
 3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**.
 
-   ![Example of UI.](images/waas-wsus-fig3.png) 
+   ![Create a GPO in this domain example in the UI.](images/waas-wsus-fig3.png) 
     
    >[!NOTE]
    >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
@@ -73,13 +73,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 
 7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
 
-   ![Example of UI.](images/waas-wsus-fig4.png)
+   ![Configure Automatic Updates in the UI.](images/waas-wsus-fig4.png)
     
 8. In the **Configure Automatic Updates** dialog box, select **Enable**.
 
 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
 
-   ![Example of UI.](images/waas-wsus-fig5.png)
+   ![Select Auto download and notify for install in the UI.](images/waas-wsus-fig5.png)
    
    >[!IMPORTANT]
    > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
@@ -91,12 +91,12 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 
 11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
 
-12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select **OK**.
+12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type `http://Your_WSUS_Server_FQDN:PortNumber`, and then select **OK**.
 
     >[!NOTE]
     >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
     
-     ![Example of UI.](images/waas-wsus-fig6.png)
+     ![Set the intranet statistics server in the UI.](images/waas-wsus-fig6.png)
      
      >[!NOTE]
      >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
@@ -116,7 +116,7 @@ You can use computer groups to target a subset of devices that have specific qua
 
 2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. 
 
-    ![Example of UI.](images/waas-wsus-fig7.png)
+    ![Add Computer Group in the WSUS Administration UI.](images/waas-wsus-fig7.png)
     
 3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
 
@@ -144,7 +144,7 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput
 
 2. Select both computers, right-click the selection, and then click **Change Membership**.
 
-    ![Example of UI.](images/waas-wsus-fig8.png)
+    ![Select Change Membership in the UI.](images/waas-wsus-fig8.png)
 
 3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
 
@@ -162,7 +162,7 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr
 
 3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
 
-    ![Example of UI.](images/waas-wsus-fig9.png)
+    ![Select Change Membership to search for multiple computers in the UI.](images/waas-wsus-fig9.png)
     
 4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
 
@@ -179,7 +179,7 @@ The WSUS Administration Console provides a friendly interface from which you can
 
 1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
 
-     ![Example of UI.](images/waas-wsus-fig10.png)
+     ![Select Comptuers in the WSUS Administration Console.](images/waas-wsus-fig10.png)
      
 2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
 
@@ -203,7 +203,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 
 5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
 
-    ![Example of UI.](images/waas-wsus-fig11.png)
+    ![Select the WSUS ring 4 and edit in group policy.](images/waas-wsus-fig11.png)
     
 6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
 
@@ -213,7 +213,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 
 9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added.
 
-    ![Example of UI.](images/waas-wsus-fig12.png)
+    ![Enter the WSUS deployment ring name.](images/waas-wsus-fig12.png)
 
 > [!WARNING]
 > The target group name must match the computer group name.
@@ -230,7 +230,7 @@ Now you’re ready to deploy this GPO to the correct computer security group for
 
 3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
 
-    ![Example of UI.](images/waas-wsus-fig13.png)
+    ![Remove the default AUTHENTICATED USERS security group in group policy.](images/waas-wsus-fig13.png)
     
 The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. 
 
@@ -239,7 +239,7 @@ The next time the clients in the **Ring 4 Broad Business Users** security group
 For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
 
 >[!NOTE]
->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](get-started-updates-channels-tools.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
+>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
 
 
 **To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring**
@@ -251,7 +251,7 @@ This example uses Windows 10, but the process is the same for Windows 11.
 
 3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
 
-     ![Example of UI.](images/waas-wsus-fig14.png)
+     ![Select the update and deadline check boxes in the WSUS Administration Console.](images/waas-wsus-fig14.png)
      
 4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
 
@@ -265,7 +265,7 @@ This example uses Windows 10, but the process is the same for Windows 11.
 
 8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
 
-    ![Example of UI.](images/waas-wsus-fig15.png)
+    ![Enter the ring 3 deployment name.](images/waas-wsus-fig15.png)
     
 9. In the **Automatic Approvals** dialog box, click **OK**.
 
@@ -300,7 +300,7 @@ To simplify the manual approval process, start by creating a software update vie
     
 5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
 
-     ![Example of UI.](images/waas-wsus-fig16.png)
+     ![Enter All Windows 10 Upgrades for the name in the WSUS admin console.](images/waas-wsus-fig16.png)
 
 Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
 
@@ -308,21 +308,21 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
 
 2. Right-click the feature update you want to deploy, and then click **Approve**.
 
-      ![Example of UI.](images/waas-wsus-fig17.png)  
+      ![Approve the feature you want to deploy in WSUS admin console.](images/waas-wsus-fig17.png)  
       
 3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
 
-      ![Example of UI.](images/waas-wsus-fig18.png) 
+      ![Select Approve for install in the WSUS admin console.](images/waas-wsus-fig18.png) 
       
 4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. 
 
-      ![Example of UI.](images/waas-wsus-fig19.png) 
+      ![Select a one week deadline in the WSUS admin console.](images/waas-wsus-fig19.png) 
       
 5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
 
     If the deployment is successful, you should receive a successful progress report.
     
-    ![Example of UI.](images/waas-wsus-fig20.png) 
+    ![A sample successful deployment.](images/waas-wsus-fig20.png) 
 
 6. In the **Approval Progress** dialog box, click **Close**.
 
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 9f6df39c19..59bb0e9b9a 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -30,7 +30,7 @@ Some new terms have been introduced as part of Windows as a service, so you shou
 - **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
 - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
 - **Servicing channels** allow organizations to choose when to deploy new features. 
-  - The **General Availability Channel** receives feature updates as they become available. 
+  - The **General Availability Channel** receives feature updates annually.
   - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
 - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. 
 
@@ -52,6 +52,6 @@ To stay up to date, deploy feature updates at an appropriate time after their re
 
 Extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
 
-This process repeats with each new feature update as they become available. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles.
+This process repeats with each new feature update. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles.
 
 Other technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 6e3a9935de..e1cd089600 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -41,33 +41,33 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
 
 | | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
 |---|---|---|---|---|---|
-| Home  | | ✔  | ✔  | ✔  | |
-| Pro   | D | | ✔   | ✔  | ✔  |
-| Education  | | | | | D  |
-| Enterprise  | | | | ✔ | |
+| **Home**  | | ✔  | ✔  | ✔  | |
+| **Pro**   | D | | ✔   | ✔  | ✔  |
+| **Education**  | | | | | D  |
+| **Enterprise**  | | | | ✔ | |
 
 ### Windows 8.1
 
 |  | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
 |---|---|---|---|---|---|
-| (Core)  | ✔  | ✔  | ✔  | ✔  | |
-| Connected   | ✔  | ✔  | ✔  | ✔  | |
-| Pro  | D   | ✔  | ✔   | ✔  | ✔  |
-| Pro Student  | D | ✔  | ✔  | ✔  | ✔  |
-| Pro WMC  | D  | ✔  | ✔  | ✔  | ✔  |
-| Enterprise  | | | | ✔  | ✔  |
-| Embedded Industry | | | | | ✔  |
+| **(Core)**  | ✔  | ✔  | ✔  | ✔  | |
+| **Connected**   | ✔  | ✔  | ✔  | ✔  | |
+| **Pro**  | D   | ✔  | ✔   | ✔  | ✔  |
+| **Pro Student**  | D | ✔  | ✔  | ✔  | ✔  |
+| **Pro WMC**  | D  | ✔  | ✔  | ✔  | ✔  |
+| **Enterprise**  | | | | ✔  | ✔  |
+| **Embedded Industry** | | | | | ✔  |
 
 ### Windows 7
 
 |  | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
 |---|---|---|---|---|---|
-| Starter   | ✔  | ✔  | ✔  | ✔  | |
-| Home Basic  | ✔  | ✔  | ✔  | ✔  | |
-| Home Premium  | ✔  | ✔  | ✔  | ✔  | |
-| Professional  | D  | ✔  | ✔ | ✔  | ✔  |
-| Ultimate  | D  | ✔   | ✔   | ✔  | ✔  |
-| Enterprise  |  |  |  | ✔  | ✔  |
+| **Starter**   | ✔  | ✔  | ✔  | ✔  | |
+| **Home Basic**  | ✔  | ✔  | ✔  | ✔  | |
+| **Home Premium**  | ✔  | ✔  | ✔  | ✔  | |
+| **Professional**  | D  | ✔  | ✔ | ✔  | ✔  |
+| **Ultimate**  | D  | ✔   | ✔   | ✔  | ✔  |
+| **Enterprise**  |  |  |  | ✔  | ✔  |
 
 ## Related Topics
 

From 7026162d2168316ed583262a75000729d702c3c6 Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Thu, 11 Nov 2021 19:09:27 -0800
Subject: [PATCH 066/104] Fix formatting by replacing bullet characters with
 proper markup

---
 .../tpm/how-windows-uses-the-tpm.md           | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index 038e7da093..2b05343896 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -80,12 +80,11 @@ The adoption of new authentication technology requires that identity providers a
 
 Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
 
-•	**Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
+- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
 
-•	**Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
+- **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
 
 ![TPM Capabilities.](images/tpm-capabilities.png)
-
 *Figure 1:  TPM Cryptographic Key Management*
 
 For Windows Hello for Business, Microsoft can fill the role of the identity CA. Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned.
@@ -96,9 +95,9 @@ BitLocker provides full-volume encryption to protect data at rest. The most comm
 
 In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
 
-•	**Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
+- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
 
-•	**Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
+- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
 
 Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
 
@@ -122,7 +121,7 @@ TPM measurements are designed to avoid recording any privacy-sensitive informati
 
 The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot:
 
-•	**Remote Attestation**.  Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process.
+- **Remote Attestation**.  Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process.
 
 When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
 
@@ -149,17 +148,18 @@ The resulting solution provides defense in depth, because even if malware runs i
 
 The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features.
 
+
                    
 
 |Feature | Benefits when used on a system with a TPM|
 |---|---|
-| Platform Crypto Provider |  •      If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
                    •	        The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
-| Virtual Smart Card | 	•      Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.|
-| Windows Hello for Business | 	•      Credentials provisioned on a device cannot be copied elsewhere.  
                     •	         Confirm a device’s TPM before credentials are provisioned. |
-| BitLocker Drive Encryption | 	•      Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
-|Device Encryption | 	•     With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
-| Measured Boot | 	•      A hardware root of trust contains boot measurements that help detect malware during remote attestation.
-| Health Attestation | 	•      MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
-| Credential Guard | 	•      Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
+| Platform Crypto Provider | 
                    • If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
                    • The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
                     |
+| Virtual Smart Card | 
                    • Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.
                     |
+| Windows Hello for Business | 
                    • Credentials provisioned on a device cannot be copied elsewhere.
                    • Confirm a device’s TPM before credentials are provisioned.
                     |
+| BitLocker Drive Encryption | 
                    • Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
                     |
+|Device Encryption | 
                    • With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
                     |
+| Measured Boot | 
                    • A hardware root of trust contains boot measurements that help detect malware during remote attestation.
                     |
+| Health Attestation | 
                    • MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. 
                     |
+| Credential Guard | 
                    • Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
                     |
 
 
                    
 

From e0ab8e7007f0cb6086d73c07f6dada177ab189dd Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Thu, 11 Nov 2021 20:05:22 -0800
Subject: [PATCH 067/104] Added lightbox to help with readability

---
 .../information-protection/tpm/how-windows-uses-the-tpm.md   | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index 2b05343896..b1380dfb2e 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -84,7 +84,7 @@ Identity providers have flexibility in how they provision credentials on client
 
 - **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
 
-![TPM Capabilities.](images/tpm-capabilities.png)
+:::image type="content" alt-text="TPM Capabilities." source="images/tpm-capabilities.png" lightbox="images/tpm-capabilities.png":::
 *Figure 1:  TPM Cryptographic Key Management*
 
 For Windows Hello for Business, Microsoft can fill the role of the identity CA. Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned.
@@ -125,8 +125,7 @@ The TPM provides the following way for scenarios to use the measurements recorde
 
 When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
 
-![Process to Create Evidence of Boot Software and Configuration Using TPM.](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png)
-
+:::image type="content" alt-text="Process to Create Evidence of Boot Software and Configuration Using TPM." source="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png" lightbox="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png":::
 *Figure 2:  Process used to create evidence of boot software and configuration using a TPM*
 
 

From 1661c8f2c8fb2179a5875f9d468e3442cb57bf28 Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Thu, 11 Nov 2021 20:13:57 -0800
Subject: [PATCH 068/104] Corrected two more bullets

---
 .../information-protection/tpm/how-windows-uses-the-tpm.md    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index b1380dfb2e..01438ca9f3 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -58,9 +58,9 @@ Although CNG sounds like a mundane starting point, it illustrates some of the ad
 
 The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively:
 
-•	**Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
+- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
 
-•	**Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
+- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
 
 These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically.
 

From 8918004a2d6823e2e3674fa0d18138ebe9f6ffeb Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi 
Date: Fri, 12 Nov 2021 09:44:35 +0530
Subject: [PATCH 069/104] Minor fix

---
 .../enterprise-mode-schema-version-1-guidance.md              | 4 ++--
 .../enterprise-mode-schema-version-2-guidance.md              | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
index 606544f58d..8ee8fbf055 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
@@ -71,7 +71,7 @@ This table includes the elements used by the Enterprise Mode schema.
 |<emie>     |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. 
                     **Example** 
                    <rules version="205"> 
                     <emie> 
                       <domain>contoso.com</domain> 
                     </emie>
                    </rules>  
                     
                     **or** 
                     For IPv6 ranges: 

                    <rules version="205"> 
                     <emie> 
                      <domain>[10.122.34.99]:8080</domain> 
                     </emie>
                    </rules> 
                     
                     **or**
                     For IPv4 ranges:
                    <rules version="205"> 
                     <emie> 
                      <domain>[10.122.34.99]:8080</domain> 
                     </emie>
                    </rules> | Internet Explorer 11 and Microsoft Edge       |
 |<docMode>     |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.  
                     **Example** 
                     
                    <rules version="205"> 
                     <docmode> 
                       <domain docMode="7">contoso.com</domain> 
                     </docmode>
                    </rules>     |Internet Explorer 11         |
 |<domain>     |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element. 
                     **Example** 
                     
                    <emie> 
                     <domain>contoso.com:8080</domain>
                    </emie>       |Internet Explorer 11 and Microsoft Edge         |
-|<path>    |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
                     **Example**  
                     
                    <emie> 
                     <domain exclude="false">fabrikam.com 
                       <path exclude="true">/products</path>
                     </domain>
                    </emie>
                     
                     Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.   |Internet Explorer 11 and Microsoft Edge         |
+|<path>    |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
                     **Example**  
                     
                    <emie> 
                     <domain exclude="true">fabrikam.com 
                       <path exclude="false">/products</path>
                     </domain>
                    </emie>
                     
                     Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.   |Internet Explorer 11 and Microsoft Edge         |
 
 ### Schema attributes
 This table includes the attributes used by the Enterprise Mode schema.
@@ -82,7 +82,7 @@ This table includes the attributes used by the Enterprise Mode schema.
 |exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.
                     **Example** 
                    <emie>
                      <domain exclude="false">fabrikam.com 
                        <path exclude="true">/products</path>
                      </domain>
                    </emie> 
                     Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
 |docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
                     **Example**
                    <docMode> 
                      <domain exclude="false">fabrikam.com 
                        <path docMode="9">/products</path>
                      </domain>
                    </docMode>|Internet Explorer 11|
 |doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
                     **Example**
                    <emie>
                     <domain doNotTransition="false">fabrikam.com 
                       <path doNotTransition="true">/products</path>
                     </domain>
                    </emie>
                    Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge|
-|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. 
                     **Example**
                    <emie>
                     <domain doNotTransition="false">fabrikam.com 
                       <path doNotTransition="true">/products</path>
                     </domain>
                    </emie>
                    Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11|
+|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. 
                     **Example**
                    <emie>
                     <domain exclude="true">fabrikam.com 
                       <path forcecompatview="true">/products</path>
                     </domain>
                    </emie>
                    Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11|
 
 ### Using Enterprise Mode and document mode together
 If you want to use both Enterprise Mode and document mode together, you need to be aware that  <emie> entries override <docMode> entries for the same domain. 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
index a90c4220a3..825646b237 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
@@ -121,7 +121,7 @@ These v.1 version schema attributes have been deprecated in the v.2 version of t
 |forceCompatView|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>|
 |docMode|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>|
 |doNotTransition|<open-in>|Replace:
                     <doNotTransition="true"> with <open-in>none</open-in>|
-|<domain> and <path>|<site>|Replace:
                    <emie>
                     <domain exclude="false">contoso.com</domain>
                    </emie>
                    With:
                    <site url="contoso.com"/> 
                      <compat-mode>IE8Enterprise</compat-mode>
                    </site>
                    **-AND-** 
                    Replace:
                    <emie> 
                      <domain exclude="true">contoso.com 
                     <path exclude="false" forceCompatView="true">/about</path>
                     </domain>
                    </emie>

                     With:
                    <site url="contoso.com/about">
                     <compat-mode>IE7Enterprise</compat-mode>
                     <open-in>IE11</open-in>
                    </site>|
+|<domain> and <path>|<site>|Replace:
                    <emie>
                     <domain>contoso.com</domain>
                    </emie>
                    With:
                    <site url="contoso.com"/> 
                      <compat-mode>IE8Enterprise</compat-mode>
                      <open-in>IE11</open-in>
                    </site>
                    **-AND-** 
                    Replace:
                    <emie> 
                      <domain exclude="true"  donotTransition="true">contoso.com 
                     <path forceCompatView="true">/about</path>
                     </domain>
                    </emie>

                     With:
                    <site url="contoso.com/about">
                     <compat-mode>IE7Enterprise</compat-mode>
                     <open-in>IE11</open-in>
                    </site>|
 
 While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.
 

From bb8d6e76a73a584955acffae83be0648c8ac2286 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Fri, 12 Nov 2021 14:11:57 -0800
Subject: [PATCH 070/104] draft

---
 windows/whats-new/ltsc/whats-new-windows-10-2021.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 2755a7bb7a..750e5dc02d 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -149,10 +149,6 @@ BitLocker and Mobile Device Management (MDM) with Azure Active Directory work to
 
 Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
 
-#### Transport Layer Security (TLS)
-
-An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/platform/status/tls13/).
-
 ## Deployment
 
 ### Windows Autopilot

From b7296b9471f3d86b80c71116fddb81a60e76841b Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Fri, 12 Nov 2021 15:17:01 -0800
Subject: [PATCH 071/104] draft

---
 windows/whats-new/ltsc/whats-new-windows-10-2021.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 750e5dc02d..854aa465a5 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -52,7 +52,6 @@ Microsoft Edge kiosk mode offers two lockdown experiences of the browser so orga
 
 ### Windows Hello
 
-- Windows Hello for Business introduces a new deployment method called cloud trust to support simplified passwordless deployments and achieve a deploy-to-run state within a few minutes.
 - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
 - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
 - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
@@ -115,6 +114,8 @@ Application Guard performance is improved with optimized document opening times:
 
 Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
 
+#### Windows Defender Application Control
+
 - [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker.
     - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
     - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                    

From d364303afb15cd30b6c0e12620edd3d8002d534c Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Fri, 12 Nov 2021 17:15:38 -0800
Subject: [PATCH 072/104] update system guard

---
 .../ltsc/whats-new-windows-10-2021.md         | 42 ++++---------------
 1 file changed, 8 insertions(+), 34 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 854aa465a5..7d95ecfaed 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -3,7 +3,7 @@ title: What's new in Windows 10 Enterprise LTSC 2021
 ms.reviewer: 
 manager: dougeby
 ms.author: greglin
-description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
+description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021.
 keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"]
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -124,17 +124,13 @@ Microsoft Defender Application Guard now supports Office: With [Microsoft Defend
 
 #### Windows Defender System Guard
 
-[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months.
+[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets.
 
-This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
+In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
 
-![System Guard.](../images/system-guard.png "SMM Firmware Measurement")
+With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. 
 
-In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
-
-With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
-
- ![System Guard.](../images/system-guard2.png)
+There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon.
 
 ### Security management
 
@@ -150,30 +146,6 @@ BitLocker and Mobile Device Management (MDM) with Azure Active Directory work to
 
 Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
 
-## Deployment
-
-### Windows Autopilot
-
-[Windows Autopilot](/mem/autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019, LTSC 2021, and later versions. Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. 
-
-Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information.
-
-Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. 
-
-You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices).
-
-The following new Windows Autopilot features are available in Windows 10, version 1903 and later:
-
-- [Windows Autopilot for for pre-provisioned deployment](/windows/deployment/windows-autopilot/pre-provision) is now available. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
-- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​.
-- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
-- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot) is available. Co-management and Autopilot together can help you reduce cost and improve the end user experience.
-- Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**.
-- You can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support.
-- If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages.  In previous versions, this was only supported with self-deploying profiles.
-
 ## Microsoft Intune
 
 Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles.
@@ -184,6 +156,8 @@ Intune has also added capabilities to [Role-based access control](/mem/intune/fu
 
 For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
 
+## Deployment
+
 ### SetupDiag
 
 [SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
@@ -192,7 +166,7 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft
 
 [**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space.  Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs.  It will not be enabled when updating from a previous version of Windows 10. 
 
-#### Microsoft Endpoint Manager
+### Microsoft Endpoint Manager
 
 Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
 

From b418f947aa914332f4f252ca2056c45b29cc7305 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Fri, 12 Nov 2021 17:33:01 -0800
Subject: [PATCH 073/104] remove Autopilot from LTSC 2019 since it is not in
 the test matrix

---
 .../ltsc/whats-new-windows-10-2019.md         | 36 +------------------
 1 file changed, 1 insertion(+), 35 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 256dad7a3a..deb9fbb6e5 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
 
 ## Microsoft Intune
 
-Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later.  This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching.
 
 ## Security
 
@@ -188,26 +188,6 @@ This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocke
 
 This feature will soon be enabled on Olympia Corp as an optional feature.
 
-#### Delivering BitLocker policy to AutoPilot devices during OOBE 
-
-You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. 
-
-For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
-
-To achieve this:
-
-1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. 
-
-2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. 
-
-   > [!IMPORTANT]
-   > The encryption policy must be assigned to **devices** in the group, not users.
-
-3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. 
-
-   > [!IMPORTANT]
-   > If the ESP is not enabled, the policy will not apply before encryption starts.
-
 ### Identity protection
 
 Improvements have been added are to Windows Hello for Business and Credential Guard.
@@ -292,20 +272,6 @@ We’ve continued to work on the **Current threats** area in  [Virus & threat pr
 
 ## Deployment
 
-### Windows Autopilot
-
-[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. 
-
-Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information.
-
-Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. 
-
-You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices).
-
-#### Autopilot Reset	
-
-IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset).
-
 ### MBR2GPT.EXE
 
 MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).

From 7482dfc0e128b83a422c972b3c732187a2d75bfe Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Sat, 13 Nov 2021 08:53:23 -0800
Subject: [PATCH 074/104] reword lifecycle statement

---
 windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 7d95ecfaed..e970e0e279 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -31,7 +31,7 @@ The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements
 ## Lifecycle
 
 > [!IMPORTANT]
-> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle (except for IoT). It is not a direct replacement for LTSC 2019, which continues to have a 10 year lifecycle.
+> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2) continues to have a [10 year lifecycle](/windows/iot/product-family/product-lifecycle?tabs=2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle.
 
 For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232).
 

From be6ac5a4be4e73b8fd6adf4a81e40fe6caeaadb6 Mon Sep 17 00:00:00 2001
From: Andrei-George Stoica 
Date: Mon, 15 Nov 2021 13:07:39 +0200
Subject: [PATCH 075/104] Adding PowerShell alternative since WMIC is not
 supported on Win11

---
 windows/deployment/windows-10-subscription-activation.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 4d6d62258a..77ecc22723 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -249,6 +249,11 @@ changepk.exe /ProductKey %ProductKey%
 )
 ```
 
+Since [WMIC was deprecated](https://docs.microsoft.com/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, run this PowerShell alternative:
+```console
+$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;.\changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
+```
+
 ### Obtaining an Azure AD license
 
 Enterprise Agreement/Software Assurance (EA/SA):

From cf92087da30e30811da2899367d7bb2782d65120 Mon Sep 17 00:00:00 2001
From: MandiOhlinger 
Date: Mon, 15 Nov 2021 09:43:53 -0500
Subject: [PATCH 076/104] Fixed issues

---
 .../upgrade/windows-10-upgrade-paths.md       | 52 +++++++++++++------
 1 file changed, 37 insertions(+), 15 deletions(-)

diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index e1cd089600..600631905f 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -26,19 +26,23 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
 
 If you are also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths, but please note that applications and settings are not maintained when the Windows edition is downgraded.
 
-> **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information.
-> 
-> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported.  **Note**: Windows 10 LTSC 2015 did not block this upgrade path.  This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
-> 
-> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
-> 
-> **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
+- **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information.
+
+- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options.
+
+  You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
+
+- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+
+- **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
+
+## Windows 10
+
+✔ = Full upgrade is supported including personal data, settings, and applications.
 
-✔ = Full upgrade is supported including personal data, settings, and applications.
                    
 D = Edition downgrade; personal data is maintained, applications and settings are removed.
 
-### Windows 10
-
+---
 | | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
 |---|---|---|---|---|---|
 | **Home**  | | ✔  | ✔  | ✔  | |
@@ -46,8 +50,15 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
 | **Education**  | | | | | D  |
 | **Enterprise**  | | | | ✔ | |
 
-### Windows 8.1
+---
 
+## Windows 8.1
+
+✔ = Full upgrade is supported including personal data, settings, and applications.
+
+D = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+---
 |  | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
 |---|---|---|---|---|---|
 | **(Core)**  | ✔  | ✔  | ✔  | ✔  | |
@@ -58,8 +69,15 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
 | **Enterprise**  | | | | ✔  | ✔  |
 | **Embedded Industry** | | | | | ✔  |
 
-### Windows 7
+---
 
+## Windows 7
+
+✔ = Full upgrade is supported including personal data, settings, and applications.
+
+D = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+---
 |  | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise |
 |---|---|---|---|---|---|
 | **Starter**   | ✔  | ✔  | ✔  | ✔  | |
@@ -69,8 +87,12 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
 | **Ultimate**  | D  | ✔   | ✔   | ✔  | ✔  |
 | **Enterprise**  |  |  |  | ✔  | ✔  |
 
+---
+
 ## Related Topics
 
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
                    
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
                    
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
\ No newline at end of file
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+
+[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)

From cc8f21a8efd04b898ec124ae6fe8c7d84fffa76e Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Mon, 15 Nov 2021 09:48:26 -0500
Subject: [PATCH 077/104] Fixed link

---
 windows/deployment/windows-10-subscription-activation.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 77ecc22723..82a034b94b 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -249,7 +249,7 @@ changepk.exe /ProductKey %ProductKey%
 )
 ```
 
-Since [WMIC was deprecated](https://docs.microsoft.com/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, run this PowerShell alternative:
+Since [WMIC was deprecated](/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, run this PowerShell alternative:
 ```console
 $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;.\changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
 ```

From eef2624f5ab1ccf0f9b4137b067314e0d528b609 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Mon, 15 Nov 2021 09:51:15 -0500
Subject: [PATCH 078/104] Updated wording

---
 windows/deployment/windows-10-subscription-activation.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 82a034b94b..b1ac84715b 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -231,7 +231,7 @@ If you are running Windows 10, version 1803 or later, Subscription Activation wi
 
 If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
 
-If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
+If the computer has never been activated with a Pro key, run the following script. Copy the text below into a `.cmd` file, and run the file from an elevated command prompt:
 
 ```console
 @echo off
@@ -249,8 +249,9 @@ changepk.exe /ProductKey %ProductKey%
 )
 ```
 
-Since [WMIC was deprecated](/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, run this PowerShell alternative:
-```console
+Since [WMIC was deprecated](/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, you can use the following Windows PowerShell script instead:
+
+```powershell
 $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;.\changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
 ```
 

From 2f5cbef11963d053562b91b481f5dc3c2c669891 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Mon, 15 Nov 2021 13:48:04 -0800
Subject: [PATCH 079/104] major revision

---
 .../ltsc/whats-new-windows-10-2021.md         | 215 ++++++++++--------
 1 file changed, 121 insertions(+), 94 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index e970e0e279..7fd18584e1 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -35,22 +35,103 @@ The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements
 
 For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232).
 
-## Microsoft Edge
+## Hardware security
 
-Microsoft Edge Browser support is now included in-box.
+### System Guard
 
-### Microsoft Edge kiosk mode
+[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets.
 
-Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2).
+In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
 
-Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
-- Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
-- Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
-- Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
+With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. 
 
-## Security
+There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon.
 
-### Windows Hello
+## Operating system security
+
+### System security
+
+[Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. 
+
+### Encryption and data protection
+
+BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
+
+### Network security
+
+#### Windows Defender Firewall
+
+Windows Defender Firewall now offers the following benefits: 
+
+**Reduce risk**: Windows Defender Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. 
+
+**Safeguard data**: With integrated Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. 
+
+**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). 
+
+The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows. 
+
+Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on other tools.
+
+Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](/windows/wsl/); You can add rules for WSL process, just like for Windows processes. For more information, see [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97).
+
+### Virus and threat protection
+
+- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
+- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+    - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
+    - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
+- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
+
+- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
+- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
+- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
+- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies.
+- **Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
+
+Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
+
+## Application security
+
+### App isolation
+
+[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
+
+#### Microsoft Defender Application Guard
+
+[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: 
+  - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
+  - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+
+    To try this extension: 
+    1. Configure Application Guard policies on your device.
+    2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
+    3. Follow any additional configuration steps on the extension setup page.
+    4. Reboot the device.
+    5. Navigate to an untrusted site in Chrome and Firefox.
+
+  Application Guard allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+
+Application Guard performance is improved with optimized document opening times:
+- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
+- A memory issue is fixed that could cause a Application Guard container to use almost 1 GB of working set memory when the container is idle.
+- The performance of Robocopy is improved when copying files over 400 MB in size.
+
+[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
+
+Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
+
+### Application Control
+
+[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker.
+    - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
+    - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                    
+    This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
+    - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+
+## Identity and privacy
+
+### Secured identity
 
 - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
 - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
@@ -63,90 +144,27 @@ Microsoft Edge kiosk mode offers two lockdown experiences of the browser so orga
 - Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
 - [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
 
-### Windows Information Protection
+### Credential protection
 
 #### Windows Defender Credential Guard
 
 [Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
 
-#### Microsoft Defender for Endpoint
+### Privacy controls
 
-- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
-- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
-    - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
-    - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
-- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
-
-- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
-- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
-- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
-- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies.
-- **Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
-
-Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
-
-### Threat Protection
-
-- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
 - [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
 
-#### Microsoft Defender Application Guard
+## Cloud Services
 
-- [Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: 
-  - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
-  - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+### Microsoft Endpoint Manager
 
-    To try this extension: 
-    1. Configure Application Guard policies on your device.
-    2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
-    3. Follow any additional configuration steps on the extension setup page.
-    4. Reboot the device.
-    5. Navigate to an untrusted site in Chrome and Firefox.
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
 
-  - Application Guard allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+### Configuration Manager
 
-Application Guard performance is improved with optimized document opening times:
-- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
-- A memory issue is fixed that could cause a Application Guard container to use almost 1 GB of working set memory when the container is idle.
-- The performance of Robocopy is improved when copying files over 400 MB in size.
+An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
 
-[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
-
-Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
-
-#### Windows Defender Application Control
-
-- [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker.
-    - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
-    - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                    
-    This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
-    - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
-
-#### Windows Defender System Guard
-
-[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets.
-
-In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
-
-With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. 
-
-There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon.
-
-### Security management
-
-- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes. 
-- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. 
-- [Tamper Protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
-
-#### Microsoft BitLocker
-
-BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
-
-#### Key-rolling and Key-rotation
-
-Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
-
-## Microsoft Intune
+#### Microsoft Intune
 
 Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles.
 
@@ -156,6 +174,19 @@ Intune has also added capabilities to [Role-based access control](/mem/intune/fu
 
 For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
 
+### Mobile Device Management
+
+Mobile Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy.
+
+For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
+
+Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios:
+- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report.
+
+#### Key-rolling and Key-rotation
+
+This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+
 ## Deployment
 
 ### SetupDiag
@@ -166,14 +197,6 @@ For a full list of what's new in Microsoft Intune, see [What's new in Microsoft
 
 [**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space.  Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs.  It will not be enabled when updating from a previous version of Windows 10. 
 
-### Microsoft Endpoint Manager
-
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
-
-An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
-
-Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
-        .
 ### Windows Assessment and Deployment Toolkit (ADK)
 
 A new [Windows ADK](/windows-hardware/get-started/adk-install) is available for Windows 11 that also supports Windows 10, version 21H2.
@@ -194,14 +217,18 @@ Improvements in Windows Setup with this release also include:
 
 For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464).
 
-## Device management
+## Microsoft Edge
 
-Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy.
+Microsoft Edge Browser support is now included in-box.
 
-For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
+### Microsoft Edge kiosk mode
 
-Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios:
-- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report.
+Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2).
+
+Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
+- Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
+- Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
+- Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
 
 ## Windows Subsystem for Linux
 

From 8cb882d1d13df8768718a49627ee634462aefa16 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Mon, 15 Nov 2021 13:59:45 -0800
Subject: [PATCH 080/104] formatting

---
 .../ltsc/whats-new-windows-10-2021.md         | 44 +++++++++++--------
 1 file changed, 25 insertions(+), 19 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 7fd18584e1..816d0993de 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -77,19 +77,24 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
 
 ### Virus and threat protection
 
-- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
-- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
-    - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
-    - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
-- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
+[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
+[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+  - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
+  - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
+[Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
 
-- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
-- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
-- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
-- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies.
-- **Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
+**Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
 
-Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
+**Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
+
+**Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
+
+**Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies.
+
+**Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
+
+> [!NOTE]
+> The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
 
 ## Application security
 
@@ -99,8 +104,8 @@ Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security
 
 #### Microsoft Defender Application Guard
 
-[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: 
-  - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
+[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include: 
+  - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
   - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
 
     To try this extension: 
@@ -110,7 +115,7 @@ Note: [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security
     4. Reboot the device.
     5. Navigate to an untrusted site in Chrome and Firefox.
 
-  Application Guard allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+  **Dynamic navigation**: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
 
 Application Guard performance is improved with optimized document opening times:
 - An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
@@ -119,20 +124,21 @@ Application Guard performance is improved with optimized document opening times:
 
 [Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
 
-Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
+**Application Guard now supports Office**: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
 
 ### Application Control
 
 [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker.
-    - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
-    - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                    
+  - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
+  - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                    
     This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
-    - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+  - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
 
 ## Identity and privacy
 
 ### Secured identity
 
+Windows Hello enhancements include:
 - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
 - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
 - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
@@ -152,7 +158,7 @@ Microsoft Defender Application Guard now supports Office: With [Microsoft Defend
 
 ### Privacy controls
 
-- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
+[Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
 
 ## Cloud Services
 

From 659e2f23689e35db2592cbb685d4a1cbc5d4d4fd Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Mon, 15 Nov 2021 14:06:55 -0800
Subject: [PATCH 081/104] grammar

---
 windows/whats-new/ltsc/whats-new-windows-10-2021.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 816d0993de..c9b5348cd7 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -18,7 +18,7 @@ ms.topic: article
 **Applies to**
 -   Windows 10 Enterprise LTSC 2021
 
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
 
 > [!NOTE]
 > Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
                    
@@ -41,7 +41,7 @@ For more information about the lifecycle for this release, see [The next Windows
 
 [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets.
 
-In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
+In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO.
 
 With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. 
 
@@ -55,7 +55,7 @@ There are already devices in the market today that offer SMM Firmware Protection
 
 ### Encryption and data protection
 
-BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
+BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM-managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive.
 
 ### Network security
 
@@ -119,7 +119,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
 
 Application Guard performance is improved with optimized document opening times:
 - An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
-- A memory issue is fixed that could cause a Application Guard container to use almost 1 GB of working set memory when the container is idle.
+- A memory issue is fixed that could cause an Application Guard container to use almost 1 GB of working set memory when the container is idle.
 - The performance of Robocopy is improved when copying files over 400 MB in size.
 
 [Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
@@ -129,7 +129,7 @@ Application Guard performance is improved with optimized document opening times:
 ### Application Control
 
 [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker.
-  - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
+  - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
   - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
                    
     This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
   - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
@@ -191,7 +191,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
 
 #### Key-rolling and Key-rotation
 
-This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
 
 ## Deployment
 

From 0aa7b1210dac25d3bf66e5cb352034f13b28fe2e Mon Sep 17 00:00:00 2001
From: Dan Pandre <54847950+DanPandre@users.noreply.github.com>
Date: Mon, 15 Nov 2021 17:40:12 -0500
Subject: [PATCH 082/104] Document 32-bit png limitation

---
 windows/client-management/mdm/surfacehub-csp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index ad67b668bb..147c460f3b 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -295,7 +295,7 @@ SurfaceHub
 
                    The data type is boolean. Supported operation is Get and Replace.
 
 **InBoxApps/Welcome/CurrentBackgroundPath**
-
                    Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
+
                    Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
 
 
                    The data type is string. Supported operation is Get and Replace.
 

From b614cfa7fc3124ccfa519f48757854b187f05ba8 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Mon, 15 Nov 2021 14:52:29 -0800
Subject: [PATCH 083/104] apologies, a minor correction

---
 windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index c9b5348cd7..dd77d477f7 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -24,7 +24,7 @@ This article lists new and updated features and content that is of interest to I
 > Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
                    
 > The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
 
-Windows 10 Enterprise LTSC 2021 builds on Windows 10 Pro, version 21H2, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. 
+Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. 
 
 The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. 
 

From a1d1143670eaff5d48a72e2dc30179d009ba56dc Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Mon, 15 Nov 2021 14:53:50 -0800
Subject: [PATCH 084/104] second minor correction

---
 windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index dd77d477f7..03d6ae1367 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -26,7 +26,7 @@ This article lists new and updated features and content that is of interest to I
 
 Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. 
 
-The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, and 21H1. Details about these enhancements are provided below. 
+The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, 21H1, and 21H2. Details about these enhancements are provided below. 
 
 ## Lifecycle
 

From 84dbc8fb9eda95ba46fa31269ffca9f757769847 Mon Sep 17 00:00:00 2001
From: greg-lindsay 
Date: Mon, 15 Nov 2021 15:06:32 -0800
Subject: [PATCH 085/104] removing consumer feature

---
 windows/whats-new/ltsc/whats-new-windows-10-2021.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 03d6ae1367..60fa7af555 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -147,7 +147,6 @@ Windows Hello enhancements include:
 - Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
 - [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
 - [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
-- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
 - [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
 
 ### Credential protection

From 9a2c4eb57b19baf5e5660d6f36349e388b90f2af Mon Sep 17 00:00:00 2001
From: David Strome 
Date: Mon, 15 Nov 2021 15:13:49 -0800
Subject: [PATCH 086/104] archive test

---
 windows/manage/TOC.yml |  2 ++
 windows/manage/test.md | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 windows/manage/TOC.yml
 create mode 100644 windows/manage/test.md

diff --git a/windows/manage/TOC.yml b/windows/manage/TOC.yml
new file mode 100644
index 0000000000..892ce64421
--- /dev/null
+++ b/windows/manage/TOC.yml
@@ -0,0 +1,2 @@
+- name: Test
+  href: test.md
diff --git a/windows/manage/test.md b/windows/manage/test.md
new file mode 100644
index 0000000000..36d16a3f6b
--- /dev/null
+++ b/windows/manage/test.md
@@ -0,0 +1,19 @@
+---
+title: Test
+description: Test
+ms.prod: w11
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: dstrome
+ms.author: dstrome
+ms.reviewer: 
+manager: dstrome
+ms.topic: article
+---
+
+# Test
+
+## Deployment planning
+
+This article provides guidance to help you plan for Windows 11 in your organization.
+

From 6d53fc73049fed5890a928f2b3f44127604aa483 Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Mon, 15 Nov 2021 16:34:56 -0800
Subject: [PATCH 087/104] Acrolinx: "navigations"

---
 windows/whats-new/ltsc/whats-new-windows-10-2021.md    | 2 +-
 windows/whats-new/whats-new-windows-10-version-1903.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index 60fa7af555..6364bc3fd1 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -106,7 +106,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
 
 [Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include: 
   - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
-  - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+  - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
 
     To try this extension: 
     1. Configure Application Guard policies on your device.
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index d8febd294c..e3e4fd0740 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -94,7 +94,7 @@ The draft release of the [security configuration baseline settings](/archive/blo
 
 - [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: 
   - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
-  - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+  - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
 
     To try this extension: 
     1. Configure WDAG policies on your device.

From 411b642e1e965416ef2681c673d21a9b0af7b3b0 Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Mon, 15 Nov 2021 16:39:28 -0800
Subject: [PATCH 088/104] Add lightbox for readability

---
 windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index deb9fbb6e5..8bdcb44218 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection,
 
 The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. 
 
-![Microsoft Defender for Endpoint.](../images/wdatp.png)
+[ ![Microsoft Defender for Endpoint.](../images/wdatp.png) ](../images/wdatp.png#lightbox)
 
 ##### Attack surface reduction 
 

From 5b1ed1d178087b0e35b0bbb6ee5b7a8c32b52703 Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Mon, 15 Nov 2021 16:41:38 -0800
Subject: [PATCH 089/104] Consolidate alt text

---
 windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 8bdcb44218..aadeb278f7 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -268,7 +268,7 @@ A new security policy setting
 
 We’ve continued to work on the **Current threats** area in  [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: 
 
-![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings")
+![Virus & threat protection settings in Windows S mode.](../images/virus-and-threat-protection.png)
 
 ## Deployment
 

From d1926ea12acb7b892a45aaed961a8320f85ca4cb Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Mon, 15 Nov 2021 16:42:52 -0800
Subject: [PATCH 090/104] Add automatic border

---
 windows/whats-new/ltsc/whats-new-windows-10-2019.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index aadeb278f7..4568258c47 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -268,7 +268,8 @@ A new security policy setting
 
 We’ve continued to work on the **Current threats** area in  [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: 
 
-![Virus & threat protection settings in Windows S mode.](../images/virus-and-threat-protection.png)
+> [!div class="mx-imgBorder"]
+> ![Virus & threat protection settings in Windows S mode.](../images/virus-and-threat-protection.png)
 
 ## Deployment
 

From 4d06c3098078b304175bb2de8ca436410d5be5c5 Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com>
Date: Tue, 16 Nov 2021 09:43:01 -0800
Subject: [PATCH 091/104] Update
 appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md

indent table in step
---
 ...tion-groups-on-a-stand-alone-computer-with-powershell.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 1582199d12..8c9cc3e533 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -84,9 +84,9 @@ This topic explains the following procedures:
 
 2.  Run the following cmdlet and parameter:
 
-|Cmdlet|Parameter and values|Example|
-|--- |--- |--- |
-|Set-AppvClientConfiguration|-RequirePublishAsAdmin
                  • 0 - False
                  • 1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin
                    1|
+    |Cmdlet|Parameter and values|Example|
+    |--- |--- |--- |
+    |Set-AppvClientConfiguration|-RequirePublishAsAdmin
                  • 0 - False
                  • 1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin
                    1|
 
 
                    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
 

From 537e775accddcb6db3f35a9d986dc4d0c558b6fc Mon Sep 17 00:00:00 2001
From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com>
Date: Tue, 16 Nov 2021 09:49:35 -0800
Subject: [PATCH 092/104] Update
 appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md

indent other table
---
 ...on-groups-on-a-stand-alone-computer-with-powershell.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 8c9cc3e533..ab5b11444d 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -69,10 +69,10 @@ This topic explains the following procedures:
 
 2.  Use the following cmdlets, and add the optional **–UserSID** parameter, where **-UserSID** represents the end user’s security identifier (SID):
 
-|Cmdlet|Examples|
-|--- |--- |
-|Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
-|Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
+    |Cmdlet|Examples|
+    |--- |--- |
+    |Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
+    |Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
 
 ## To allow only administrators to enable connection groups
 

From 2f78e4e3175eb4f8b05d6d2ee16e4ae9eb8c1e2b Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Tue, 16 Nov 2021 13:55:40 -0500
Subject: [PATCH 093/104] Removed HTML; Formatting

---
 .../mdm/healthattestation-csp.md              | 1074 +++++++++--------
 1 file changed, 578 insertions(+), 496 deletions(-)

diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index b29bed482b..3f2e38b93b 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -30,48 +30,42 @@ Windows 11 introduces an update to the device health attestation feature. This h
 The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device.
 
 ### Terms
-**TPM (Trusted Platform Module)**
-
                    TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
                    
 
-**DHA (Device HealthAttestation) feature**
-
                    The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
                    
+- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
 
-**MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)**
-
                    The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
                    
+- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
 
-**MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**
-
                    The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.
                    
-
                    The following list of operations is performed by MAA-CSP:
                    
-
                      
-
                    • Receives attestation trigger requests from a HealthAttestation enabled MDM provider.
                      • 
-
                    • The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device.
                      • 
-
                    • Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider.
                      • 
-
                    • Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device.
                      • 
-
                    
+- **MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)**: The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
 
-**MAA endpoint**
-Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint.
+- **MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)**: The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.
 
-**JWT (JSON Web Token)**
-JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.
+  The following list of operations is performed by MAA-CSP:
+
+  - Receives attestation trigger requests from a HealthAttestation enabled MDM provider.
+  - The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device.
+  - Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider.
+  - Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device.
+
+- **MAA endpoint**: Microsoft Azure attestation service is an Azure resource, and every instance of the service gets administrator configured URL. The URI generated is unique in nature and for the purposes of device health attestation is known as the MAA endpoint.
+
+- **JWT (JSON Web Token)**: JSON Web Token (JWT) is an open standard RFC7519 method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.
 
 ### Attestation Flow with Microsoft Azure Attestation Service
 
 ![Attestation Flow with Microsoft Azure Attestation Service](./images/maa-attestation-flow.png)
 
-
                    
-
                    Attestation flow can be broadly in three main steps:
                    
-
                      
-    
                    • An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
                      • 
-    
                    • The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.
                      • 
-    
                    • The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
                      • 
-
                    
+Attestation flow can be broadly in three main steps:
 
-The protocol implemented can be found here:  Attestation Protocol.
+- An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features.
+- The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved.
+- The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device.
+
+For more information, see [Attestation Protocol](/azure/attestation/virtualization-based-security-protocol).
 
 ### Configuration Service Provider Nodes
 Windows 11 introduces additions to the HealthAttestation CSP node to integrate with Microsoft Azure Attestation service.
-```
+
+```console
 ./Vendor/MSFT
 HealthAttestation
 ----...
@@ -92,16 +86,17 @@ HealthAttestation
 ----MaxSupportedProtocolVersion
 ```
 
-
 **./Vendor/MSFT/HealthAttestation**  
-
                    The root node for the device HealthAttestation configuration service provider.
                    
+
+The root node for the device HealthAttestation configuration service provider.
 
 **TriggerAttestation** (Required)  
-
                    Node type: EXECUTE
-This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned.
-
                    
 
-
                    Templated SyncML Call:
                    
+Node type: EXECUTE
+
+This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned.
+
+Templated SyncML Call:
 
 ```xml
 
@@ -127,16 +122,15 @@ This node will trigger attestation flow by launching an attestation process. If
 
 ```
 
-
                    Data fields:
                    
-
                      
-
                    • rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
                      • 
-
                    • serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
                      • 
-
                    • nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
                      • 
-
                    • aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service.
                      • 
-
                    • cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.
                      • 
-
                    
+Data fields:
 
-
                    Sample Data:
                    
+- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
+- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
+- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
+- aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service.
+- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes.
+
+Sample Data:
 
 ```json
 
@@ -151,12 +145,13 @@ This node will trigger attestation flow by launching an attestation process. If
 ```
 
 **AttestStatus**
-
                    Node type: GET
+
+Node type: GET
+
 This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step.
 The status is always cleared prior to making the attest service call.
-
                    
 
-
                    Templated SyncML Call:
                    
+Templated SyncML Call:
 
 ```xml
 
@@ -175,20 +170,21 @@ The status is always cleared prior to making the attest service call.
 
 ```
 
-
                    Sample Data:
                    
+Sample Data:
 
-```
+```console
 If Successful: 0
 If Failed: A corresponding HRESULT error code
 Example: 0x80072efd,  WININET_E_CANNOT_CONNECT
 ```
 
 **GetAttestReport**
-
                    Node type: GET
-This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store.
-
                    
 
-
                    Templated SyncML Call:
                    
+Node type: GET
+
+This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store.
+
+Templated SyncML Call:
 
 ```xml
 
@@ -207,9 +203,9 @@ This node will retrieve the attestation report per the call made by the TriggerA
 
 ```
 
-
                    Sample data:
                    
+Sample data:
 
-```
+```console
 If Success:
 JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc
 If failed:
@@ -218,10 +214,12 @@ OR Sync ML 404 error if not cached report available.
 ```
 
 **GetServiceCorrelationIDs**
-
                    Node type: GET
+
+Node type: GET
+
 This node will retrieve the service-generated correlation IDs for the given MDM provider. If there are more than one correlation IDs, they are separated by “;” in the string.
-
                    
-
                    Templated SyncML Call:
                    
+
+Templated SyncML Call:
 
 ```xml
 
@@ -240,226 +238,220 @@ This node will retrieve the service-generated correlation IDs for the given MDM
 
 ```
 
-
                    Sample data:
                    
+Sample data:
 
-> If success:
-> GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM
-> If Trigger Attestation call failed and no previous data is present. The field remains empty.
-> Otherwise, the last service correlation id will be returned. In a successful attestation there are two 
-> calls between client and MAA and for each call the GUID is separated by semicolon.
+```console
+If success:
+GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM
+If Trigger Attestation call failed and no previous data is present. The field remains empty.
+Otherwise, the last service correlation id will be returned. In a successful attestation there are two 
+calls between client and MAA and for each call the GUID is separated by semicolon.
+```
 
-> **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported.
+> [!NOTE]
+> > MAA CSP nodes are available on arm64 but is not currently supported.
 
 
 ### MAA CSP Integration Steps
-
                      
-
                    1. Set up a MAA provider instance:
                      
-MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
                      2. 
-
                    2. Update the provider with an appropriate policy:
                      
-The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs
-
                      A Sample attestation policy:
 
-```
-version=1.2;
+1. Set up a MAA provider instance: MAA instance can be created following the steps at [Quickstart: Set up Azure Attestation by using the Azure portal](/azure/attestation/quickstart-portal].
 
-configurationrules{
-};
+2. Update the provider with an appropriate policy: The MAA instance should be updated with an appropriate policy. For more information, see [How to author an Azure Attestation policy](/azure/attestation/claim-rule-grammar).
 
-authorizationrules { 
+    A Sample attestation policy:
+
+    ```console
+    version=1.2;
+
+    configurationrules{
+    };
+
+    authorizationrules { 
     => permit();
-};
+    };
 
-issuancerules{
+    issuancerules{
 
-// SecureBoot enabled 
-c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
-c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
-![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
+    // SecureBoot enabled 
+    c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
+    c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
+    ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
 
-// Retrieve bool properties
-c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));
-c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));
-![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);
+    // Retrieve bool properties
+    c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));
+    c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));
+    ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);
 
-// Bitlocker Boot Status, The first non zero measurement or zero.
-c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
-c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]")));
-[type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true);
-![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false);
+    // Bitlocker Boot Status, The first non zero measurement or zero.
+    c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+    c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]")));
+    [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true);
+    ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false);
 
-// Elam Driver (windows defender) Loaded
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
-[type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true);
-![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false);
+    // Elam Driver (windows defender) Loaded
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`")));
+    [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true);
+    ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false);
 
-// Boot debugging
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));
-c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
-![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);
+    // Boot debugging
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));
+    c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
+    ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);
 
-// Kernel Debugging
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));
-c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
-![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);
+    // Kernel Debugging
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));
+    c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));
+    ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);
 
-// DEP Policy
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]")));
-![type=="depPolicy"] => issue(type="depPolicy", value=0);
+    // DEP Policy
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]")));
+    ![type=="depPolicy"] => issue(type="depPolicy", value=0);
 
-// Test Signing
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));
-c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));
-![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);
+    // Test Signing
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING")));
+    c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false));
+    ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);
 
-// Flight Signing
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING")));
-c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));
-![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);
+    // Flight Signing
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING")));
+    c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));
+    ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);
 
-// VSM enabled
-c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
-c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED")));
-c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));
-c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true));
-![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false);
-c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);
+    // VSM enabled
+    c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));
+    c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED")));
+    c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));
+    c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true));
+    ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false);
+    c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);
 
-// HVCI
-c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));
-c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));
-![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);
+    // HVCI
+    c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));
+    c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));
+    ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);
 
-// IOMMU
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));
-c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));
-![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);
+    // IOMMU
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));
+    c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));
+    ![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);
 
-// Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements
-// Find the first EV_SEPARATOR in PCR 12, 13, Or 14
-c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
-c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
-[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); 
+    // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements
+    // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
+    c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
+    c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
+    [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); 
 
-// Find the first EVENT_APPLICATION_SVN. 
-c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
-c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
-c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
+    // Find the first EVENT_APPLICATION_SVN. 
+    c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
+    c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
+    c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
 
-// The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN
-c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
+    // The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN
+    c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
 
-// OS Rev List Info
-c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]")));
+    // OS Rev List Info
+    c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]")));
 
-// Safe mode
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));
-c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));
-![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);
+    // Safe mode
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));
+    c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));
+    ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);
 
-// Win PE
-c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE")));
-c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));
-![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);
+    // Win PE
+    c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE")));
+    c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));
+    ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);
 
-// CI Policy
-c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));
+    // CI Policy
+    c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));
 
-// Secure Boot Custom Policy
-c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]")));
+    // Secure Boot Custom Policy
+    c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]")));
 
-// Find the first EV_SEPARATOR in PCR 12, 13, Or 14
-c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
-c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
-[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present
+    // Find the first EV_SEPARATOR in PCR 12, 13, Or 14
+    c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
+    c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
+    [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present
 
-//Finding the Boot App SVN
-// Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR
-c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));
-c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq"));
-c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));
+    //Finding the Boot App SVN
+    // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR
+    c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));
+    c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq"));
+    c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));
 
-// Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.
-c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
-c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
-c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
+    // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.
+    c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
+    c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
+    c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
 
-// Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. 
-c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
-c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
-c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
+    // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. 
+    c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
+    c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
+    c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
 
-// Finding the Boot Rev List Info
-c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]")));
+    // Finding the Boot Rev List Info
+    c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]")));
 
-};
-```
+    };
+    ```
 
-
                      3. 
-
                    3. Call TriggerAttestation with your rpid, AAD token and the attestURI:
                      
-Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Attestation) | Microsoft Docs
                      4. 
-
                    4. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:
                      
-GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy.
-
                      
+3. Call TriggerAttestation with your rpid, AAD token and the attestURI: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm).
 
-```json
-    {
-      "typ": "JWT",
-      "alg": "RS256",
-      "x5c": [
-        "MIIE.....=",
-        "MIIG.....=",
-        "MIIF.....="
-      ],
-      "kid": "8FUer20z6wzf1rod044wOAFdjsg"
-    }.{
-      "nbf": 1633664812,
-      "exp": 1634010712,
-      "iat": 1633665112,
-      "iss": "https://contosopolicy.eus.attest.azure.net",
-      "jti": "2b63663acbcafefa004d20969991c0b1f063c9be",
-      "ver": "1.0",
-      "x-ms-ver": "1.0",
-      "rp_data": "AQIDBA",
-      "nonce": "AQIDBA",
-      "cnf": {
-        "jwk": {
-          "kty": "RSA",
-          "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ",
-          "e": "AQAB"
-        }
-      },
-      "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0",
-      "WindowsDefenderElamDriverLoaded": true,
-      "bitlockerEnabled": true,
-      "bitlockerEnabledValue": 4,
-      "bootAppSvn": 1,
-      "bootDebuggingDisabled": true,
-      "bootMgrSvn": 1,
-      "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw",
-      "codeIntegrityEnabled": true,
-      "codeIntegrityPolicy": [
-        "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk",
-        "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o",
-        "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI",
-        "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc",
-        "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM"
-      ],
-      "depPolicy": 0,
-      "flightSigningNotEnabled": false,
-      "hvciEnabled": true,
-      "iommuEnabled": true,
-      "notSafeMode": true,
-      "notWinPE": true,
-      "osKernelDebuggingDisabled": true,
-      "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA",
-      "secureBootEnabled": true,
-      "testSigningDisabled": true,
-      "vbsEnabled": true
-    }.[Signature]
-```
-
                      5. 
-
                    
+4. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties: GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy.
+
+    ```json
+        {
+          "typ": "JWT",
+          "alg": "RS256",
+          "x5c": [
+            "MIIE.....=",
+            "MIIG.....=",
+            "MIIF.....="
+          ],
+          "kid": "8FUer20z6wzf1rod044wOAFdjsg"
+        }.{
+          "nbf": 1633664812,
+          "exp": 1634010712,
+          "iat": 1633665112,
+          "iss": "https://contosopolicy.eus.attest.azure.net",
+          "jti": "2b63663acbcafefa004d20969991c0b1f063c9be",
+          "ver": "1.0",
+          "x-ms-ver": "1.0",
+          "rp_data": "AQIDBA",
+          "nonce": "AQIDBA",
+          "cnf": {
+            "jwk": {
+              "kty": "RSA",
+              "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ",
+              "e": "AQAB"
+            }
+          },
+          "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0",
+          "WindowsDefenderElamDriverLoaded": true,
+          "bitlockerEnabled": true,
+          "bitlockerEnabledValue": 4,
+          "bootAppSvn": 1,
+          "bootDebuggingDisabled": true,
+          "bootMgrSvn": 1,
+          "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw",
+          "codeIntegrityEnabled": true,
+          "codeIntegrityPolicy": [
+            "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk", "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o", "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI", "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc", "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM"
+          ],
+          "depPolicy": 0,
+          "flightSigningNotEnabled": false,
+          "hvciEnabled": true,
+          "iommuEnabled": true,
+          "notSafeMode": true,
+          "notWinPE": true,
+          "osKernelDebuggingDisabled": true,
+          "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA",
+          "secureBootEnabled": true,
+          "testSigningDisabled": true,
+          "vbsEnabled": true
+        }.[Signature]
+    ```
 
 ### Learn More 
 
@@ -470,86 +462,75 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes
 
 ### Terms
 
-**TPM (Trusted Platform Module)**
-
                    TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. 
                    
+- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
 
-**DHA (Device HealthAttestation) feature**
-
                    The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
                    
+- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
 
-**DHA-Enabled device (Device HealthAttestation enabled device)**
-
                    A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
                    
+- **DHA-Enabled device (Device HealthAttestation enabled device)**: A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
 
-**DHA-Session (Device HealthAttestation session)**
-
                    The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
                    
+- **DHA-Session (Device HealthAttestation session)**: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
 
-
                    The following list of transactions is performed in one DHA-Session:
                    
-
                      
-
                    • DHA-CSP and DHA-Service communication:
-
                      • DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
                        • 
-
                      • DHA-Service replies with an encrypted data blob (DHA-EncBlob)
                        • 
-
                      • 
+  The following list of transactions is performed in one DHA-Session:
 
-
                    • DHA-CSP and MDM-Server communication: 
-
                      • MDM-Server sends a device health verification request to DHA-CSP
                        • 
-
                      • DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob 
                        • 
-
                      • 
+  - DHA-CSP and DHA-Service communication:
+    - DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
+    - DHA-Service replies with an encrypted data blob (DHA-EncBlob)
 
-
                    • MDM-Server and DHA-Service communication:
-
                      • MDM-Server posts data it receives from devices to DHA-Service
                        • 
-
                      • DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report)
                        • 
-
                      • 
-
                    
+  - DHA-CSP and MDM-Server communication: 
+    - MDM-Server sends a device health verification request to DHA-CSP
+    - DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob
 
-healthattestation session diagram
                    
-DHA session data (Device HealthAttestation session data)
-
                    The following list of data is produced or consumed in one DHA-Transaction:
                    
-
                      
-
                    • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health.
                      • 
-
                    • DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
                      • 
-
                    • DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time.
                      • 
-
                    • DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
-
                         
-
                      • DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service
                        • 
-
                      • DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP
                        • 
-
                      
-
                      • 
-
                    • DHA-Report: the report that is issued by DHA-Service to MDM-Server
                      • 
-
                    • Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks 
                      • 
-
                    
+  - MDM-Server and DHA-Service communication:
+    - MDM-Server posts data it receives from devices to DHA-Service
+    - DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report)
 
-DHA-Enabled MDM (Device HealthAttestation enabled device management solution)
-
                    Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
                    
-
                    DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
                    
-
                    The following list of operations is performed by DHA-Enabled-MDM
                    
-
                      
-
                    • Enables the DHA feature on a DHA-Enabled device
                      • 
-
                    • Issues device health attestation requests to enrolled/managed devices
                      • 
-
                    • Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification
                      • 
-
                    • Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action
                      • 
-
                    
+  ![DHA session healthattestation session diagram](./images/HealthAttestation_1.png)
 
-DHA-CSP (Device HealthAttestation Configuration Service Provider)
-
                    The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
                    
-
                    The following list of operations is performed by DHA-CSP:
                    
-
                      
-
                    • Collects device boot data (DHA-BootData) from a managed device
                      • 
-
                    • Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
                      • 
-
                    • Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
                      • 
-
                    • Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
                      • 
-
                    
+- **DHA session data (Device HealthAttestation session data)**: The following list of data is produced or consumed in one DHA-Transaction:
 
-DHA-Service (Device HealthAttestation Service)
-
                    Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
                    
+  - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health.
+  - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
+  - DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time.
+  - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
 
-
                    DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
                    
-
                    The following list of operations is performed by DHA-Service:
                    
+    - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service
+    - DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP
 
-- Receives device boot data (DHA-BootData) from a DHA-Enabled device
                    • 
-- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) 
                    • 
-- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
                    • 
-- Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)
+  - DHA-Report: the report that is issued by DHA-Service to MDM-Server
+  - Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks
 
-![healthattestation service diagram.](images/healthattestation_2.png)
+- **DHA-Enabled MDM (Device HealthAttestation enabled device management solution)**: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
+
+  DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
+
+  The following list of operations is performed by DHA-Enabled-MDM
+
+  - Enables the DHA feature on a DHA-Enabled device
+  - Issues device health attestation requests to enrolled/managed devices
+  - Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification
+  - Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action
+
+- **DHA-CSP (Device HealthAttestation Configuration Service Provider)**: The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
+
+  The following list of operations is performed by DHA-CSP:
+
+  - Collects device boot data (DHA-BootData) from a managed device
+  - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
+  - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
+  - Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
+
+- **DHA-Service (Device HealthAttestation Service)**: Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
+
+  DHA-Service is available in two flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
+
+  The following list of operations is performed by DHA-Service:
+
+  - Receives device boot data (DHA-BootData) from a DHA-Enabled device
+  - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
+  - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
+  - Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)
+
+![Health Attestation service diagram for the different DHS services](./images/HealthAttestation_2.png)
 
 |DHA-Service type|Description|Operation cost|
 |--- |--- |--- |
@@ -561,7 +542,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes
 
 The following shows the Device HealthAttestation configuration service provider in tree format. 
  
-```
+```console
 ./Vendor/MSFT
 HealthAttestation
 ----VerifyHealth
@@ -576,20 +557,24 @@ HealthAttestation
 ----PreferredMaxProtocolVersion
 ----MaxSupportedProtocolVersion
 ```
+
 **./Vendor/MSFT/HealthAttestation**  
-
                    The root node for the device HealthAttestation configuration service provider.
                    
+
+The root node for the device HealthAttestation configuration service provider.
 
 **VerifyHealth** (Required)  
-
                    Notifies the device to prepare a device health verification request.
                    
 
-
                    The supported operation is Execute.
                    
+Notifies the device to prepare a device health verification request.
+
+The supported operation is Execute.
 
 **Status** (Required)  
-
                    Provides the current status of the device health request.
                    
 
-
                    The supported operation is Get.
                    
+Provides the current status of the device health request.
 
-
                    The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes.
                    
+The supported operation is Get.
+
+The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes.
 
 -   0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
 -   1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
@@ -597,42 +582,47 @@ HealthAttestation
 -   3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup
 
 **ForceRetrieve** (Optional)  
-
                    Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
                    
 
-
                    Boolean value. The supported operation is Replace.
                    
+Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
+
+Boolean value. The supported operation is Replace.
 
 **Certificate** (Required)  
-
                    Instructs the DHA-CSP to forward DHA-Data to the MDM server.
                    
 
-
                    Value type is b64. The supported operation is Get.
                    
+Instructs the DHA-CSP to forward DHA-Data to the MDM server.
+
+Value type is b64. The supported operation is Get.
 
 **Nonce** (Required)  
-
                    Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
                    
 
-
                    The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
                    
+Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
 
-
                    The supported operations are Get and Replace.
                    
+The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
+
+The supported operations are Get and Replace.
 
 **CorrelationId** (Required)  
-
                    Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
                    
 
-
                    Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
                    
+Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
+
+Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
 
 **HASEndpoint** (Optional)
-
                    Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
                    
 
-
                    Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
                    
+Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
+
+Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
 
 **TpmReadyStatus** (Required)
-
                    Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
                    
-
                    Value type is integer. The supported operation is Get.
                    
 
-### **DHA-CSP integration steps**
+Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
 
+Value type is integer. The supported operation is Get.
+
+### DHA-CSP integration steps
 
 The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM):
 
-
 1.  [Verify HTTPS access](#verify-access)
 2.  [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service)
 3.  [Instruct client to prepare DHA-data for verification](#prepare-health-data)
@@ -644,14 +634,13 @@ The following list of validation and development tasks are required for integrat
 
 Each step is described in detail in the following sections of this topic.
 
-### **Step 1: Verify HTTPS access**
-
+### Step 1: Verify HTTPS access
 
 Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS).
 
 You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service:
 
-``` syntax
+```powershell
 PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443
 CONNECTED(000001A8)
 ---
@@ -696,8 +685,7 @@ SSL-Session:
     Verify return code: 20 (unable to get local issuer certificate)
 ```
 
-
-### **Step 2: Assign an enterprise trusted DHA-Service**
+### Step 2: Assign an enterprise trusted DHA-Service
 
 There are three types of DHA-Service:
 - Device Health Attestation – Cloud (owned and operated by Microsoft)
@@ -722,9 +710,7 @@ The following example shows a sample call that instructs a managed device to com
 
 ```
 
-
-### **Step 3: Instruct client to prepare health data for verification**
-
+### Step 3: Instruct client to prepare health data for verification
 
 Send a SyncML call to start collection of the DHA-Data.
 
@@ -750,7 +736,7 @@ The following example shows a sample call that triggers collection and verificat
 
 ```
 
-### **Step 4: Take action based on the clients response**
+### Step 4: Take action based on the clients response
 
 
 After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
@@ -778,7 +764,7 @@ Here is a sample alert that is issued by DHA_CSP:
 ```
 - If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).
 
-### **Step 5: Instruct the client to forward health attestation data for verification**
+### Step 5: Instruct the client to forward health attestation data for verification
 
 
 Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device.
@@ -815,39 +801,40 @@ Here is an example:
 
 ```
 
-### **Step 6: Forward device health attestation data to DHA-service**
-
+### Step 6: Forward device health attestation data to DHA-service
 
 In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response  to ./Vendor/MSFT/HealthAttestation/CorrelationId node).
 
-When the MDM-Server receives the above data, it must: 
+When the MDM-Server receives the above data, it must:
+
 - Log the CorrelationId it receives from the device (for future troubleshooting/reference), correlated to the call.
 - Decode the XML formatted data blob it receives from the device
 - Append the nonce that was generated by MDM service (add the nonce that was forwarded to the device in Step 5) to the XML structure that was forwarded by the device in following format:
 
-```xml
-
-
-    [INT]
-     [base64 blob, eg ‘ABc123+/…==’] 
-     [base64 blob, eg ‘ABc123+/...==’]
-    
-
-```
+  ```xml
+  
+  
+      [INT]
+       [base64 blob, eg ‘ABc123+/…==’] 
+       [base64 blob, eg ‘ABc123+/...==’]
+      
+  
+  ```
+
 - Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on:
-    - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3
-    - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3
+
+  - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3
+  - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3
 
 
-### **Step 7: Receive response from the DHA-service**
+### Step 7: Receive response from the DHA-service
 
 When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps:
 - Decrypts the encrypted data it receives.
 - Validates the data it has received 
 - Creates a report, and shares the evaluation results to the MDM server via SSL in XML format 
 
-### **Step 8: Take appropriate policy action based on evaluation results**
-
+### Step 8: Take appropriate policy action based on evaluation results
 
 After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be:
 
@@ -892,14 +879,16 @@ The following list of data points is verified by the DHA-Service in DHA-Report v
 Each of these are described in further detail in the following sections, along with the recommended actions to take.
 
 **Issued**
-
                    The date and time DHA-report was evaluated or issued to MDM.
                    
+
+The date and time DHA-report was evaluated or issued to MDM.
 
 **AIKPresent**  
-
                    When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
                    
 
-
                    If AIKPresent = True (1), then allow access.
                    
+When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
 
-
                    If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
                    
+If AIKPresent = True (1), then allow access.
+
+If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI assets
@@ -907,24 +896,27 @@ Each of these are described in further detail in the following sections, along w
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 
 **ResetCount** (Reported only for devices that support TPM 2.0)
-
                    This attribute reports the number of times a PC device has hibernated or resumed.
                    
+
+This attribute reports the number of times a PC device has hibernated or resumed.
 
 **RestartCount** (Reported only for devices that support TPM 2.0)
-
                    This attribute reports the number of times a PC device has rebooted
                    
+
+This attribute reports the number of times a PC device has rebooted.
 
 **DEPPolicy**  
-
                    A device can be trusted more if the DEP Policy is enabled on the device.
                    
 
-
                    Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
                    
+A device can be trusted more if the DEP Policy is enabled on the device.
 
-
                    DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
                    
+Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
+
+DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
 
 -   To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff**
 -   To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn**
 
-
                    If DEPPolicy = 1 (On), then allow access.
                    
+If DEPPolicy = 1 (On), then allow access.
 
-
                    If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
                    
+If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI assets
@@ -932,15 +924,16 @@ Each of these are described in further detail in the following sections, along w
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 
 **BitLockerStatus** (at boot time) 
-
                    When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
                    
 
-
                    Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
                    
+When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
 
-
                    If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
                    
+Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
 
-
                    If BitLockerStatus = 1 (On), then allow access.
                    
+If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
 
-
                    If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
                    
+If BitLockerStatus = 1 (On), then allow access.
+
+If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI assets
@@ -948,11 +941,12 @@ Each of these are described in further detail in the following sections, along w
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 
 **BootManagerRevListVersion**
-
                    This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
                    
 
-
                    If BootManagerRevListVersion = [CurrentVersion], then allow access.
                    
+This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
 
-
                    If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
                    
+If BootManagerRevListVersion = [CurrentVersion], then allow access.
+
+If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI and MBI assets
@@ -960,11 +954,12 @@ Each of these are described in further detail in the following sections, along w
 -   Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
 
 **CodeIntegrityRevListVersion**
-
                    This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
                    
 
-
                    If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
                    
+This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
 
-
                    If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
                    
+If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
+
+If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI and MBI assets
@@ -972,11 +967,12 @@ Each of these are described in further detail in the following sections, along w
 -   Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
 
 **SecureBootEnabled**  
-
                    When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
                    
 
-
                    If SecureBootEnabled = 1 (True), then allow access.
                    
+When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
 
-
                    If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
                    
+If SecureBootEnabled = 1 (True), then allow access.
+
+If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI assets
@@ -984,16 +980,17 @@ Each of these are described in further detail in the following sections, along w
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 
 **BootDebuggingEnabled**
-
                    Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
                    
 
-
                    Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
                    
+Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
+
+Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
 
 -   To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**
 -   To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**
 
-
                    If BootdebuggingEnabled = 0 (False), then allow access.
                    
+If BootdebuggingEnabled = 0 (False), then allow access.
 
-
                    If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
                    
+If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI assets
@@ -1001,11 +998,12 @@ Each of these are described in further detail in the following sections, along w
 -   Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.  
 
 **OSKernelDebuggingEnabled**
-
                    OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
                    
 
-
                    If OSKernelDebuggingEnabled = 0 (False), then allow access.
                    
+OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
 
-
                    If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
                    
+If OSKernelDebuggingEnabled = 0 (False), then allow access.
+
+If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI assets
@@ -1013,15 +1011,16 @@ Each of these are described in further detail in the following sections, along w
 -   Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
 
 **CodeIntegrityEnabled**  
-
                    When code integrity is enabled, code execution is restricted to integrity verified code.
                    
 
-
                    Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
                    
+When code integrity is enabled, code execution is restricted to integrity verified code.
 
-
                    On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
                    
+Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
 
-
                    If CodeIntegrityEnabled = 1 (True), then allow access.
                    
+On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
 
-
                    If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
                    
+If CodeIntegrityEnabled = 1 (True), then allow access.
+
+If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI assets
@@ -1029,16 +1028,17 @@ Each of these are described in further detail in the following sections, along w
 -   Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 
 **TestSigningEnabled**
-
                    When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
                    
 
-
                    Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
                    
+When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
+
+Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
 
 -   To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**
 -   To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**
 
-
                    If TestSigningEnabled = 0 (False), then allow access.
                    
+If TestSigningEnabled = 0 (False), then allow access.
 
-
                    If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
                    
+If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI and MBI assets
@@ -1046,33 +1046,36 @@ Each of these are described in further detail in the following sections, along w
 -   Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
 
 **SafeMode**  
-
                    Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
                    
 
-
                    If SafeMode = 0 (False), then allow access.
                    
+Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
 
-
                    If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
                    
+If SafeMode = 0 (False), then allow access.
+
+If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI assets
 -   Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
 
 **WinPE**  
-
                    Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
                    
 
-
                    If WinPE = 0 (False), then allow access.
                    
+Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
 
-
                    If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
                    
+If WinPE = 0 (False), then allow access.
+
+If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
 
 **ELAMDriverLoaded**  (Windows Defender)
-
                    To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
                    
 
-
                    In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM  (Windows Defender) was loaded during initial boot.
                    
+To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
 
-
                    If a device is expected to use a third-party antivirus program, ignore the reported state.
                    
+In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM  (Windows Defender) was loaded during initial boot.
 
-
                    If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
                    
+If a device is expected to use a third-party antivirus program, ignore the reported state.
 
-
                    If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
                    
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
+
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
 
 -   Disallow all access
 -   Disallow access to HBI assets
@@ -1080,61 +1083,63 @@ Each of these are described in further detail in the following sections, along w
 
 **Bcdedit.exe /set {current} vsmlaunchtype auto**
 
-
                    If ELAMDriverLoaded = 1 (True), then allow access.
                    
+If ELAMDriverLoaded = 1 (True), then allow access.
 
-
                    If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
                    
+If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Disallow access to HBI assets
 -   Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
 
 **VSMEnabled**  
-
                    Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.
                    
 
-
                    VSM can be enabled by using the following command in WMI or a PowerShell script:
                    
+Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.
 
-
                    bcdedit.exe /set {current} vsmlaunchtype auto
                    
+VSM can be enabled by using the following command in WMI or a PowerShell script:
 
-
                    If VSMEnabled = 1 (True), then allow access.
                    
-
                    If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
                    
+`bcdedit.exe /set {current} vsmlaunchtype auto`
+
+If VSMEnabled = 1 (True), then allow access.
+If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
 
 - Disallow all access
 - Disallow access to HBI assets
 - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue
 
 **PCRHashAlgorithmID**
-
                    This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
                    
+
+This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
 
 **BootAppSVN**
-
                    This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
                    
 
-
                    If reported BootAppSVN equals an accepted value, then allow access.
                    
+This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
 
- 
                    If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
                    
+If reported BootAppSVN equals an accepted value, then allow access.
+
+If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
 
 - Disallow all access
 - Direct the device to an enterprise honeypot, to further monitor the device's activities.
 
 **BootManagerSVN**
-
                    This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
                    
 
-
                    If reported BootManagerSVN equals an accepted value, then allow access.
                    
+This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
 
-
                    If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
                    
+If reported BootManagerSVN equals an accepted value, then allow access.
+
+If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
 
 - Disallow all access
 - Direct the device to an enterprise honeypot, to further monitor the device's activities.
 
 **TPMVersion**
 
-
                    This attribute identifies the version of the TPM that is running on the attested device.
                    
-
                    TPMVersion node provides to replies "1" and "2":
                    
-
                      
-
                    • 1 means TPM specification version 1.2
                      • 
-
                    • 2 means TPM specification version 2.0
                      • 
-
                    
+This attribute identifies the version of the TPM that is running on the attested device. TPMVersion node provides to replies "1" and "2":
 
-
                    Based on the reply you receive from TPMVersion node:
                    
+- 1 means TPM specification version 1.2
+- 2 means TPM specification version 2.0
+
+Based on the reply you receive from TPMVersion node:
 
 - If reported TPMVersion equals an accepted value, then allow access.
 - If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
@@ -1142,112 +1147,194 @@ Each of these are described in further detail in the following sections, along w
     - Direct the device to an enterprise honeypot, to further monitor the device's activities.
 
 **PCR0**
-
                    The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
                    
 
-
                    Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
                    
+The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
 
-
                    If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
                    
+Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
 
-
                    If PCR[0] equals an accepted allow list value, then allow access.
                    
+If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
 
-
                    If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
                    
+If PCR[0] equals an accepted allow list value, then allow access.
+
+If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
 
 -   Disallow all access
 -   Direct the device to an enterprise honeypot, to further monitor the device's activities.
 
 **SBCPHash**
-
                    SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
                    
 
-
                    If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
+SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
 
-
                    If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
                    
+If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
+
+If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
 
 - Disallow all access
 - Place the device in a watch list to monitor the device more closely for potential risks.
 
 **CIPolicy**
-
                    This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
                    
 
-
                    If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
                    
+This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
 
-
                    If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
                    
+If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
+
+If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
 
 - Disallow all access
 - Place the device in a watch list to monitor the device more closely for potential risks.
 
 **BootRevListInfo**
-
                    This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
                    
 
-
                    If reported BootRevListInfo version equals an accepted value, then allow access.
                    
+This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
 
-
                    If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
                    
+If reported BootRevListInfo version equals an accepted value, then allow access.
+
+If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
 
 - Disallow all access
 - Direct the device to an enterprise honeypot, to further monitor the device's activities.
 
 **OSRevListInfo**
-
                    This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
                    
 
-
                    If reported OSRevListInfo version equals an accepted value, then allow access.
                    
+This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
 
-
                    If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
                    
+If reported OSRevListInfo version equals an accepted value, then allow access.
+
+If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
 
 - Disallow all access
 - Direct the device to an enterprise honeypot, to further monitor the device's activities.  
 
 **HealthStatusMismatchFlags**
-
                    HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
                    
 
-
                    In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
                    
+HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
 
-### **Device HealthAttestation CSP status and error codes**
+In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
 
-|Error code|Error name|Description|
-|--- |--- |--- |
-|0|HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED|This is the initial state for devices that have never participated in a DHA-Session.|
-|1|HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED|This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.|
-|2|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED|This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.|
-|3|HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE|This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.|
-|4|HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL|Deprecated in Windows 10, version 1607.|
-|5|HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL|DHA-CSP failed to get a claim quote.|
-|6|HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY|DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.|
-|7|HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL|DHA-CSP failed in retrieving Windows AIK|
-|8|HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL|Deprecated in Windows 10, version 1607.|
-|9|HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION|Invalid TPM version (TPM version is not 1.2 or 2.0)|
-|10|HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL|Nonce was not found in the registry.|
-|11|HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL|Correlation ID was not found in the registry.|
-|12|HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL|Deprecated in Windows 10, version 1607.|
-|13|HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL|Deprecated in Windows 10, version 1607.|
-|14|HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL|Failure in Encoding functions. (Extremely unlikely scenario)|
-|15|HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL|Deprecated in Windows 10, version 1607.|
-|16|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML|DHA-CSP failed to load the payload it received from DHA-Service|
-|17|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML|DHA-CSP received a corrupted response from DHA-Service.|
-|18|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML|DHA-CSP received an empty response from DHA-Service.|
-|19|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK|DHA-CSP failed in decrypting the AES key from the EK challenge.|
-|20|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK|DHA-CSP failed in decrypting the health cert with the AES key.|
-|21|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB|DHA-CSP failed in exporting the AIK Public Key.|
-|22|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY|DHA-CSP failed in trying to create a claim with AIK attestation data.|
-|23|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB|DHA-CSP failed in appending the AIK Pub to the request blob.|
-|24|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT|DHA-CSP failed in appending the AIK Cert to the request blob.|
-|25|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE|DHA-CSP failed to obtain a Session handle.|
-|26|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE|DHA-CSP failed to connect to the DHA-Service.|
-|27|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE|DHA-CSP failed to create an HTTP request handle.|
-|28|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION|DHA-CSP failed to set options.|
-|29|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS|DHA-CSP failed to add request headers.|
-|30|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST|DHA-CSP failed to send the HTTP request.|
-|31|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE|DHA-CSP failed to receive a response from the DHA-Service.|
-|32|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS|DHA-CSP failed to query headers when trying to get HTTP status code.|
-|33|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE|DHA-CSP received an empty response from DHA-Service even though HTTP status was OK.|
-|34|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE|DHA-CSP received an empty response along with an HTTP error code from DHA-Service.|
-|35|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER|DHA-CSP failed to impersonate user.|
-|36|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR|DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.|
-|0xFFFF|HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN|DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.|
-|400|Bad_Request_From_Client|DHA-CSP has received a bad (malformed) attestation request.|
-|404|Endpoint_Not_Reachable|DHA-Service is not reachable by DHA-CSP|
+### Device HealthAttestation CSP status and error codes
+
+Error code: 0 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED  
+Error description: This is the initial state for devices that have never participated in a DHA-Session.
+
+Error code: 1 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED  
+Error description: This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
+
+Error code: 2 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED  
+Error description: This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
+
+Error code: 3 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE  
+Error description: This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.
+
+Error code: 4 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL  
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 5 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL  
+Error description: DHA-CSP failed to get a claim quote.
+
+Error code: 6 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY  
+Error description: DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
+
+Error code: 7 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL  
+Error description: DHA-CSP failed in retrieving Windows AIK
+
+Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL  
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION  
+Error description: Invalid TPM version (TPM version is not 1.2 or 2.0)
+
+Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL  
+Error description: Nonce was not found in the registry.
+
+Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL  
+Error description: Correlation ID was not found in the registry.
+
+Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL  
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 13 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL  
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 14 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL  
+Error description: Failure in Encoding functions. (Extremely unlikely scenario)
+
+Error code: 15 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL  
+Error description: Deprecated in Windows 10, version 1607.
+
+Error code: 16 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML  
+Error description: DHA-CSP failed to load the payload it received from DHA-Service
+
+Error code: 17 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML  
+Error description: DHA-CSP received a corrupted response from DHA-Service.
+
+Error code: 18 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML  
+Error description: DHA-CSP received an empty response from DHA-Service.
+
+Error code: 19 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK  
+Error description: DHA-CSP failed in decrypting the AES key from the EK challenge.
+
+Error code: 20 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK  
+Error description: DHA-CSP failed in decrypting the health cert with the AES key.
+
+Error code: 21 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB  
+Error description: DHA-CSP failed in exporting the AIK Public Key.
+
+Error code: 22 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY
+Error description: DHA-CSP failed in trying to create a claim with AIK attestation data.
+
+Error code: 23 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB
+Error description: DHA-CSP failed in appending the AIK Pub to the request blob.
+
+Error code: 24 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT
+Error description: DHA-CSP failed in appending the AIK Cert to the request blob.
+
+Error code: 25 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE
+Error description: DHA-CSP failed to obtain a Session handle.
+
+Error code: 26 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE
+Error description: DHA-CSP failed to connect to the DHA-Service.
+
+Error code: 27 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHAND
+Error description: DHA-CSP failed to create an HTTP request handle.
+
+Error code: 28 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION
+Error description: DHA-CSP failed to set options.
+
+Error code: 29 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS
+Error description: DHA-CSP failed to add request headers.
+
+Error code: 30 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST
+Error description: DHA-CSP failed to send the HTTP request.
+
+Error code: 31 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE
+Error description: DHA-CSP failed to receive a response from the DHA-Service.
+
+Error code: 32 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS
+Error description: DHA-CSP failed to query headers when trying to get HTTP status code.
+
+Error code: 33 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE
+Error description: DHA-CSP received an empty response from DHA-Service even though HTTP status was OK.
+
+Error code: 34 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE
+Error description: DHA-CSP received an empty response along with an HTTP error code from DHA-Service.
+
+Error code: 35 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER
+Error description: DHA-CSP failed to impersonate user.
+
+Error code: 36 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR
+Error description: DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.
+
+Error code: 0xFFFF | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN
+Error description: DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.
+
+Error code: 400 | Error name: Bad_Request_From_Client
+Error description: DHA-CSP has received a bad (malformed) attestation request.
+
+Error code: 404 | Error name: Endpoint_Not_Reachable
+Error description: DHA-Service is not reachable by DHA-CSP
 
 ### DHA-Report V3 schema
 
-
 ```xml
 
 
 **./Vendor/MSFT/NAP**  
 Root node.
 
@@ -113,17 +113,7 @@ Node.
 ***NAPX*/Bearer/BearerType**  
 Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi.
 
-## Related topics
-
+## Related articles
 
 [Configuration service provider reference](configuration-service-provider-reference.md)
-
  
-
- 
-
-
-
-
-
-

From 7e24feeec760be41d6011e5259c2aca28b1a3f20 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Tue, 16 Nov 2021 14:33:56 -0500
Subject: [PATCH 096/104] formatting

---
 windows/client-management/mdm/napdef-csp.md | 29 +++++----------------
 1 file changed, 6 insertions(+), 23 deletions(-)

diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 2c7ac27df6..c145824e5c 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -14,16 +14,12 @@ ms.date: 06/26/2017
 
 # NAPDEF CSP
 
-
 The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
 
-> **Note**  You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
+> [!Note]
+> You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
 > 
-> 
-> 
-> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
-
- 
+> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application. 
 
 The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
 
@@ -77,9 +73,8 @@ Specifies the protocol used to authenticate the user.
 
 The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note
 
-> **Note**  **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change.
-
- 
+> [!Note]
+> **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change. 
 
 **BEARER**  
 Specifies the type of bearer.
@@ -124,7 +119,6 @@ The name of the *NAPID* element is the same as the value passed during initial b
 
 ## Microsoft Custom Elements
 
-
 The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
 
 |Elements|Available|
@@ -134,17 +128,6 @@ The following table shows the Microsoft custom elements that this configuration
 |Nocharacteristic|Yes|
 |Characteristic-query|Yes|
 
-## Related topics
-
+## Related articles
 
 [Configuration service provider reference](configuration-service-provider-reference.md)
-
- 
-
- 
-
-
-
-
-
-

From 85e675b07aa1f3e69b3182b0a1ec47eafdb22574 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Tue, 16 Nov 2021 14:37:36 -0500
Subject: [PATCH 097/104] Fixed table formatting

---
 windows/client-management/mdm/office-csp.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index d505f71d74..280b16b2cf 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -21,7 +21,8 @@ This CSP was added in Windows 10, version 1703.
 For more information, see [Office DDF](office-ddf.md).
 
 The following shows the Office configuration service provider in tree format.
-```
+
+```console
 ./Vendor/MSFT
 Office
 ----Installation
@@ -46,6 +47,7 @@ Office
 ------------Install
 ------------Status
 ```
+
 **./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**  
 The root node for the Office configuration service provider.
                    
 
@@ -159,10 +161,8 @@ To get the current status of Office 365 on the device.
 |1460|ERROR_TIMEOUT 
                    Failed to download ODT|Failure|
 |1602|ERROR_INSTALL_USEREXIT 
                    User canceled the installation|Failure|
 |1603|ERROR_INSTALL_FAILURE
                    Failed any pre-req check.
                  • SxS (Tried to install when 2016 MSI is installed)
                  • Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
-|17000|ERROR_PROCESSPOOL_INITIALIZATION 
-Failed to start C2RClient|Failure|
-|17001|ERROR_QUEUE_SCENARIO 
-Failed to queue installation scenario in C2RClient|Failure|
+|17000|ERROR_PROCESSPOOL_INITIALIZATION 
                    Failed to start C2RClient|Failure|
+|17001|ERROR_QUEUE_SCENARIO 
                    Failed to queue installation scenario in C2RClient|Failure|
 |17002|ERROR_COMPLETING_SCENARIO 
                    Failed to complete the process. Possible reasons:
                  • Installation canceled by user
                  • Installation canceled by another installation
                  • Out of disk space during installation 
                  • Unknown language ID|Failure|
 |17003|ERROR_ANOTHER_RUNNING_SCENARIO 
                    Another scenario is running|Failure|
 |17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
                    Possible reasons:
                  • Unknown SKUs
                  • Content does't exist on CDN
                    • Such as trying to install an unsupported LAP, like zh-sg
                    • CDN issue that content is not available
                  • Signature check issue, such as failed the signature check for Office content
                  • User canceled|Failure|

From 54bbdfdd5e694f1f50a9ad423e79b90eda93b129 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Tue, 16 Nov 2021 14:50:50 -0500
Subject: [PATCH 098/104] Formatting

---
 .../mdm/oma-dm-protocol-support.md            | 94 ++++++++-----------
 1 file changed, 39 insertions(+), 55 deletions(-)

diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index e0f5141f02..0237669cbd 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -17,20 +17,6 @@ ms.date: 06/26/2017
 
 The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf).
 
-
-## In this topic
-
--   [OMA DM standards](#oma-dm-standards)
-
--   [OMA DM protocol common elements](#protocol-common-elements)
-
--   [Device management session](#device-management-session)
-
--   [User targeted vs. Device targeted configuration](#user-targeted-vs-device-targeted-configuration)
-
--   [SyncML response codes](#syncml-response-codes)
-
-
 ## OMA DM standards
 
 The following table shows the OMA DM standards that Windows uses.
@@ -39,11 +25,11 @@ The following table shows the OMA DM standards that Windows uses.
 |--- |--- |
 |Data transport and session|
                  • Client-initiated remote HTTPS DM session over SSL.
                  • Remote HTTPS DM session over SSL.
                  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
                  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
 |Bootstrap XML|OMA Client Provisioning XML.|
-|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                  • Add (Implicit Add supported)
                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                  • Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                  • Exec: Invokes an executable on the client device
                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                  • Replace: Overwrites data on the client device
                  • Result: Returns the data results of a Get command to the DM server
                  • Sequence: Specifies the order in which a group of commands must be processed
                  • Status: Indicates the completion status (success or failure) of an operation
                    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                  • SyncBody
                  • Atomic
                  • Sequence
                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
                    If Atomic elements are nested, the following status codes are returned:
                  • The nested Atomic command returns 500.
                  • The parent Atomic command returns 507.
                    For more information about the Atomic command, see OMA DM protocol common elements.
                    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
                    LocURI cannot start with "/".
                    Meta XML tag in SyncHdr is ignored by the device.|
+|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
                  • Add (Implicit Add supported)
                  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
                  • Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
                  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
                  • Exec: Invokes an executable on the client device
                  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
                  • Replace: Overwrites data on the client device
                  • Result: Returns the data results of a Get command to the DM server
                  • Sequence: Specifies the order in which a group of commands must be processed
                  • Status: Indicates the completion status (success or failure) of an operation

                    If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
                  • SyncBody
                  • Atomic
                  • Sequence

                    If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

                    If Atomic elements are nested, the following status codes are returned:
                  • The nested Atomic command returns 500.
                  • The parent Atomic command returns 507.

                    For more information about the Atomic command, see OMA DM protocol common elements.
                    Performing an Add command followed by Replace on the same node within an Atomic element is not supported.

                    LocURI cannot start with `/`.

                    Meta XML tag in SyncHdr is ignored by the device.|
 |OMA DM standard objects|DevInfo
                  • DevDetail
                  • OMA DM DMS account objects (OMA DM version 1.2)|
 |Security|
                  • Authenticate DM server initiation notification SMS message (not used by enterprise management)
                  • Application layer Basic and MD5 client authentication
                  • Authenticate server with MD5 credential at application level
                  • Data integrity and authentication with HMAC at application level
                  • SSL level certificate-based client/server authentication, encryption, and data integrity check|
-|Nodes|In the OMA DM tree, the following rules apply for the node name:
                  • "" can be part of the node name.
                  • The node name cannot be empty.
                  • The node name cannot be only the asterisk (*) character.|
-|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
                    If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                    **Note**
                    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                    |
+|Nodes|In the OMA DM tree, the following rules apply for the node name:
                  • "." can be part of the node name.
                  • The node name cannot be empty.
                  • The node name cannot be only the asterisk (*) character.|
+|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).

                    If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
                    **Note**
                    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
                    |
 |WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
 |Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
 
@@ -86,17 +72,25 @@ A DM session can be divided into two phases:
 1.  **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table.
 2.  **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table.
 
-The following table shows the sequence of events during a typical DM session.
+The following information shows the sequence of events during a typical DM session.
 
-|Step|Action|Description|
-|--- |--- |--- |
-|1|DM client is invoked to call back to the management server

                    Enterprise scenario – The device task schedule invokes the DM client.|The MO server sends a server trigger message to invoke the DM client.

                    The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

                    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.|
-|2|The device sends a message, over an IP connection, to initiate the session.|This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.|
-|3|The DM server responds, over an IP connection (HTTPS).|The server sends initial device management commands, if any.|
-|4|The device responds to server management commands.|This message includes the results of performing the specified device management operations.|
-|5|The DM server terminates the session or sends another command.|The DM session ends, or Step 4 is repeated.|
+1. DM client is invoked to call back to the management server

                    Enterprise scenario – The device task schedule invokes the DM client.
 
-The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
+    The MO server sends a server trigger message to invoke the DM client.
+
+    The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

                    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
+
+2. The device sends a message, over an IP connection, to initiate the session.
+
+    This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
+
+3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any.
+
+4. The device responds to server management commands. This message includes the results of performing the specified device management operations.
+
+5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated.
+
+The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
 
 During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started.
 
@@ -117,7 +111,7 @@ The data part of this alert could be one of following strings:
 
 Below is an alert example:
 
-```
+```xml
 
         1
         1224
@@ -143,37 +137,27 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
 
 When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.
 
-| Status code | Description                                                                                                                                                                                                                       |
-|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 200         | The SyncML command completed successfully.                                                                                                                                                                                        |
-| 202         | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application.                                                                                                |
+| Status code | Description |
+|---|----|
+| 200         | The SyncML command completed successfully.  |
+| 202         | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application.  |
 | 212         | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. |
-| 214         | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session.                                                                                                        |
-| 215         | Not executed. A command was not executed as a result of user interaction to cancel the command.                                                                                                                                   |
-| 216         | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully.                                                                                                   |
-| 400         | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed.                                             |
-| 401         | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error.                                                                              |
-| 403         | Forbidden. The requested command failed, but the recipient understood the requested command.                                                                                                                                      |
-| 404         | Not found. The requested target was not found. This code will be generated if you query a node that does not exist.                                                                                                               |
-| 405         | Command not allowed. This respond code will be generated if you try to write to a read-only node.                                                                                                                                 |
-| 406         | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support.                                                                                                |
-| 415         | Unsupported type or format. This response code can result from XML parsing or formatting errors.                                                                                                                                  |
-| 418         | Already exists. This response code occurs if you attempt to add a node that already exists.                                                                                                                                       |
-| 425         | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code.                 |
+| 214         | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. |
+| 215         | Not executed. A command was not executed as a result of user interaction to cancel the command.  |
+| 216         | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully.  |
+| 400         | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed.  |
+| 401         | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error.  |
+| 403         | Forbidden. The requested command failed, but the recipient understood the requested command.  |
+| 404         | Not found. The requested target was not found. This code will be generated if you query a node that does not exist.   |
+| 405         | Command not allowed. This respond code will be generated if you try to write to a read-only node.  |
+| 406         | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support.  |
+| 415         | Unsupported type or format. This response code can result from XML parsing or formatting errors.  |
+| 418         | Already exists. This response code occurs if you attempt to add a node that already exists.  |
+| 425         | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code.  |
 | 500         | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code.       |
-| 507         | `Atomic` failed. One of the operations in an `Atomic` block failed.                                                                                                                                                               |
-| 516         | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully.                                                                                                                         |
-
-
+| 507         | `Atomic` failed. One of the operations in an `Atomic` block failed.  |
+| 516         | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully.  |
 
 ## Related topics
 
 [Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
-
-
-
-
-

From 39f6b3841b9e677b9cc2db78780bea409f495251 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Tue, 16 Nov 2021 15:33:52 -0500
Subject: [PATCH 099/104] Fixed note, important

---
 windows/client-management/mdm/hotspot-csp.md | 33 +++++++++-----------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index ab23f17606..897e8ee489 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -17,13 +17,10 @@ ms.date: 06/26/2017
 
 The HotSpot configuration service provider is used to configure and enable Internet sharing on the device, in which the device can be configured to share its cellular connection over Wi-Fi with up to eight client devices or computers.
 
-> **Note**  HotSpot CSP is only supported in Windows 10 Mobile.
+> [!Note]
+> HotSpot CSP is only supported in Windows 10 Mobile.
 > 
-> 
-> 
-> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.
-
- 
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application. 
 
 The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
 
@@ -62,8 +59,8 @@ By default, any available connection will be used as a public connection. Howeve
 
 Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
 
-> **Note**   The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
-
+> [!Note]
+> The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
  
 
 If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
@@ -77,9 +74,8 @@ If a CDMA mobile operator requires using a Tethering NAI during Internet sharing
 
 Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
 
-> **Note**   The mapping policy will also include the connections specified in the **DedicatedConnections** as well.
-
- 
+> [!Note]
+> The mapping policy will also include the connections specified in the **DedicatedConnections** as well. 
 
 If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
 
@@ -109,8 +105,8 @@ Optional. Reference to a localized string, provided by the mobile operator, that
 
 Where `` is the path to the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](/windows/win32/intl/using-registry-string-redirection) on MSDN.
 
-> **Note**  MOAppLink is required to use the MOHelpMessage setting.
-
+> [!Note]
+> MOAppLink is required to use the MOHelpMessage setting.
  
 
 **EntitlementRequired**
@@ -137,14 +133,14 @@ Optional. The time-out value, in minutes, after which Internet sharing is automa
 Changes to this node require a reboot.
 
 **MinWifiKeyLength**
-> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
 
- 
+> [!Important]
+> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8. 
 
 **MinWifiSSIDLength**
-> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
 
- 
+> [!Important]
+> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1. 
 
 ## Additional requirements for CDMA networks
 
@@ -169,7 +165,8 @@ For CDMA networks that use a separate Network Access Identity (NAI) for Internet
 
 ```
 
-> **Note**  CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
+> [!Note]
+> CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
 
  
 

From 9626a68f2a63ef2e76f3e1decfc4408ab765abc5 Mon Sep 17 00:00:00 2001
From: Mandi Ohlinger 
Date: Tue, 16 Nov 2021 15:50:40 -0500
Subject: [PATCH 100/104] Removed error messages into bullets

---
 .../mdm/mobile-device-enrollment.md           | 99 +++++++++++++++----
 1 file changed, 80 insertions(+), 19 deletions(-)

diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 8b9380767e..149069b97b 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -110,15 +110,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
 
 ```
 
-|Namespace|Subcode|Error|Description|HRESULT|
-|--- |--- |--- |--- |--- |
-|s:|MessageFormat|MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|Invalid message from the Mobile Device Management (MDM) server.|80180001|
-|s:|Authentication|MENROLL_E_DEVICE_AUTHENTICATION_ERROR|The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.|80180002|
-|s:|Authorization|MENROLL_E_DEVICE_AUTHORIZATION_ERROR|The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.|80180003|
-|s:|CertificateRequest|MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR|The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.|80180004|
-|s:|EnrollmentServer|MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.|80180005|
-|a:|InternalServiceFault|MENROLL_E_DEVICE_INTERNALSERVICE_ERROR|There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.|80180006|
-|a:|InvalidSecurity|MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.|80180007|
+**Sample error messages**
+
+- **Namespace**: `s:`
+  - **Subcode**: MessageFormat
+  - **Error**: MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
+  - **Description**: Invalid message from the Mobile Device Management (MDM) server.
+  - **HRESULT**: 80180001
+
+- **Namespace**: `s:`
+  - **Subcode**: Authentication
+  - **Error**: MENROLL_E_DEVICE_AUTHENTICATION_ERROR
+  - **Description**: The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.
+  - **HRESULT**: 80180002
+
+- **Namespace**: `s:`
+  - **Subcode**: Authorization
+  - **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR
+  - **Description**: The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.
+  - **HRESULT**: 80180003
+
+- **Namespace**: `s:`
+  - **Subcode**: CertificateRequest
+  - **Error**: MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR
+  - **Description**: The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.
+  - **HRESULT**: 80180004
+
+- **Namespace**: `s:`
+  - **Subcode**: EnrollmentServer
+  - **Error**: MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
+  - **Description**: The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.
+  - **HRESULT**: 80180005
+
+- **Namespace**: `a:`
+  - **Subcode**: InternalServiceFault
+  - **Error**: MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
+  - **Description**: There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.
+  - **HRESULT**: 80180006
+
+- **Namespace**: `a:`
+  - **Subcode**: InvalidSecurity
+  - **Error**: MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
+  - **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.
+  - **HRESULT**: 80180007
 
 In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example:
 
@@ -152,15 +186,42 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
 
 ```
 
-|Subcode|Error|Description|HRESULT|
-|--- |--- |--- |--- |
-|DeviceCapReached|MENROLL_E_DEVICECAPREACHED|The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.|80180013|
-|DeviceNotSupported|MENROLL_E_DEVICENOTSUPPORTED|The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.|80180014|
-|NotSupported|MENROLL_E_NOT_SUPPORTED|Mobile Device Management (MDM) is generally not supported for this device.|80180015|
-|NotEligibleToRenew|MENROLL_E_NOTELIGIBLETORENEW|The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.|80180016|
-|InMaintenance|MENROLL_E_INMAINTENANCE|The Mobile Device Management (MDM) server states your account is in maintenance, try again later.|80180017|
-|UserLicense|MENROLL_E_USER_LICENSE|There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.|80180018|
-|InvalidEnrollmentData|MENROLL_E_ENROLLMENTDATAINVALID|The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.|80180019|
+**Sample error messages**
+
+- **Subcode**: DeviceCapReached
+  - **Error**: MENROLL_E_DEVICECAPREACHED
+  - **Description**: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.
+  - **HRESULT**: 80180013
+
+- **Subcode**: DeviceNotSupported
+  - **Error**: MENROLL_E_DEVICENOTSUPPORTED
+  - **Description**: The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.
+  - **HRESULT**: 80180014
+
+- **Subcode**: NotSupported
+  - **Error**: MENROLL_E_NOT_SUPPORTED
+  - **Description**: Mobile Device Management (MDM) is generally not supported for this device.
+  - **HRESULT**: 80180015
+
+- **Subcode**: NotEligibleToRenew
+  - **Error**: MENROLL_E_NOTELIGIBLETORENEW
+  - **Description**: The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.
+  - **HRESULT**: 80180016
+
+- **Subcode**: InMaintenance
+  - **Error**: MENROLL_E_INMAINTENANCE
+  - **Description**: The Mobile Device Management (MDM) server states your account is in maintenance, try again later.
+  - **HRESULT**: 80180017
+
+- **Subcode**: UserLicense
+  - **Error**: MENROLL_E_USER_LICENSE
+  - **Description**: There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.
+  - **HRESULT**: 80180018
+
+- **Subcode**: InvalidEnrollmentData
+  - **Error**: MENROLL_E_ENROLLMENTDATAINVALID
+  - **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.
+  - **HRESULT**: 80180019
 
 TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
 
@@ -169,4 +230,4 @@ TraceID is a freeform text node which is logged. It should identify the server s
 -   [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
 -   [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
 -   [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
--   [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
\ No newline at end of file
+-   [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)

From 0af883e11c7f5f9169cc8dfd33945d17659a2d18 Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Tue, 16 Nov 2021 14:07:27 -0800
Subject: [PATCH 101/104] Changed label on code block

---
 windows/client-management/mdm/healthattestation-csp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 3f2e38b93b..83e90a87ec 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -640,7 +640,7 @@ Validate that both the MDM server and the device (MDM client) can access has.sps
 
 You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service:
 
-```powershell
+```console
 PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443
 CONNECTED(000001A8)
 ---

From f1e0f7da406b1e1f5b28d1d8325fcf54a8a36d27 Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Tue, 16 Nov 2021 14:07:54 -0800
Subject: [PATCH 102/104] Added image border via newer style image ref

---
 .../mdm/implement-server-side-mobile-application-management.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 65f11b56b4..6313e10ef7 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat
 
 MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  
 
-![Mobile application management app.](images/implement-server-side-mobile-application-management.png)
+:::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png":::
 
 MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  
 

From 51833ec1f98955d11e1843ec9ff12bf7236a3439 Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Tue, 16 Nov 2021 14:09:27 -0800
Subject: [PATCH 103/104] Decreased indentation of code block's contents

---
 .../mdm/oma-dm-protocol-support.md            | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index 0237669cbd..893ac1e192 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -113,16 +113,16 @@ Below is an alert example:
 
 ```xml
 
-        1
-        1224
-        
-            
-                com.microsoft/MDM/LoginStatus
-                chr
-            
-            user
-        
-    
+    1
+    1224
+    
+        
+            com.microsoft/MDM/LoginStatus
+            chr
+        
+        user
+    
+
 ```
 
 The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management node’s LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration.

From fc8653be3cda76508c4f35ec2f8c0aa30ccf98f8 Mon Sep 17 00:00:00 2001
From: Gary Moore 
Date: Tue, 16 Nov 2021 14:11:00 -0800
Subject: [PATCH 104/104] Acrolinx: "AD integrated" as an adjective

---
 .../implement-server-side-mobile-application-management.md  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 6313e10ef7..396d3ea018 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -18,11 +18,11 @@ The Windows version of mobile application management (MAM) is a lightweight solu
 
 ## Integration with Azure AD
 
-MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  
+MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  
 
-MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.  
+MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.  
 
-On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.  
+On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.  
 
 Regular non-admin users can enroll to MAM.