cleaning up note/important/tip/warning formatting for markdig engine conformance

This commit is contained in:
Liza Poggemeyer 2019-06-07 15:48:27 -07:00
parent a9bbc179f0
commit d495de72a5
100 changed files with 218 additions and 218 deletions

View File

@ -18,7 +18,7 @@ ms.topic: article
You can use the package converter utility to upgrade virtual application packages created by previous versions of App-V. This section will tell you how to convert existing virtual application packages for upgrade. You can use the package converter utility to upgrade virtual application packages created by previous versions of App-V. This section will tell you how to convert existing virtual application packages for upgrade.
>[!NOTE] >[!NOTE]
>If you are running a computer with a 64-bit architecture, you must use the x86 version of Windows PowerShell. >If you are running a computer with a 64-bit architecture, you must use the x86 version of Windows PowerShell.
The package converter can only directly convert packages created by an App-V sequencer version 4.5 or later. Packages created with an App-V version earlier than 4.5 must be upgraded to at least App-V 4.5 before conversion. The package converter can only directly convert packages created by an App-V sequencer version 4.5 or later. Packages created with an App-V version earlier than 4.5 must be upgraded to at least App-V 4.5 before conversion.

View File

@ -41,7 +41,7 @@ Before you can deploy the upgrade, make sure you import the new version of the a
4. Click **Add**, browse to the existing (older) version of the app that you're upgrading, and then click **OK**. 4. Click **Add**, browse to the existing (older) version of the app that you're upgrading, and then click **OK**.
5. Under **New Deployment Type** select the new version of the app. (When you imported the new version, it comes in as a new deployment type. If you're upgrading a Universal application, you'll see only one type here.) 5. Under **New Deployment Type** select the new version of the app. (When you imported the new version, it comes in as a new deployment type. If you're upgrading a Universal application, you'll see only one type here.)
![Create a supersedence rule for the new version of the app](media/app-upgrade-supersede-deploy-type.png) ![Create a supersedence rule for the new version of the app](media/app-upgrade-supersede-deploy-type.png)
> [!IMPORTANT] > [!IMPORTANT]
> Do **NOT** select **Uninstall**. This tells Configuration Manager to uninstall the old version, but it does **NOT** then install the new version. > Do **NOT** select **Uninstall**. This tells Configuration Manager to uninstall the old version, but it does **NOT** then install the new version.
6. Click **OK**. 6. Click **OK**.

View File

@ -41,7 +41,7 @@ Policy paths:
The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
>[!NOTE] >[!NOTE]
> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string. > When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
Here are some examples: Here are some examples:
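Review bot: the bold label **Settings Page Visiblity** in the first paragraph of this hunk is misspelled; the note two lines later spells the same policy textbox as "Settings Page Visibility", so the two should agree. Since the line is already being touched, change it to `**Settings Page Visibility**`.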

View File

@ -54,7 +54,7 @@ First, you create a default user profile with the customizations that you want,
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. 1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
> [!NOTE] > [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. 2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.

View File

@ -16,7 +16,7 @@ manager: dansimp
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803. AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
> [!Note] > [!NOTE]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition. > The AccountManagement CSP is only supported in Windows Holographic for Business edition.
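Review bot: "is used to configure setting in the Account Manager service" in the intro sentence of this hunk should read "configure settings"; the line is in the hunk's context, so it is cheap to fix here rather than in a follow-up.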

View File

@ -35,7 +35,7 @@ Defines the root node for the AppLocker configuration service provider.
<a href="" id="applicationlaunchrestrictions"></a>**ApplicationLaunchRestrictions** <a href="" id="applicationlaunchrestrictions"></a>**ApplicationLaunchRestrictions**
Defines restrictions for applications. Defines restrictions for applications.
> [!NOTE] > [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
> >
> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. > In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps.
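Review bot: the second paragraph of the note has a number-agreement error, "the settings app that rely on splash apps are blocked"; it should be "the settings apps that rely on splash apps are blocked" (or "the settings app that relies on ... is blocked"). The anchor text is part of a link, so keep the bracketed span and the `#settingssplashapps` target intact when editing.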

View File

@ -17,7 +17,7 @@ manager: dansimp
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro. The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
> [!Note] > [!NOTE]
> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. > Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
> You must send all the settings together in a single SyncML to be effective. > You must send all the settings together in a single SyncML to be effective.
@ -167,7 +167,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul> </ul>
> [!Tip] > [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p> <p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
@ -193,7 +193,7 @@ The following diagram shows the BitLocker configuration service provider in tree
- 6 = XTS-AES 128 - 6 = XTS-AES 128
- 7 = XTS-AES 256 - 7 = XTS-AES 256
> [!Note] > [!NOTE]
> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status. > When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
<p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p> <p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p>
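Review bot: "encrytion" in the example sentence of the note ("if you only set the encrytion method for the OS and removable drives") is a typo for "encryption"; the note line is already in the hunk, so correct it in this commit.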
@ -245,26 +245,26 @@ The following diagram shows the BitLocker configuration service provider in tree
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul> </ul>
> [!Tip] > [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p> <p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
> [!Note] > [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs. > Only one of the additional authentication options can be required at startup, otherwise an error occurs.
<p style="margin-left: 20px">If you want to use BitLocker on a computer without a TPM, set the &quot;ConfigureNonTPMStartupKeyUsage_Name&quot; data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.</p> <p style="margin-left: 20px">If you want to use BitLocker on a computer without a TPM, set the &quot;ConfigureNonTPMStartupKeyUsage_Name&quot; data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.</p>
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p> <p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
> [!Note] > [!NOTE]
> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits. > In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p> <p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p> <p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
> [!Note] > [!NOTE]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p> <p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
@ -342,12 +342,12 @@ The following diagram shows the BitLocker configuration service provider in tree
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul> </ul>
> [!Tip] > [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p> <p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
> [!Note] > [!NOTE]
> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. > In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
> >
>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2. >In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.
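Review bot: the paragraph above the note states the startup PIN "must have a minimum length of 6 digits", while the note immediately below says a 4-digit minimum is allowed from version 1703 release B; phrase the paragraph as "has a default minimum length of 6 digits" so the two do not contradict each other. Also, the last note line starts with `>In TPM 2.0` without the space after `>` used on every other note line in this file; normalise it to `> In TPM 2.0` while the block is being cleaned up.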
@ -411,7 +411,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul> </ul>
> [!Tip] > [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. <p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
@ -437,7 +437,7 @@ The following diagram shows the BitLocker configuration service provider in tree
- 'yy' = string of max length 900. - 'yy' = string of max length 900.
- 'zz' = string of max length 500. - 'zz' = string of max length 500.
> [!Note] > [!NOTE]
> When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status. > When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p> <p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
@ -457,7 +457,7 @@ The following diagram shows the BitLocker configuration service provider in tree
</Replace> </Replace>
``` ```
> [!Note] > [!NOTE]
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. > Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p> <p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
@ -492,7 +492,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul> </ul>
> [!Tip] > [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p> <p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
@ -589,7 +589,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul> </ul>
> [!Tip] > [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p> <p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
@ -687,7 +687,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul> </ul>
> [!Tip] > [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p> <p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
@ -749,7 +749,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li> <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul> </ul>
> [!Tip] > [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p> <p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
@ -795,7 +795,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.</p> <p style="margin-left: 20px">Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.</p>
> [!Important] > [!IMPORTANT]
> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview). > Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
> [!Warning] > [!Warning]
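Review bot: `> [!Warning]` on the last context line of this hunk is left in mixed case even though the commit's purpose is to uppercase these markers; it should become `> [!WARNING]` in the same change, otherwise this one callout will still fail the markdig conformance the commit message describes.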
@ -855,7 +855,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption** <a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account. Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
> [!Note] > [!NOTE]
> This policy is only supported in Azure AD accounts. > This policy is only supported in Azure AD accounts.
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
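Review bot: the sentence before the note, "for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account", is missing articles and is hard to parse; suggest "for scenarios where the policy is pushed while the currently logged-on user is a non-admin (standard) Azure AD account". In the line after the note, "i.e," should be "i.e.,".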

View File

@ -188,7 +188,7 @@ Value type is string. Supported operation is Get.
<a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData** <a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData**
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device. <p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!Note] > [!NOTE]
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information. > This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
<p style="margin-left: 20px">Supported operation is Get. <p style="margin-left: 20px">Supported operation is Get.
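Review bot: the two `<p style="margin-left: 20px">` elements in this hunk (the "Added in Windows 10 version 1703" paragraph and "Supported operation is Get.") have no closing `</p>`, unlike the other paragraphs in this file which close the tag; add `</p>` to both so the HTML stays well-formed after the note is rendered between them.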

View File

@ -61,7 +61,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
In this example you configure **Enable App-V Client** to **Enabled**. In this example you configure **Enable App-V Client** to **Enabled**.
> [!Note] > [!NOTE]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. > The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
``` syntax ``` syntax
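Review bot: the fenced block that follows the note is tagged `syntax`, which is not a language identifier markdig will recognise, so the SyncML sample will not get highlighting; tag it `xml` instead. The same tag is used on the second example in this file (the `AppVirtualization/PublishingAllowServer2` hunk), so both fences should be changed together.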
@ -223,7 +223,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
Here is the example for **AppVirtualization/PublishingAllowServer2**: Here is the example for **AppVirtualization/PublishingAllowServer2**:
> [!Note] > [!NOTE]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. > The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
``` syntax ``` syntax

View File

@ -21,7 +21,7 @@ Requirements:
- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md) - The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md)
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
> [!Tip] > [!TIP]
> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) > [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line. To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
@ -32,7 +32,7 @@ Here is a partial screenshot of the result:
The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
> [!Note] > [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
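Review bot: the context line "The auto-enrollment relies of the presence of an MDM service" should read "relies on the presence"; since the marker line directly above it is being touched in this hunk, fix the typo in the same change. In the same line, "a Windows PC that is domain joined" is hyphenated as "domain-joined" in the NOTE body two lines later, so pick one form.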
@ -109,7 +109,7 @@ Requirements:
- Enterprise AD must be integrated with Azure AD. - Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group. - Ensure that PCs belong to same computer group.
>[!IMPORTANT] >[!IMPORTANT]
>If you do not see the policy, it may be because you dont have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps: >If you do not see the policy, it may be because you dont have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps:
> 1. Download: > 1. Download:
> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/en-us/download/details.aspx?id=56880) or > 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/en-us/download/details.aspx?id=56880) or
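Review bot: `>[!IMPORTANT]` in this hunk has no space after `>`, while every other alert marker in this commit is normalized to the `> [!IMPORTANT]` form; align it here too. The body line also lost its apostrophe in "you dont have the ADMX installed" (should be "don't").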

View File

@ -41,7 +41,7 @@ Supported operations are Add, Delete, Get and Replace.
The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML. The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML.
> [!IMPORTANT]    > [!IMPORTANT]  
> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability. > When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability.
When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters. When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters.
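Review bot: the `> [!IMPORTANT]` marker line keeps trailing whitespace (what look like non-breaking spaces) after the bracket on both sides of the diff. Whether or not the renderer tolerates that, a marker-conformance pass is the right place to strip it so the alert line ends cleanly like the other files in this commit.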

View File

@ -71,7 +71,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.
<a href="" id="settings-allowuserdecryption"></a>**Settings/AllowUserDecryption** <a href="" id="settings-allowuserdecryption"></a>**Settings/AllowUserDecryption**
<p style="margin-left: 20px">Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. <p style="margin-left: 20px">Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences.
> [!Important] > [!IMPORTANT]
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. > Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
<p style="margin-left: 20px">The following list shows the supported values: <p style="margin-left: 20px">The following list shows the supported values:

View File

@ -16,7 +16,7 @@ ms.date: 12/05/2017
The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider. The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider.
> [!Important] > [!IMPORTANT]
> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. > Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).

View File

@ -167,7 +167,7 @@ Supported operations are Get and Delete.
<a href="" id="appmanagement-releasemanagement"></a>**AppManagement/AppStore/ReleaseManagement** <a href="" id="appmanagement-releasemanagement"></a>**AppManagement/AppStore/ReleaseManagement**
Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization.
> [!Note] > [!NOTE]
> ReleaseManagement settings only apply to updates through the Microsoft Store. > ReleaseManagement settings only apply to updates through the Microsoft Store.
<a href="" id="appmanagement-releasemanagement-releasemanagementkey"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_** <a href="" id="appmanagement-releasemanagement-releasemanagementkey"></a>**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
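Review bot: the context line above the marker reads "Interior node for the managing updates through the Microsoft Store"; drop "the" ("for managing updates") while this hunk is being edited.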

View File

@ -15,7 +15,7 @@ manager: dansimp
The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703. The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
> [!Note] > [!NOTE]
> In Windows 10 Mobile, the NetworkProxy CSP only works in ethernet connections. Use the WiFi CSP to configure per-network proxy for Wi-Fi connections in mobile devices. > In Windows 10 Mobile, the NetworkProxy CSP only works in ethernet connections. Use the WiFi CSP to configure per-network proxy for Wi-Fi connections in mobile devices.
How the settings work: How the settings work:
@ -40,7 +40,7 @@ Added in Windows 10, version 1803. When set to 0, it enables proxy configuration
Supported operations are Add, Get, Replace, and Delete. Supported operations are Add, Get, Replace, and Delete.
> [!Note] > [!NOTE]
> Per user proxy configuration setting is not supported. > Per user proxy configuration setting is not supported.
<a href="" id="autodetect"></a>**AutoDetect** <a href="" id="autodetect"></a>**AutoDetect**

View File

@ -741,7 +741,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-cryptography.md#cryptographyallowfipsalgorithmpolicy" id="CryptographyAllowFipsAlgorithmPolicy">Cryptography/AllowFipsAlgorithmPolicy</a> <a href="./policy-csp-cryptography.md#cryptographyallowfipsalgorithmpolicy" id="CryptographyAllowFipsAlgorithmPolicy">Cryptography/AllowFipsAlgorithmPolicy</a>
</dd> </dd>
<dd> <dd>
<a href="./policy-csp-cryptography.md#cryptography-tlsciphersuites" id="cryptography-tlsciphersuites">Cryptography/TLSCipherSuites</a> <a href="./policy-csp-cryptography.md#cryptographytlsciphersuites" id="cryptographytlsciphersuites">Cryptography/TLSCipherSuites</a>
</dd> </dd>
</dl> </dl>
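Review bot: the `href` and `id` change to `cryptographytlsciphersuites` only works if policy-csp-cryptography.md has a heading whose generated fragment is exactly that string; verify the target anchor rather than assuming the slug. Note also that the sibling entry two lines up pairs `href="...#cryptographyallowfipsalgorithmpolicy"` (lowercase) with `id="CryptographyAllowFipsAlgorithmPolicy"` (mixed case), so the `id` convention inside this `<dl>` is already inconsistent; consider settling on one casing for both entries in the same change.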
@ -5244,7 +5244,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Camera/AllowCamera](#camera-allowcamera) - [Camera/AllowCamera](#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) - [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptographyallowfipsalgorithmpolicy) - [Cryptography/AllowFipsAlgorithmPolicy](#cryptographyallowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) - [Cryptography/TLSCipherSuites](#cryptographytlsciphersuites)
- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) - [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) - [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
- [Defender/AllowCloudProtection](#defender-allowcloudprotection) - [Defender/AllowCloudProtection](#defender-allowcloudprotection)
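Review bot: the fragment change to `#cryptographytlsciphersuites` is consistent with the `<dl>` id change in the previous hunk and with the `#cryptographyallowfipsalgorithmpolicy` pattern on the line above it, but both links now depend on the same heading anchor existing in policy-csp-cryptography.md; if that heading still slugs to `cryptography-tlsciphersuites`, this hunk breaks two links instead of fixing one.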

View File

@ -600,7 +600,7 @@ For this policy to work, the Windows apps need to declare in their manifest that
</desktop:Extension> </desktop:Extension>
``` ```
> [!Note] > [!NOTE]
> This policy only works on modern apps. > This policy only works on modern apps.
<!--/Description--> <!--/Description-->

View File

@ -456,7 +456,7 @@ ADMX Info:
<!--Description--> <!--Description-->
This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk. This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
> [!Note] > [!NOTE]
> Any property changes to the job or any successful download action will reset this timeout. > Any property changes to the job or any successful download action will reset this timeout.
Value type is integer. Default is 90 days. Value type is integer. Default is 90 days.

View File

@ -3807,7 +3807,7 @@ Most restricted value: 0
[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<!--/Description--> <!--/Description-->

View File

@ -66,7 +66,7 @@ manager: dansimp
<!--Description--> <!--Description-->
Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
> [!Note] > [!NOTE]
> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. > MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
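Review bot: the context line after the note is missing a word: "if this policy value is set 1" should be "set to 1", and "configured on MDM channel" reads better as "on the MDM channel".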

View File

@ -1244,7 +1244,7 @@ If this setting is on, Windows Defender Antivirus will be more aggressive when i
For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
> [!Note] > [!NOTE]
> This feature requires the "Join Microsoft MAPS" setting enabled in order to function. > This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
<!--/Description--> <!--/Description-->
@ -1315,7 +1315,7 @@ The typical cloud check timeout is 10 seconds. To enable the extended cloud chec
For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
> [!Note] > [!NOTE]
> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required". > This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required".
<!--/Description--> <!--/Description-->
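Review bot: the NOTE body has two defects worth fixing alongside the marker: "three other MAPS settings the must all be enabled-" should read "that must all be enabled:", and the first quoted setting name is never closed (`"Configure the 'Block at First Sight' feature;` lacks its closing `"` before the semicolon).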

View File

@ -73,7 +73,7 @@ Device memory sandboxing allows the OS to leverage the I/O Memory Management Uni
This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe.
> [!Note] > [!NOTE]
> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. > This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices.
Supported values: Supported values:

View File

@ -2227,7 +2227,7 @@ Value - A number indicating the zone with which this site should be associated f
If you disable or do not configure this policy, users may choose their own site-to-zone assignments. If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
> [!Note] > [!NOTE]
> This policy is a list that contains the site and index value. > This policy is a list that contains the site and index value.
The list is a set of pairs of strings. Each string is seperated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. The list is a set of pairs of strings. Each string is seperated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below.
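Review bot: "Each string is seperated by F000" in the context line after the note should be "separated".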

View File

@ -88,7 +88,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
<!--Description--> <!--Description-->
Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
> [!Note] > [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store. > This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description--> <!--/Description-->
@ -134,7 +134,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL
<!--Description--> <!--Description-->
Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
> [!Note] > [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store. > This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description--> <!--/Description-->
@ -180,7 +180,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s
<!--Description--> <!--Description-->
Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart. Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart.
> [!Note] > [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store. > This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description--> <!--/Description-->
@ -269,7 +269,7 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki
<!--Description--> <!--Description-->
Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
> [!Note] > [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store. > This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description--> <!--/Description-->
@ -315,7 +315,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
<!--Description--> <!--Description-->
Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back). Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back).
> [!Note] > [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store. > This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description--> <!--/Description-->
@ -363,7 +363,7 @@ Added in Windows 10, version 1803. Amount of time in minutes the session is idle
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
> [!Note] > [!NOTE]
> This policy only applies to the Kiosk Browser app in Microsoft Store. > This policy only applies to the Kiosk Browser app in Microsoft Store.
<!--/Description--> <!--/Description-->

View File

@ -692,7 +692,7 @@ GP Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!Warning] > [!WARNING]
> Starting in the version 1809 of Windows, this policy is deprecated. > Starting in the version 1809 of Windows, this policy is deprecated.
Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt or sign secure channel data (always)
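Review bot: the WARNING body "Starting in the version 1809 of Windows, this policy is deprecated" (repeated in the two hunks that follow) does not match the "Starting in Windows 10, version NNNN" wording used by the other IMPORTANT and NOTE bodies in this commit; since all three marker lines are being edited, normalize the phrasing at the same time.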
@ -762,7 +762,7 @@ GP Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!Warning] > [!WARNING]
> Starting in the version 1809 of Windows, this policy is deprecated. > Starting in the version 1809 of Windows, this policy is deprecated.
Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally encrypt secure channel data (when possible)
@ -829,7 +829,7 @@ GP Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!Warning] > [!WARNING]
> Starting in the version 1809 of Windows, this policy is deprecated. > Starting in the version 1809 of Windows, this policy is deprecated.
Domain member: Disable machine account password changes Domain member: Disable machine account password changes

View File

@ -81,7 +81,7 @@ If you disable or do not configure this policy setting, the client computer will
No reboots or service restarts are required for this policy setting to take effect. No reboots or service restarts are required for this policy setting to take effect.
> [!Warning] > [!WARNING]
> This policy is designed for zero exhaust. This policy may cause some MDM processes to break because WNS notification is used by the MDM server to send real time tasks to the device, such as remote wipe, unenroll, remote find, and mandatory app installation. When this policy is set to disallow WNS, those real time processes will no longer work and some time-sensitive actions such as remote wipe when the device is stolen or unenrollment when the device is compromised will not work. > This policy is designed for zero exhaust. This policy may cause some MDM processes to break because WNS notification is used by the MDM server to send real time tasks to the device, such as remote wipe, unenroll, remote find, and mandatory app installation. When this policy is set to disallow WNS, those real time processes will no longer work and some time-sensitive actions such as remote wipe when the device is stolen or unenrollment when the device is compromised will not work.
<!--/Description--> <!--/Description-->
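Review bot: "real time tasks", "real time processes" and "time-sensitive actions" sit in the same WARNING body; hyphenate "real-time" for consistency with "time-sensitive" while the marker line is being touched.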

View File

@ -318,7 +318,7 @@ manager: dansimp
<!--Description--> <!--Description-->
Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
> [!Note] > [!NOTE]
> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. > There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.

View File

@ -444,7 +444,7 @@ This MDM setting corresponds to the EnableFontProviders Group Policy setting. If
This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
> [!Note] > [!NOTE]
> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. > Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
<!--/Description--> <!--/Description-->
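Review bot: the context line above the note has "fond handling" (should be "font handling") and "has not direct effect" (should be "has no direct effect").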

View File

@ -1896,7 +1896,7 @@ For Quality Updates, this policy specifies the deadline in days before automatic
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
> [!Note] > [!NOTE]
> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. > If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period.
Value type is integer. Default is 14. Value type is integer. Default is 14.
@ -3786,7 +3786,7 @@ Options:
- 1 Turn off all notifications, excluding restart warnings - 1 Turn off all notifications, excluding restart warnings
- 2 Turn off all notifications, including restart warnings - 2 Turn off all notifications, including restart warnings
> [!Important] > [!IMPORTANT]
> If you choose not to get update notifications and also define other Group policies so that devices arent automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. > If you choose not to get update notifications and also define other Group policies so that devices arent automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.
<!--/Description--> <!--/Description-->
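Review bot: the IMPORTANT body lost an apostrophe in "devices arent automatically getting updates" (should be "aren't"); "Group policies" is also capitalized as "Group Policy" elsewhere in this commit.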
@ -3847,7 +3847,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!Important] > [!IMPORTANT]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
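Review bot: "Windows 10 Mobile Enteprise" in the IMPORTANT body should be "Enterprise"; a comma after "version 1703" would also match the "Starting in Windows 10, version 1703," wording used in the EnterpriseDataProtection hunks of this same commit.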
@ -3939,7 +3939,7 @@ To use this setting, you must set two server name values: the server from which
Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note] > [!NOTE]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. > If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. > If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. > This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.

View File

@ -436,7 +436,7 @@ Valid values:
<!--Description--> <!--Description-->
Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users.
> [!Note] > [!NOTE]
> If Suppress notification is enabled then users will not see critical or non-critical messages. > If Suppress notification is enabled then users will not see critical or non-critical messages.
Value type is integer. Supported operations are Add, Get, Replace and Delete. Value type is integer. Supported operations are Add, Get, Replace and Delete.

View File

@ -45,7 +45,7 @@ The default value changed to false in Windows 10, version 1703. The default valu
<a href="" id="setpowerpolicies"></a>**SetPowerPolicies** <a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode. Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
> [!Note] > [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
@ -55,7 +55,7 @@ The default value is Not Configured and the effective power settings are determi
<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime** <a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**
Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440. Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
> [!Note] > [!NOTE]
>  If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. >  If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
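Review bot: the line after the marker (`>  If used, this value must be set ...`) still carries a doubled or non-breaking space after `>`, unlike the otherwise identical SharedPC notes in the neighbouring hunks (`> If used, ...`); normalize it while the marker line is being edited so the six notes render the same way.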
@ -65,7 +65,7 @@ The default value is Not Configured and its value in the SharedPC provisioning p
<a href="" id="signinonresume"></a>**SignInOnResume** <a href="" id="signinonresume"></a>**SignInOnResume**
Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode. Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
> [!Note] > [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
@ -75,7 +75,7 @@ The default value is Not Configured and its value in the SharedPC provisioning p
<a href="" id="sleeptimeout"></a>**SleepTimeout** <a href="" id="sleeptimeout"></a>**SleepTimeout**
The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
> [!Note] > [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
@ -85,7 +85,7 @@ The default value is Not Configured, and effective behavior is determined by the
<a href="" id="enableaccountmanager"></a>**EnableAccountManager** <a href="" id="enableaccountmanager"></a>**EnableAccountManager**
A boolean that enables the account manager for shared PC mode. A boolean that enables the account manager for shared PC mode.
> [!Note] > [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
@ -95,7 +95,7 @@ The default value is Not Configured and its value in the SharedPC provisioning p
<a href="" id="accountmodel"></a>**AccountModel** <a href="" id="accountmodel"></a>**AccountModel**
Configures which type of accounts are allowed to use the PC. Configures which type of accounts are allowed to use the PC.
> [!Note] > [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
@ -111,7 +111,7 @@ Its value in the SharedPC provisioning package is 1 or 2.
<a href="" id="deletionpolicy"></a>**DeletionPolicy** <a href="" id="deletionpolicy"></a>**DeletionPolicy**
Configures when accounts are deleted. Configures when accounts are deleted.
> [!Note] > [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Add, Get, Replace, and Delete. The supported operations are Add, Get, Replace, and Delete.
@ -132,7 +132,7 @@ The default value is Not Configured. Its value in the SharedPC provisioning pack
<a href="" id="diskleveldeletion"></a>**DiskLevelDeletion** <a href="" id="diskleveldeletion"></a>**DiskLevelDeletion**
Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first. Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first.
> [!Note] > [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The default value is Not Configured. Its default value in the SharedPC provisioning package is 25. The default value is Not Configured. Its default value in the SharedPC provisioning package is 25.
@ -144,7 +144,7 @@ The supported operations are Add, Get, Replace, and Delete.
<a href="" id="disklevelcaching"></a>**DiskLevelCaching** <a href="" id="disklevelcaching"></a>**DiskLevelCaching**
Sets the percentage of available disk space a PC should have before it stops deleting cached accounts. Sets the percentage of available disk space a PC should have before it stops deleting cached accounts.
> [!Note] > [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
The default value is Not Configured. The default value in the SharedPC provisioning package is 25. The default value is Not Configured. The default value in the SharedPC provisioning package is 25.
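Review bot: the DiskLevelCaching note text reads "this value must set before the action ..." and is missing "be" ("must be set"); the same wording recurs in the following hunks for the local storage restriction, KioskModeAUMID, KioskModeUserTileDisplayText and MaxPageFileSizeMB, so it is worth fixing them all in this pass while the admonition lines are being touched.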
@ -158,7 +158,7 @@ Added in Windows 10, version 1703. Restricts the user from using local storage.
The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False. The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
> [!Note] > [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID** <a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
@ -166,7 +166,7 @@ Added in Windows 10, version 1703. Specifies the AUMID of the app to use with as
Value type is string. Supported operations are Add, Get, Replace, and Delete. Value type is string. Supported operations are Add, Get, Replace, and Delete.
> [!Note] > [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText** <a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**
@ -174,7 +174,7 @@ Added in Windows 10, version 1703. Specifies the display text for the account sh
Value type is string. Supported operations are Add, Get, Replace, and Delete. Value type is string. Supported operations are Add, Get, Replace, and Delete.
> [!Note] > [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
<a href="" id="inactivethreshold"></a>**InactiveThreshold** <a href="" id="inactivethreshold"></a>**InactiveThreshold**
@ -187,7 +187,7 @@ The default in the SharedPC provisioning package is 30.
<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB** <a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**
Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional.
> [!Note] > [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. > If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

View File

@ -18,7 +18,7 @@ manager: dansimp
The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes. The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes.
> [!Note] > [!NOTE]
> The forced network connection is only applicable to devices after reset (not new). > The forced network connection is only applicable to devices after reset (not new).
The following diagram shows the TenantLockdown configuration service provider in tree format. The following diagram shows the TenantLockdown configuration service provider in tree format.

View File

@ -16,10 +16,10 @@ manager: dansimp
The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809. The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809.
> [!Note] > [!NOTE]
> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
> [!Note] > [!NOTE]
> The production UEFI CSP is present in 1809, but it depends upon the Device Firmware Configuration Interface (DFCI) and UEFI firmware to comply with this interface. The specification for this interface and compatible firmware is not yet available. > The production UEFI CSP is present in 1809, but it depends upon the Device Firmware Configuration Interface (DFCI) and UEFI firmware to comply with this interface. The specification for this interface and compatible firmware is not yet available.
The following diagram shows the UEFI CSP in tree format. The following diagram shows the UEFI CSP in tree format.
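Review bot: the two UEFI notes sit back to back and cover the same subject (the 1803 version being superseded and the 1809 version depending on a DFCI specification that is not yet published); they read better as a single `> [!NOTE]` block with the two sentences separated by a `>` line, and if there is no blank line between them markdig will merge them into one blockquote regardless.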

View File

@ -50,7 +50,7 @@ This policy setting allows you to decide how the clipboard behaves while in Appl
- 2 - Turns On clipboard operation from the host to an isolated session - 2 - Turns On clipboard operation from the host to an isolated session
- 3 - Turns On clipboard operation in both the directions - 3 - Turns On clipboard operation in both the directions
> [!Important] > [!IMPORTANT]
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. > Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
<a href="" id="printingsettings"></a>**Settings/PrintingSettings** <a href="" id="printingsettings"></a>**Settings/PrintingSettings**
@ -128,7 +128,7 @@ If you enable this policy, applications inside Windows Defender Application Guar
If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the users device. If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the users device.
> [!Important] > [!IMPORTANT]
> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed. > If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
<a href="" id="status"></a>**Status** <a href="" id="status"></a>**Status**
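Review bot: the context line "access the camera and microphone on the users device" is missing the possessive apostrophe ("user's device"); the Important text directly below it already uses "user's", so the fix also makes the hunk self-consistent.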

View File

@ -31,7 +31,7 @@ The supported operation is Get.
<a href="" id="upgradeeditionwithproductkey"></a>**UpgradeEditionWithProductKey** <a href="" id="upgradeeditionwithproductkey"></a>**UpgradeEditionWithProductKey**
Enters a product key for an edition upgrade of Windows 10 desktop devices. Enters a product key for an edition upgrade of Windows 10 desktop devices.
> [!NOTE] > [!NOTE]
> This upgrade process requires a system restart. > This upgrade process requires a system restart.
@ -97,7 +97,7 @@ The supported operation is Get.
<a href="" id="upgradeeditionwithlicense"></a>**UpgradeEditionWithLicense** <a href="" id="upgradeeditionwithlicense"></a>**UpgradeEditionWithLicense**
Provides a license for an edition upgrade of Windows 10 mobile devices. Provides a license for an edition upgrade of Windows 10 mobile devices.
> [!NOTE] > [!NOTE]
> This upgrade process does not require a system restart. > This upgrade process does not require a system restart.
@ -216,7 +216,7 @@ Values:
</SyncML> </SyncML>
``` ```
> [!NOTE] > [!NOTE]
> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. > `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key.
@ -297,7 +297,7 @@ Values:
</SyncML> </SyncML>
``` ```
> [!NOTE] > [!NOTE]
> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. > `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key.

View File

@ -16,7 +16,7 @@ ms.author: dansimp
This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues. This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues.
> [!Note] > [!NOTE]
> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. > The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
## Identify the problem ## Identify the problem
@ -76,14 +76,14 @@ To collect data for a server freeze, check the following table, and use one or m
### Method 1: Memory dump ### Method 1: Memory dump
> [!Note] > [!NOTE]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. > Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected. A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected.
If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump. If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump.
> [!Note] > [!NOTE]
> If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process. > If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process.
@ -97,7 +97,7 @@ If the computer is no longer frozen and now is running in a good state, use the
3. In the **Write Debugging Information** section, select **Complete Memory Dump**. 3. In the **Write Debugging Information** section, select **Complete Memory Dump**.
> [!Note] > [!NOTE]
> For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD): > For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD):
>**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled** >**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled**
@ -131,12 +131,12 @@ If the computer is no longer frozen and now is running in a good state, use the
To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change.
> [!Note] > [!NOTE]
> This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146). > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146).
4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file. 4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file.
> [!Note] > [!NOTE]
> By default, the dump file is located in the following path:<br /> > By default, the dump file is located in the following path:<br />
> %SystemRoot%\MEMORY.DMP > %SystemRoot%\MEMORY.DMP
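Review bot: the NMICrashDump note's version list is missing a comma ("For Windows 8 Windows Server 2012, and later versions" should read "For Windows 8, Windows Server 2012, and later versions"); the same list is punctuated correctly in the Hyper-V note later in this file, so align with that.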
@ -194,12 +194,12 @@ If the physical computer is still running in a frozen state, follow these steps
1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps: 1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps:
> [!Note] > [!NOTE]
> If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified.
1. Try to access the desktop of the computer by any means. 1. Try to access the desktop of the computer by any means.
> [!Note] > [!NOTE]
> In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured. > In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured.
2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings: 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings:
@ -218,7 +218,7 @@ If the physical computer is still running in a frozen state, follow these steps
If the page file is customized, the size will be reflected in the registry, such as ?:\pagefile.sys 1024 1124 where 1024 is the initial size and 1124 is the max size. If the page file is customized, the size will be reflected in the registry, such as ?:\pagefile.sys 1024 1124 where 1024 is the initial size and 1124 is the max size.
> [!Note] > [!NOTE]
> If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$). > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$).
3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. 3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM.
@ -244,7 +244,7 @@ If the physical computer is still running in a frozen state, follow these steps
4. Restart the computer. 4. Restart the computer.
3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump. 3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump.
> [!Note] > [!NOTE]
> By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP > By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP
### Use Pool Monitor to collect data for the physical computer that is no longer frozen ### Use Pool Monitor to collect data for the physical computer that is no longer frozen
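Review bot: step 3 here writes the key as **CTRL** while the equivalent step in the earlier NMI hunk writes **Ctrl**; pick one casing for the keyboard key across the article, since both steps describe the same right Ctrl + Scroll Lock sequence.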
@ -267,7 +267,7 @@ To debug the virtual machines on Hyper-V, run the following cmdlet in Windows Po
Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname
``` ```
> [!Note] > [!NOTE]
> This method is applicable only to Windows 8, Windows Server 2012, and later versions of Windows virtual machines. For the earlier versions of Windows, see methods 1 through 4 that are described earlier in this section. > This method is applicable only to Windows 8, Windows Server 2012, and later versions of Windows virtual machines. For the earlier versions of Windows, see methods 1 through 4 that are described earlier in this section.
#### VMware #### VMware

View File

@ -49,14 +49,14 @@ Three features enable Start and taskbar layout control:
- The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]   >[!NOTE]
>To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet. >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration. - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.
- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied. The Group Policy object doesn't support an empty tile layout, so the default tile layout for Windows is loaded in that case. - In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied. The Group Policy object doesn't support an empty tile layout, so the default tile layout for Windows is loaded in that case.
>[!NOTE]   >[!NOTE]
>To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863). >To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863).
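Review bot: the second note in this hunk is missing a word ("To learn how customize Start" should be "To learn how to customize Start"), and the link target has a stray leading space inside the parentheses (`]( https://...)`) that some markdown engines will not accept as a link; both are one-character fixes on lines this hunk already touches.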
@ -79,7 +79,7 @@ For information about deploying GPOs in a domain, see [Working with Group Policy
You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**. You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
>[!NOTE]   >[!NOTE]
>This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment). >This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment).
> >
>This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10. >This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10.

View File

@ -44,7 +44,7 @@ Two features enable Start layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]   >[!NOTE]
>To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet. >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.

View File

@ -39,7 +39,7 @@ Three features enable Start and taskbar layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]   >[!NOTE]
>To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet. >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration. - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.

View File

@ -71,7 +71,7 @@ In addition to the settings in the table, you may want to set up **automatic log
1. Open Registry Editor (regedit.exe). 1. Open Registry Editor (regedit.exe).
>[!NOTE] >[!NOTE]
>If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).

View File

@ -28,7 +28,7 @@ Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applic
To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
>[!NOTE] >[!NOTE]
>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. >The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
The following sections explain what to expect on a multi-app kiosk. The following sections explain what to expect on a multi-app kiosk.

View File

@ -22,7 +22,7 @@ ms.topic: article
- Windows 10 - Windows 10
- Windows 10 Mobile - Windows 10 Mobile
>[!IMPORTANT] >[!IMPORTANT]
>Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details. >Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
Wi-Fi Sense learns about open Wi-Fi hotspots your Windows PC or Windows phone connects to by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When youre in range of one of these Wi-Fi hotspots, you automatically get connected to it. Wi-Fi Sense learns about open Wi-Fi hotspots your Windows PC or Windows phone connects to by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When youre in range of one of these Wi-Fi hotspots, you automatically get connected to it.
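Review bot: the IMPORTANT alert spells the feature "Wifi-Sense" while the paragraph directly under it says "Wi-Fi Sense"; since this hunk is already being touched, normalize the alert to "Wi-Fi Sense" so the deprecation notice and the feature description visibly refer to the same thing.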

View File

@ -46,7 +46,7 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r
### Set up assigned access using Windows Configuration Designer ### Set up assigned access using Windows Configuration Designer
>[!IMPORTANT] >[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
#### Create the *AssignedAccess*.xml file #### Create the *AssignedAccess*.xml file

View File

@ -50,7 +50,7 @@ The diagrams show:
IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles.
>[!NOTE] >[!NOTE]
>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file: >To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file:
>- Do not leave spaces or white lines in between each element. >- Do not leave spaces or white lines in between each element.
>- Do not add comments inside the StartLayout node or any of its children elements. >- Do not add comments inside the StartLayout node or any of its children elements.

View File

@ -26,7 +26,7 @@ Configuration service providers (CSPs) expose device configuration settings in W
The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations. The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations.
>[!NOTE]   >[!NOTE]
>The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. >The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
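Review bot: the removed side of this hunk shows `>[!NOTE]` followed by trailing non-breaking-space characters, which is invisible in most editors and is exactly the kind of thing that survives a visual review; a search for U+00A0 across the rest of the docs set would catch the same defect in files this commit did not touch.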
[See what's new for CSPs in Windows 10, version 1809.](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809) [See what's new for CSPs in Windows 10, version 1809.](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809)

View File

@ -132,7 +132,7 @@ For details about the settings you can customize in provisioning packages, see [
5. Set a value for **Package Version**. 5. Set a value for **Package Version**.
> [!TIP] > [!TIP]
> You can make changes to existing packages and change the version number to update previously applied packages. > You can make changes to existing packages and change the version number to update previously applied packages.
6. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. 6. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
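Review bot: this hunk and the identical one that follows keep the `> [!TIP]` form (space after `>`) while the NOTE and IMPORTANT alerts elsewhere in the commit use `>[!NOTE]` with no space. Both render under markdig, but since the stated purpose is formatting conformance, pick one form and apply it everywhere, including the `> [!IMPORTANT]` in the shared-PC hunk below.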

View File

@ -144,7 +144,7 @@ For details about the settings you can customize in provisioning packages, see [
5. Set a value for **Package Version**. 5. Set a value for **Package Version**.
> [!TIP] > [!TIP]
> You can make changes to existing packages and change the version number to update previously applied packages. > You can make changes to existing packages and change the version number to update previously applied packages.
6. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. 6. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.

View File

@ -135,7 +135,7 @@ Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
> [!IMPORTANT] > [!IMPORTANT]
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
13. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location. 13. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location.
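Review bot: the IMPORTANT alert states the consequence of including a trusted provisioning certificate (any later package signed with it is applied silently) but not what that implies for the **Enable package signing** bullet above it: whoever can sign with that certificate can push silent configuration to every device the package was applied to, so the certificate picked under **Select...** should be one whose private key is tightly controlled. One sentence next to the certificate picker would make that trade-off explicit.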

View File

@ -185,7 +185,7 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded
**Resolution**: This issue was resolved in the June 2017 updates. Please update Windows 10, version 1607 to the latest cumulative or feature updates. **Resolution**: This issue was resolved in the June 2017 updates. Please update Windows 10, version 1607 to the latest cumulative or feature updates.
>[!Note] >[!NOTE]
>When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**. >When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**.
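Review bot: this is the one hunk where the change is visible in the text rather than in whitespace (`>[!Note]` becomes `>[!NOTE]`); a case-insensitive search for `[!note]`, `[!tip]`, `[!important]` and `[!warning]` would confirm no other mixed-case alert markers remain in the 100 files.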

View File

@ -59,7 +59,7 @@ Comments are not supported in the `LayoutModification.xml` file.
### Supported elements and attributes ### Supported elements and attributes
>[!NOTE] >[!NOTE]
>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file: >To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file:
>- Do not leave spaces or white lines in between each element. >- Do not leave spaces or white lines in between each element.
>- Do not add comments inside the StartLayout node or any of its children elements. >- Do not add comments inside the StartLayout node or any of its children elements.
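Review bot: the two-bullet parser guideline in this NOTE is a word-for-word copy of the one in the earlier "provision the Start layout" hunk, and the `>- ` list-inside-alert form must stay identical in both for markdig to render them the same way; consider keeping the guideline in one place and linking to it from the other file so the two copies cannot drift.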

View File

@ -102,7 +102,7 @@ Use ShellLauncher to specify the application or executable to use as the default
You can also configure ShellLauncher to launch different shell applications for different users or user groups. You can also configure ShellLauncher to launch different shell applications for different users or user groups.
>[!IMPORTANT] >[!IMPORTANT]
>You may specify any executable file to be the default shell except C:\Windows\System32\Eshell.exe. Using Eshell.exe as the default shell will result in a blank screen after a user signs in. >You may specify any executable file to be the default shell except C:\Windows\System32\Eshell.exe. Using Eshell.exe as the default shell will result in a blank screen after a user signs in.
> >
>You cannot use ShellLauncher to launch a Windows app as a custom shell. However, you can use Windows 10 application launcher to launch a Windows app at startup. >You cannot use ShellLauncher to launch a Windows app as a custom shell. However, you can use Windows 10 application launcher to launch a Windows app at startup.

View File

@ -41,7 +41,7 @@ PreEnabledKeyboard must be entered once for each keyboard you want to pre-enable
The following table shows the values that you can use for the Locale code.Locale value part of the setting name. The following table shows the values that you can use for the Locale code.Locale value part of the setting name.
>[!NOTE] >[!NOTE]
>The keyboards for some locales require additional language model files: am-ET, bn-IN, gu-IN, hi-IN, ja-JP, kn-IN, ko-KR, ml-IN, mr-IN, my-MM, or-IN, pa-IN, si-LK, ta-IN, te-IN, zh-TW, zh-CN, and zh-HK. >The keyboards for some locales require additional language model files: am-ET, bn-IN, gu-IN, hi-IN, ja-JP, kn-IN, ko-KR, ml-IN, mr-IN, my-MM, or-IN, pa-IN, si-LK, ta-IN, te-IN, zh-TW, zh-CN, and zh-HK.

View File

@ -25,7 +25,7 @@ UWF intercepts all write attempts to a protected volume and redirects those writ
The overlay does not mirror the entire volume, but dynamically grows to keep track of redirected writes. Generally the overlay is stored in system memory, although you can cache a portion of the overlay on a physical volume. The overlay does not mirror the entire volume, but dynamically grows to keep track of redirected writes. Generally the overlay is stored in system memory, although you can cache a portion of the overlay on a physical volume.
>[!NOTE] >[!NOTE]
>UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume. >UWF fully supports the NTFS system; however, during device startup, NTFS file system journal files can write to a protected volume before UWF has loaded and started protecting the volume.
[Learn more about the Unified Write Filter feature.](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter) [Learn more about the Unified Write Filter feature.](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter)

View File

@ -186,7 +186,7 @@ You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &g
If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
>[!NOTE] >[!NOTE]
>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following: >If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
>Name: Windows(R), Professional edition >Name: Windows(R), Professional edition
>Description: Windows(R) Operating System, RETAIL channel >Description: Windows(R) Operating System, RETAIL channel
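Review bot: the `>Name:` and `>Description:` lines inside this NOTE will be merged into one paragraph, because a plain newline inside a blockquote is a soft break for markdig; either end each line with a hard break (two trailing spaces or a backslash) or put the slmgr output in a fenced block inside the quote so the two fields render on separate lines.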

View File

@ -290,7 +290,7 @@ This section will show you how to create the task sequence used to deploy your p
1. Choose a selection profile: Nothing 1. Choose a selection profile: Nothing
2. Install all drivers from the selection profile 2. Install all drivers from the selection profile
>[!NOTE] >[!NOTE]
>The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.

View File

@ -96,7 +96,7 @@ This section will show you how to configure the rules (the Windows 10 x64 Settin
3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. 3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**.
>[!NOTE] >[!NOTE]
>Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes. >Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes.

View File

@ -53,7 +53,7 @@ Completing these steps will give you a generic Windows To Go drive that can be d
In this step we are creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](https://go.microsoft.com/fwlink/p/?LinkId=619174) using a combination of Windows PowerShell and command-line tools. In this step we are creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](https://go.microsoft.com/fwlink/p/?LinkId=619174) using a combination of Windows PowerShell and command-line tools.
>[!WARNING] >[!WARNING]
>The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. >The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education.
#### To create a Windows To Go workspace with the Windows To Go Creator Wizard #### To create a Windows To Go workspace with the Windows To Go Creator Wizard
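Review bot: `[!WARNING]` is the wrong alert type for a sentence that only recommends the Creator Wizard as the preferred method; a reader scanning for warnings expects a consequence like the "drive will be reformatted and any data erased" warning later in this file. `[!TIP]` or `[!NOTE]` fits this text.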
@ -64,7 +64,7 @@ In this step we are creating the operating system image that will be used on the
3. Verify that the .wim file location (which can be a network share, a DVD , or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. 3. Verify that the .wim file location (which can be a network share, a DVD , or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments.
>[!NOTE] >[!NOTE]
>For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=619150). For more information about using sysprep, see [Sysprep Overview](https://go.microsoft.com/fwlink/p/?LinkId=619151). >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=619150). For more information about using sysprep, see [Sysprep Overview](https://go.microsoft.com/fwlink/p/?LinkId=619151).
4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. The **Windows To Go Creator Wizard** opens. 4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. The **Windows To Go Creator Wizard** opens.
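Review bot: step 3 in this hunk has a stray space before the comma in `a DVD , or a USB drive`; minor, but the line is already carried as context here if you want to pick it up in the same commit.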
@ -76,7 +76,7 @@ In this step we are creating the operating system image that will be used on the
7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you do not wish to encrypt the drive at this time, click **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](https://go.microsoft.com/fwlink/p/?LinkId=619152) for instructions. 7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you do not wish to encrypt the drive at this time, click **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](https://go.microsoft.com/fwlink/p/?LinkId=619152) for instructions.
r r
>[!WARNING] >[!WARNING]
>If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. >If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated.
If you choose to encrypt the Windows To Go drive now: If you choose to encrypt the Windows To Go drive now:
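Review bot: the line containing only `r` between step 7 and the WARNING is a stray character, not markup, and renders as a one-letter paragraph; it survives on both sides of this hunk and should be deleted.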
@ -85,13 +85,13 @@ r
~~~ ~~~
>[!IMPORTANT] >[!IMPORTANT]
>The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](https://go.microsoft.com/fwlink/p/?LinkId=619157). >The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](https://go.microsoft.com/fwlink/p/?LinkId=619157).
~~~ ~~~
8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then click **Create** to start the Windows To Go workspace creation process. 8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then click **Create** to start the Windows To Go workspace creation process.
>[!WARNING] >[!WARNING]
>The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. >The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased.
9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer. 9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer.
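Review bot: the `~~~` fences around the IMPORTANT alert in this hunk turn it into a literal code block, so markdig prints `>[!IMPORTANT]` verbatim instead of rendering an alert, which defeats the purpose of the commit. Drop the two `~~~` lines and indent the quoted block under list item 7 instead; the recovery-password guidance in that alert (where the password is stored, and that AD DS may hold a copy) is exactly the kind of text that should render prominently.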
@ -142,7 +142,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM): 3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM):
>[!TIP] >[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file. >The index number must be set correctly to a valid Enterprise image in the .WIM file.
``` syntax ``` syntax
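Review bot: the fence info string `syntax` is not a language identifier any highlighter recognizes, and the same `\`\`\` syntax` fence appears in three later hunks of this file; since the commands these fences hold are command-prompt invocations (`bcdboot` and `dism` per the following hunk headers), use `cmd` or leave the info string empty.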
@ -225,7 +225,7 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
After the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\) After the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\)
>[!IMPORTANT] >[!IMPORTANT]
>Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. >Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used.
If you do not wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC. If you do not wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC.
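Review bot: in the line before the IMPORTANT alert, the path `W:\\Windows\\System32\\sysprep\)` ends with a single `\)`, which CommonMark reads as an escaped parenthesis, so the rendered path loses its trailing backslash; write `sysprep\\)` to match the other separators. The alert itself would also be more actionable if it said to delete any existing unattend.xml in the **%systemroot%\\panther** folder rather than only to "make sure" it is not there.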
@ -238,7 +238,7 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a
Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it is attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace. Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it is attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace.
>[!TIP] >[!TIP]
>If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. >If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer.
@ -303,7 +303,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
djoin /provision /domain <exampledomain.com> /machine <examplewindowstogo_workspace_name> /certtemplate <WorkstationAuthentication_template> /policynames <DirectAccess Client Policy: {GUID}> /savefile <C:\example\path\domainmetadatafile> /reuse djoin /provision /domain <exampledomain.com> /machine <examplewindowstogo_workspace_name> /certtemplate <WorkstationAuthentication_template> /policynames <DirectAccess Client Policy: {GUID}> /savefile <C:\example\path\domainmetadatafile> /reuse
``` ```
>[!NOTE] >[!NOTE]
>The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information see the [Offline Domain Join Step-by-Step guide](https://go.microsoft.com/fwlink/p/?LinkId=619171). >The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information see the [Offline Domain Join Step-by-Step guide](https://go.microsoft.com/fwlink/p/?LinkId=619171).
2. Insert the Windows To Go drive. 2. Insert the Windows To Go drive.
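Review bot: the NOTE at the end of this hunk reads `if are using djoin.exe`, dropping "you", and its first sentence is a comma splice ("for DirectAccess, if your organization is not using..."); split it into two sentences. Also `**/certtemplate**` is bolded while `/downlevel` is plain text; format both switches the same way.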
@ -350,7 +350,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
~~~ ~~~
>[!TIP] >[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file. >The index number must be set correctly to a valid Enterprise image in the .WIM file.
``` syntax ``` syntax
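Review bot: the `~~~` on the first line of this hunk sits directly before the TIP alert; as with the IMPORTANT alert in the Creator Wizard section, if the alert ends up inside a tilde fence it renders as literal text, so verify this TIP renders as an alert. This "index number must be set correctly" TIP is also now the second of three identical copies in the file.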
@ -409,7 +409,7 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind
* If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. * If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials.
>[!NOTE] >[!NOTE]
>Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. >Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain.
You should now be able to access your organizations network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. You should now be able to access your organizations network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises.
@ -457,7 +457,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
4. Provision the Windows To Go drive using the following cmdlets: 4. Provision the Windows To Go drive using the following cmdlets:
>[!NOTE] >[!NOTE]
>If you used the [manual method for creating a workspace](https://go.microsoft.com/fwlink/p/?LinkId=619174) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. >If you used the [manual method for creating a workspace](https://go.microsoft.com/fwlink/p/?LinkId=619174) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
``` syntax ``` syntax
@ -496,7 +496,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM): Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM):
>[!TIP] >[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file. >The index number must be set correctly to a valid Enterprise image in the .WIM file.
``` syntax ``` syntax
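Review bot: the `>[!TIP]` says the index "must be set correctly to a valid Enterprise image" but gives the reader no way to find it; consider adding that `dism /Get-WimInfo /WimFile:<path to .wim>` lists the images in the file with their index numbers so the edition can be checked before the apply step. The same list-nesting caveat as the earlier note applies: the tip sits between a step and its ``` syntax fence, so its indentation has to match the list item.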
@ -528,12 +528,12 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
Enable-BitLocker W: -PasswordProtector $spwd Enable-BitLocker W: -PasswordProtector $spwd
``` ```
>[!WARNING] >[!WARNING]
>To have BitLocker only encrypt used space on the disk append the parameter `UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. >To have BitLocker only encrypt used space on the disk append the parameter `UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background.
8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten. 8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten.
>[!WARNING] >[!WARNING]
>If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. >If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key.
If you want to have the recovery information stored under the account of the Windows To Go workspace you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker). If you want to have the recovery information stored under the account of the Windows To Go workspace you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker).
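Review bot: the paragraph "If you want to have the recovery information stored under the account of the Windows To Go workspace ..." has no `>` prefix, so it renders as ordinary text after the `>[!WARNING]` callout rather than as its second paragraph; either prefix it with `>` or deliberately leave it outside the warning and add a blank line before it. Also in this hunk: `UsedSpaceOnly` is a switch, so write it as `-UsedSpaceOnly` to match how `Enable-BitLocker` is written on the line above; "you can turn BitLocker from within" is missing "on"; and "still in process" should be "still in progress".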
@ -561,7 +561,7 @@ The Windows To Go drives are now ready to be distributed to users and are protec
4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option. 4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option.
>[!NOTE] >[!NOTE]
>If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. >If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace.
### Advanced deployment sample script ### Advanced deployment sample script

View File

@ -34,7 +34,7 @@ Device Health is offered as a *solution* which you link to a new or existing [Az
1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. 1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
>[!NOTE] >[!NOTE]
> Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health. > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health.
2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution. 2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution.
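Review bot: `> Device Health is included ...` keeps a space after `>` while every other callout body in this commit is written `>If`, `>The`, `>When` with no space; since this commit is the formatting cleanup, normalise the spacing here as well so the callout style stays uniform across the set.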

View File

@ -102,7 +102,7 @@ loss of business information, or other pecuniary loss) arising out of the use of
or documentation, even if Microsoft has been advised of the possibility of such damages. or documentation, even if Microsoft has been advised of the possibility of such damages.
``` ```
>[!NOTE] >[!NOTE]
>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. >If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
## Manually deploy feature updates ## Manually deploy feature updates
@ -133,13 +133,13 @@ Before you deploy the feature updates, you can download the content as a separat
- **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
- **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
>[!NOTE] >[!NOTE]
>The deployment package source location that you specify cannot be used by another software deployment package. >The deployment package source location that you specify cannot be used by another software deployment package.
>[!IMPORTANT] >[!IMPORTANT]
>The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
>[!IMPORTANT] >[!IMPORTANT]
>You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
Click **Next**. Click **Next**.
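Review bot: three callouts (`[!NOTE]`, `[!IMPORTANT]`, `[!IMPORTANT]`) follow each other under **Package source**; markdig joins adjacent `>` lines into a single blockquote, so each callout needs a blank line before the next one or the later `[!IMPORTANT]` markers render as literal text inside the first note. Please confirm the blank separators survived the cleanup. Separately, `\\server\sharename\path` in the **Package source** bullet renders as `\server\sharename\path` because one backslash is consumed as an escape; the companion file writes `\\\server\sharename\path`, which does render as a UNC path, so match that form here.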
@ -163,7 +163,7 @@ Before you deploy the feature updates, you can download the content as a separat
- **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
- **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
>[!NOTE] >[!NOTE]
>When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
Click **Next**. Click **Next**.
@ -195,10 +195,10 @@ After you determine which feature updates you intend to deploy, you can manually
- **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline.
>[!IMPORTANT] >[!IMPORTANT]
> After you create the software update deployment, you cannot later change the type of deployment. > After you create the software update deployment, you cannot later change the type of deployment.
>[!NOTE] >[!NOTE]
>A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured.
- **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required.
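Review bot: "downloaded in background" should read "downloaded in the background", and **Required** in that `[!NOTE]` is plain text here but bolded (`**Required**`) in the same sentence in the companion file; align the two. The `[!IMPORTANT]` and `[!NOTE]` under **Type of deployment** are adjacent callouts as well, so a blank line is needed between them for markdig to render two blocks.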
@ -211,19 +211,19 @@ After you determine which feature updates you intend to deploy, you can manually
- **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console.
>[!NOTE] >[!NOTE]
>When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time.
- **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients:
- **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation.
- **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
>[!NOTE] >[!NOTE]
>You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page.
- **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links.
>[!NOTE] >[!NOTE]
>The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent).
7. On the User Experience page, configure the following settings: 7. On the User Experience page, configure the following settings:
- **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**.
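Review bot: "Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links." leaves a sentence fragment; fold it in as "..., for example over slow or unreliable network links." In the note that follows, "the Computer Agent client setting, Disable deadline randomization" should bold the setting name (**Disable deadline randomization**) to match how every other setting in this hunk is styled.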
@ -234,7 +234,7 @@ After you determine which feature updates you intend to deploy, you can manually
>Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
- **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device.
>[!NOTE] >[!NOTE]
>When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
- **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. 8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.

View File

@ -80,7 +80,7 @@ loss of business information, or other pecuniary loss) arising out of the use of
or documentation, even if Microsoft has been advised of the possibility of such damages. or documentation, even if Microsoft has been advised of the possibility of such damages.
``` ```
>[!NOTE] >[!NOTE]
>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. >If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
## Manually deploy feature updates in a user-initiated installation ## Manually deploy feature updates in a user-initiated installation
@ -111,13 +111,13 @@ Before you deploy the feature updates, you can download the content as a separat
- **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
- **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
>[!NOTE] >[!NOTE]
>The deployment package source location that you specify cannot be used by another software deployment package. >The deployment package source location that you specify cannot be used by another software deployment package.
>[!IMPORTANT] >[!IMPORTANT]
>The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
>[!IMPORTANT] >[!IMPORTANT]
>You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
Click **Next**. Click **Next**.
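Review bot: the same adjacency point as in the other manual-deployment file applies here: the `[!NOTE]` and the two `[!IMPORTANT]` callouts under **Package source** must each be separated by a blank line, or markdig renders them as one blockquote with the later markers shown as text. The `\\\server\sharename\path` escaping used in this file is the one that renders as a UNC path; the companion file uses `\\server\sharename\path` and should be brought in line with this one.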
@ -141,7 +141,7 @@ Before you deploy the feature updates, you can download the content as a separat
- **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
- **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
>[!NOTE] >[!NOTE]
>When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
Click **Next**. Click **Next**.
@ -173,10 +173,10 @@ After you determine which feature updates you intend to deploy, you can manually
- **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline.
>[!IMPORTANT] >[!IMPORTANT]
> After you create the software update deployment, you cannot later change the type of deployment. > After you create the software update deployment, you cannot later change the type of deployment.
>[!NOTE] >[!NOTE]
>A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured. >A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured.
- **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**. - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**.
@ -194,7 +194,7 @@ After you determine which feature updates you intend to deploy, you can manually
- **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
>[!NOTE] >[!NOTE]
>You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page.
- **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window. - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window.
@ -204,7 +204,7 @@ After you determine which feature updates you intend to deploy, you can manually
7. On the User Experience page, configure the following settings: 7. On the User Experience page, configure the following settings:
- **User notifications**: Specify **Display in Software Center and show all notifications**. - **User notifications**: Specify **Display in Software Center and show all notifications**.
- **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window.
>[!NOTE] >[!NOTE]
>Remember that the installation deadline date and time will be well into the future to allow plenty of time for the user-initiated install during a fixed servicing window. >Remember that the installation deadline date and time will be well into the future to allow plenty of time for the user-initiated install during a fixed servicing window.
- **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation.
@ -212,7 +212,7 @@ After you determine which feature updates you intend to deploy, you can manually
>Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
- **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device.
>[!NOTE] >[!NOTE]
>When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
- **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. 8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.

View File

@ -73,7 +73,7 @@ To enable data sharing, configure your proxy server to whitelist the following e
>[!NOTE] >[!NOTE]
>Proxy authentication and SSL inspections are frequent challenges for enterprises. See the following sections for configuration options. >Proxy authentication and SSL inspections are frequent challenges for enterprises. See the following sections for configuration options.
> [!Important] > [!IMPORTANT]
> For privacy and data integrity, Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. SSL interception and inspection aren't possible. To use Desktop Analytics, exclude these endpoints from SSL inspection.<!-- BUG 4647542 --> > For privacy and data integrity, Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. SSL interception and inspection aren't possible. To use Desktop Analytics, exclude these endpoints from SSL inspection.<!-- BUG 4647542 -->
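Review bot: The `> [!IMPORTANT]` block on L1007-L1008 starts on the line immediately after the `>[!NOTE]` block ending on L1006; if the source has no blank line between them, markdig folds consecutive `>` lines into one blockquote and the second alert marker renders as literal text inside the first. The case fix from `[!Important]` to `[!IMPORTANT]` on L1007 is correct, but separate the two alerts with an empty line as well.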

View File

@ -63,7 +63,7 @@ The WU engine has different component names. The following are some of the most
- DataStore - Caching update data locally - DataStore - Caching update data locally
- IdleTimer - Tracking active calls, stopping a service - IdleTimer - Tracking active calls, stopping a service
>[!NOTE] >[!NOTE]
>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on whats important. >Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on whats important.
### Windows Update log structure ### Windows Update log structure
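Review bot: Since this note is being touched, fix the missing apostrophe in "whats important" on L1016 (should be "what's important").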

View File

@ -29,7 +29,7 @@ This flow only enforces the deadline where the device will attempt to silently r
Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device. Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to reboot the device.
>[!NOTE] >[!NOTE]
>Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). >Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update).
### Policy overview ### Policy overview
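Review bot: The parenthetical on L1024 lists the steps in reverse order ("completed the installation and download"); the device downloads first and then installs, so suggest "completed the download and installation from Windows Update". Also "enforced from pending restart state" reads better as "enforced from the pending restart state".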

View File

@ -47,7 +47,7 @@ Upgrade Readiness is offered as a *solution* which you link to a new or existing
1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. 1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal.
>[!NOTE] >[!NOTE]
> Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. > Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness.
2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. 2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution.
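Review bot: The `>[!NOTE]` on L1031-L1032 is unindented between numbered items 1 (L1030) and 2 (L1033); at column 0 the blockquote terminates the ordered list, so item 2 begins a new `<ol>` instead of continuing the first. Indent the two `>` lines by three spaces to keep the note inside item 1.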

View File

@ -28,7 +28,7 @@ The compatibility update that sends diagnostic data from user computers to Micro
If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
> [!NOTE] > [!NOTE]
> Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. > Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements.
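Review bot: The last sentence of the note on L1040 is a comma splice ("...still valuable in this scenario, however, you can ignore..."); split it into two sentences or use a semicolon before "however".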

View File

@ -32,7 +32,7 @@ The Windows Autopilot Reset process automatically retains information from the e
Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed. Windows Autopilot Reset will block the user from accessing the desktop until this information is restored, including re-applying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset will also block until an MDM sync is completed.
>[!IMPORTANT] >[!IMPORTANT]
>To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. >To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
>[!NOTE] >[!NOTE]
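Review bot: L1047-L1049 show an `>[!IMPORTANT]` block immediately followed by a `>[!NOTE]` line; unless a blank line separates them in the source, markdig merges the consecutive `>` lines into a single blockquote and `[!NOTE]` is rendered as literal text inside the IMPORTANT alert. Put an empty line between the two alerts.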

View File

@ -33,7 +33,7 @@ The data covered in this article is grouped into the following categories:
- Browsing History data - Browsing History data
- Inking, Typing, and Speech Utterance data - Inking, Typing, and Speech Utterance data
> [!NOTE] > [!NOTE]
> The majority of diagnostic data falls into the first four categories. > The majority of diagnostic data falls into the first four categories.
## Common data ## Common data

View File

@ -75,7 +75,7 @@ Run the following command:
CertReq -EnrollCredGuardCert MachineAuthentication CertReq -EnrollCredGuardCert MachineAuthentication
``` ```
> [!NOTE] > [!NOTE]
> You must restart the device after enrolling the machine authentication certificate. > You must restart the device after enrolling the machine authentication certificate.
   
##### How a certificate issuance policy can be used for access control ##### How a certificate issuance policy can be used for access control
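Review bot: L1067 is a whitespace-only line that appears to consist of non-breaking spaces rather than being empty; CommonMark parsers such as markdig do not treat a line of NBSP characters as a blank line, so it becomes a lazy continuation of the note above and does not separate the alert from the heading on L1068. Replace it with a truly empty line; the same whitespace line recurs at L1081, L1096, L1110 and L1127.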
@ -126,7 +126,7 @@ Authentication policies have the following requirements:
11. Click **OK** to create the authentication policy. 11. Click **OK** to create the authentication policy.
12. Close Active Directory Administrative Center. 12. Close Active Directory Administrative Center.
> [!NOTE] > [!NOTE]
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
##### Discovering authentication failures due to authentication policies ##### Discovering authentication failures due to authentication policies
@ -327,7 +327,7 @@ write-host "There are no issuance policies which are not mapped to groups"
} }
} }
``` ```
> [!NOTE] > [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
   
#### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group #### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group
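Review bot: The note on L1080 tells the reader to replace "the single quote after the ConvertFrom-StringData parameter" but never says what to replace it with, so it is not actionable; state the intended character (a plain ASCII `'`), since the likely failure is a typographic quote picked up when copying from the rendered page. The identical note appears in the hunks ending at L1087, L1109, L1116, L1126 and L1133 and should be corrected in all of them.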
@ -609,5 +609,5 @@ write-host $tmp -Foreground Red
} }
``` ```
> [!NOTE] > [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.

View File

@ -100,7 +100,7 @@ Run the following command:
CertReq -EnrollCredGuardCert MachineAuthentication CertReq -EnrollCredGuardCert MachineAuthentication
``` ```
> [!NOTE] > [!NOTE]
> You must restart the device after enrolling the machine authentication certificate. > You must restart the device after enrolling the machine authentication certificate.
   
##### How a certificate issuance policy can be used for access control ##### How a certificate issuance policy can be used for access control
@ -151,7 +151,7 @@ Authentication policies have the following requirements:
11. Click **OK** to create the authentication policy. 11. Click **OK** to create the authentication policy.
12. Close Active Directory Administrative Center. 12. Close Active Directory Administrative Center.
> [!NOTE] > [!NOTE]
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
##### Discovering authentication failures due to authentication policies ##### Discovering authentication failures due to authentication policies
@ -356,7 +356,7 @@ write-host "There are no issuance policies which are not mapped to groups"
} }
} }
``` ```
> [!NOTE] > [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
   
#### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group #### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group
@ -638,7 +638,7 @@ write-host $tmp -Foreground Red
} }
``` ```
> [!NOTE] > [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
## See also ## See also

View File

@ -209,7 +209,7 @@ write-host "There are no issuance policies which are not mapped to groups"
} }
} }
``` ```
> [!NOTE] > [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
   
## <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group ## <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group
@ -491,5 +491,5 @@ write-host $tmp -Foreground Red
} }
``` ```
> [!NOTE] > [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.

View File

@ -26,7 +26,7 @@ ms.reviewer:
Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name. Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name.
Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
>[!NOTE] >[!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning. > External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning.
Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the sites server authentication certificate chain matches a restricted set of certificates. Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the sites server authentication certificate chain matches a restricted set of certificates.
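Review bot: Missing possessive apostrophe on L1142: "the sites server authentication certificate chain" should be "the site's server authentication certificate chain".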

View File

@ -273,7 +273,7 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer,
#### Example 2 #### Example 2
This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true. This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones. This configuration is wrapped for reading. Once properly formatted, the entire XML contents must be a single line. This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
>[!NOTE] >[!NOTE]
>Separate each rule element using a comma. >Separate each rule element using a comma.
``` ```
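Review bot: The opening fence on L1151 has no language tag; since the block holds the XML signal configuration described on L1148, tag it as ```xml so markdig emits a language class for highlighting. Also, L1148 spells the signal type "bluetooth" in one place and "Bluetooth" in the next sentence; use the capitalized form consistently.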

View File

@ -382,7 +382,7 @@ $deSCP.Properties["keywords"].Add("enterpriseDrsName:" + $enrollmentService)
$deSCP.CommitChanges() $deSCP.CommitChanges()
``` ```
>[!NOTE] >[!NOTE]
> You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1. > You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1.
> >
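Review bot: The trailing `>` on L1160 is an empty quote line with no content; drop it, as it only extends the blockquote. The sentence on L1159 is also hard to read ("save the modified script in notepad and save them as"): suggest "Save the modified script as add-scpadfs.ps1, then run it from the folder containing the script with .\add-scpadfs.ps1", which also makes the file name casing consistent between the two mentions.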

View File

@ -247,7 +247,7 @@ If you use modern management for both domain and non-domain joined devices, writ
Windows Hello for Business is a feature exclusive to Windows 10. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions. Windows Hello for Business is a feature exclusive to Windows 10. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices. If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
>[!NOTE] >[!NOTE]
>Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization. >Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true. Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true.

View File

@ -71,7 +71,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Remote Desktop - Microsoft Remote Desktop
>[!NOTE] >[!NOTE]
>Microsoft Visio and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. >Microsoft Visio and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining.
## List of WIP-work only apps from Microsoft ## List of WIP-work only apps from Microsoft
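Review bot: Two typos in the note on L1176: "enlightended" should be "enlightened" and "functioining" should be "functioning".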

View File

@ -46,7 +46,7 @@ Protecting authorized removable storage with Windows Defender Antivirus requires
- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. - If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. - If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
>[!NOTE] >[!NOTE]
>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**. >We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**.
<!-- Need to build out point in the precedeing note. <!-- Need to build out point in the precedeing note.
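Review bot: L1186 opens an HTML comment (`<!-- Need to build out point in the precedeing note.`) and the closing `-->` is not in this hunk; confirm the comment is closed in the file, because an unclosed comment hides everything after it in the rendered page. Also fix the typo "precedeing" to "preceding" while touching it.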
@ -113,7 +113,7 @@ Based on any Windows Defender ATP event, including the plug and play events, you
Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
>[!Note] >[!NOTE]
>Always test and refine these settings with a pilot group of users and devices first before applying them in production. >Always test and refine these settings with a pilot group of users and devices first before applying them in production.
The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals.
@ -125,7 +125,7 @@ For more information about controlling USB devices, see the [Microsoft Secure bl
| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | | [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware |
| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | | [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware |
>[!Note] >[!NOTE]
>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. >Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
### Block installation and usage of removable storage ### Block installation and usage of removable storage

View File

@ -40,7 +40,7 @@ You need to make sure that all your devices are enrolled in Intune. You can use
There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal. There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
> [!NOTE] > [!NOTE]
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
Take the following steps to enable Conditional Access: Take the following steps to enable Conditional Access:

View File

@ -61,7 +61,7 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
## Grant the MSSP access to the portal ## Grant the MSSP access to the portal
>[!NOTE] >[!NOTE]
> These set of steps are directed towards the MSSP customer. <br> > These set of steps are directed towards the MSSP customer. <br>
> Access to the portal can only be done by the MSSP customer. > Access to the portal can only be done by the MSSP customer.
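Review bot: Subject-verb agreement on L1212: "These set of steps are directed towards the MSSP customer" should be "This set of steps is directed towards the MSSP customer"; the same phrasing recurs at L1217 ("These set of steps are directed towards the MSSP") and should be corrected there too.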
@ -96,7 +96,7 @@ As a MSSP customer, you can always remove or modify the permissions granted to t
## Access the Microsoft Defender Security Center MSSP customer portal ## Access the Microsoft Defender Security Center MSSP customer portal
>[!NOTE] >[!NOTE]
>These set of steps are directed towards the MSSP. >These set of steps are directed towards the MSSP.
By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.

View File

@ -57,7 +57,7 @@ Learn how to use data sensitivity labels to prioritize incident investigation.
![Image of machine timeline with narrowed down search results based on label](images/machine-timeline-labels.png) ![Image of machine timeline with narrowed down search results based on label](images/machine-timeline-labels.png)
>[!NOTE] >[!NOTE]
> The event side pane now provides additional insight to the WIP and AIP protection status. > The event side pane now provides additional insight to the WIP and AIP protection status.

View File

@ -92,7 +92,7 @@ SMB is the resource-sharing protocol that is supported by many Windows operating
Enable **Microsoft network client: Digitally sign communications (always)**. Enable **Microsoft network client: Digitally sign communications (always)**.
>[!NOTE] >[!NOTE]
>An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. >An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
### Potential impact ### Potential impact

View File

@ -95,7 +95,7 @@ SMB is the resource-sharing protocol that is supported by many Windows operating
Enable **Microsoft network server: Digitally sign communications (always)**. Enable **Microsoft network server: Digitally sign communications (always)**.
>[!NOTE] >[!NOTE]
>An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. >An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
### Potential impact ### Potential impact

View File

@ -146,7 +146,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. 1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. 2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
> [!NOTE] > [!NOTE]
> "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. > "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
## Related topics ## Related topics

View File

@ -24,7 +24,7 @@ manager: dansimp
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
>[!NOTE] >[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
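Review bot: the note body is a comma splice: "it is not simply protection for files stored in the cloud, rather it uses distributed resources" needs a semicolon or a full stop before "rather". "Security intelligence updates" should also use consistent casing ("security intelligence updates" or "Security Intelligence updates") rather than capitalising only the first word. The identical note appears in the next file, so both copies should get the same wording.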

View File

@ -27,7 +27,7 @@ Microsoft next-gen technologies in Windows Defender Antivirus provide near-insta
To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
>[!NOTE] >[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
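Review bot: this is a verbatim copy of the cloud-service note in the previous file and has the same comma splice ("stored in the cloud, rather it uses") and the same inconsistent "Security intelligence" casing; apply the same fix here so the two pages stay in sync.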
With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action: With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action:

View File

@ -26,7 +26,7 @@ In Windows 10, version 1703 and later, the Windows Defender app is part of the W
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703. Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT] > [!IMPORTANT]
> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. > Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
> [!WARNING] > [!WARNING]

View File

@ -85,7 +85,7 @@ Use the following procedure after you have been running a computer with a WDAC p
` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy UserPEs 3> CIPolicylog.txt` ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy UserPEs 3> CIPolicylog.txt`
> [!Note] > [!NOTE]
> When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
4. Find and review the WDAC audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: 4. Find and review the WDAC audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
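Review bot: the command shown in the context line above the note is broken: `New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy UserPEs 3> CIPolicylog.txt` is missing the leading hyphen on the switch, so PowerShell would treat `UserPEs` as a positional argument and fail. It should be `New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> CIPolicylog.txt`. Since the whole point of this step is to generate the audit policy, a reader copying the line as written will not get past it.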
@ -96,5 +96,5 @@ Use the following procedure after you have been running a computer with a WDAC p
You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies). You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies).
> [!Note] > [!NOTE]
> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies. > You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies.

View File

@ -26,7 +26,7 @@ For this example, you must initiate variables to be used during the creation pro
Then create the WDAC policy by scanning the system for installed applications. Then create the WDAC policy by scanning the system for installed applications.
The policy file is converted to binary format when it gets created so that Windows can interpret it. The policy file is converted to binary format when it gets created so that Windows can interpret it.
> [!Note] > [!NOTE]
> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. > Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.
Each installed software application should be validated as trustworthy before you create a policy. Each installed software application should be validated as trustworthy before you create a policy.
@ -70,7 +70,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
> [!Note] > [!NOTE]
> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). > We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error messages. For information about how to audit a WDAC policy, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md). We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error messages. For information about how to audit a WDAC policy, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md).

View File

@ -23,10 +23,10 @@ ms.date: 02/28/2018
WDAC policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. WDAC policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
> [!NOTE] > [!NOTE]
> This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md), earlier in this topic. > This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md), earlier in this topic.
> [!NOTE] > [!NOTE]
> Signed WDAC policies can cause boot failures when deployed. We recommend that signed WDAC policies be thoroughly tested on each hardware platform before enterprise deployment. > Signed WDAC policies can cause boot failures when deployed. We recommend that signed WDAC policies be thoroughly tested on each hardware platform before enterprise deployment.
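Review bot: the second callout in this hunk describes a failure condition ("Signed WDAC policies can cause boot failures when deployed"); given this commit is normalising callout types, `[!WARNING]` fits that content better than `[!NOTE]`, and keeping two back-to-back `[!NOTE]` blocks makes the boot-failure caution easy to skim past. Separately, the lead paragraph's "A Windows Defender Device Guard administrative template will be available in Windows Server 2016" is stale future tense for a shipped release and should be "is available".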
To deploy and manage a WDAC policy with Group Policy: To deploy and manage a WDAC policy with Group Policy:
@ -52,12 +52,12 @@ To deploy and manage a WDAC policy with Group Policy:
In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin. In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin.
> [!NOTE] > [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png) ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png)
> [!NOTE] > [!NOTE]
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your WDAC policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your WDAC policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md). 7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md).

View File

@ -37,7 +37,7 @@ If the WDAC policy was deployed by using Group Policy, the GPO that is currently
Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps.
> [!Note] > [!NOTE]
> For reference, signed WDAC policies should be replaced and removed from the following locations: > For reference, signed WDAC policies should be replaced and removed from the following locations:
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\ - &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
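Review bot: the note ends with "should be replaced and removed from the following locations:" but the list that follows (`- <EFI System Partition>\Microsoft\Boot\` and the rest) is not prefixed with `>`, so under markdig the list renders outside the callout and the note closes on a dangling colon. Either prefix each location line with `> ` so the list stays inside the note, or move the sentence out of the callout and let the list follow it as ordinary body text.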

View File

@ -23,7 +23,7 @@ ms.date: 05/03/2018
Every WDAC policy is created with audit mode enabled. After you have successfully deployed and tested a WDAC policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session: Every WDAC policy is created with audit mode enabled. After you have successfully deployed and tested a WDAC policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session:
> [!Note] > [!NOTE]
> Every WDAC policy should be tested in audit mode first. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md), earlier in this topic. > Every WDAC policy should be tested in audit mode first. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md), earlier in this topic.
1. Initialize the variables that will be used: 1. Initialize the variables that will be used:
@ -36,7 +36,7 @@ Every WDAC policy is created with audit mode enabled. After you have successfull
` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
> [!Note] > [!NOTE]
> The initial WDAC policy that this section refers to was created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are using a different WDAC policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. > The initial WDAC policy that this section refers to was created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are using a different WDAC policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the WDAC policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options. 2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the WDAC policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
@ -55,7 +55,7 @@ Every WDAC policy is created with audit mode enabled. After you have successfull
` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
> [!Note] > [!NOTE]
> To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy. > To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy.
5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary format: 5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary format:

View File

@ -23,7 +23,7 @@ ms.date: 05/03/2018
Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. For example, after a WDAC policy is created and audited, you might want to merge audit events from another WDAC policy. Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. For example, after a WDAC policy is created and audited, you might want to merge audit events from another WDAC policy.
> [!NOTE] > [!NOTE]
> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then amanaged installer using System Center Configuration Manager (SCCM) targeted the same device, the SCCM policy would overwrite the SiPolicy.p7b file. > Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then amanaged installer using System Center Configuration Manager (SCCM) targeted the same device, the SCCM policy would overwrite the SiPolicy.p7b file.
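Review bot: typo in the note body: "and then amanaged installer using System Center Configuration Manager" should be "and then a managed installer using System Center Configuration Manager". The file name is also written "SiPolicy.p7b" here but "SIPolicy.p7b" in the Group Policy deployment topic; pick one spelling across the WDAC pages so readers searching the docs find both references.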
To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session: To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session:
@ -40,7 +40,7 @@ To merge two WDAC policies, complete the following steps in an elevated Windows
` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
> [!Note] > [!NOTE]
> The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly. > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly.
2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy: 2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy:

View File

@ -46,7 +46,7 @@ To modify the policy rule options of an existing WDAC policy, use [Set-RuleOptio
You can set several rule options within a WDAC policy. Table 2 describes each rule option. You can set several rule options within a WDAC policy. Table 2 describes each rule option.
> [!NOTE] > [!NOTE]
> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode. > We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
**Table 2. Windows Defender Application Control policy - policy rule options** **Table 2. Windows Defender Application Control policy - policy rule options**

View File

@ -49,7 +49,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> [!Note] > [!NOTE]
> This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. > This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing users personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing users personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
@ -64,7 +64,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update` ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
> [!Note] > [!NOTE]
> <Path to exported .cer certificate> should be the full path to the certificate that you exported in step 3. > <Path to exported .cer certificate> should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future. Also, adding update signers is crucial to being able to modify or disable this policy in the future.
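Review bot: the placeholder in the note, "> <Path to exported .cer certificate> should be the full path to the certificate that you exported in step 3.", uses unescaped angle brackets; markdig passes `<Path to exported .cer certificate>` through as raw HTML, so the placeholder vanishes from the rendered page and the sentence starts with "should be". Escape it as `&lt;Path to exported .cer certificate&gt;` or wrap it in backticks, matching the `&lt;Path to signtool.exe&gt;` form already used in the signtool note later in this file.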
@ -80,7 +80,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` ` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
> [!Note] > [!NOTE]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. > The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). 9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
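Review bot: with the casing fixed, check that a blank line sits between the closing `>` line of this note and step 9 "Validate the signed file."; without it the numbered item is absorbed into the quote and the step disappears into the alert. While this block is open, the note tells the reader to import the signing certificate into the personal store but says nothing about the private key in that .pfx, which can sign any future update to the WDAC policy; one sentence recommending a dedicated signing host or hardware-backed key would be a cheap addition.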

View File

@ -51,7 +51,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> [!Note] > [!NOTE]
> This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing users personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing users personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
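Review bot: the note says to update `$CIPolicyPath` and `$CIPolicyBin` when signing another policy, but the visible line builds the binary path with plain string concatenation, `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`, which only yields a valid path when `$CIPolicyPath` ends with a trailing backslash. Either say so in the note or change the line to `Join-Path $CIPolicyPath "DeviceGuardPolicy.bin"`. Also make sure a blank line follows the `>` line before "2. Import the .pfx code signing certificate...", or that list item becomes part of the note.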
@ -66,7 +66,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update` ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
> [!Note] > [!NOTE]
> *&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3. > *&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows). Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows).
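Review bot: this copy already escapes the placeholder as `*&lt;Path to exported .cer certificate&gt;*`, so only the `[!Note]` to `[!NOTE]` casing changes here; the other copy of this topic in the same commit still uses the raw `<...>` form and should be aligned with this one. Two checks: the note refers to "the certificate that you exported in step 3" while `Add-SignerRule` sits under a later step, so confirm the step numbers still match after the edits; and confirm a blank line precedes "Also, adding update signers is crucial..." so the sentence and its link to disabling signed policies render outside the alert.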
@ -82,7 +82,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` ` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
> [!Note] > [!NOTE]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. > The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). 9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
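Review bot: the note explains `/n "ContosoDGSigningCert"` as the subject name, but SignTool's `/n` matches the subject name as a substring, so a personal store holding more than one certificate whose subject contains that string gives an ambiguous selection; it is worth documenting `/sha1 <thumbprint>` as the unambiguous way to pick the signing certificate. The command also mixes `-v`/`-p7`/`-fd` with `/n`; SignTool accepts both prefixes, but one style would read better. As with the sibling topic, confirm a blank line between this note and step 9.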

View File

@ -18,7 +18,7 @@ Although [AppLocker](applocker/applocker-overview.md) is not considered a new Wi
There are many scenarios in which WDAC would be used alongside AppLocker rules. There are many scenarios in which WDAC would be used alongside AppLocker rules.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
> [!NOTE] > [!NOTE]
> One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule. > One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule.
AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible.
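Review bot: the `> [!NOTE]` line reads identically on both sides of this hunk, so the change is whitespace only (trailing space or line ending); fine for markdig conformance, but a reader of the rendered diff cannot see it, so the commit message is the only record of why this file was touched. Unrelated but in the same lines: the note and the closing sentence say "Windows Defender Device Guard" while the surrounding text and the topic title say "WDAC"; since the note is about WDAC plus AppLocker per-user rules, use one name. "fine-tune the restrictions to an even lower level" is also ambiguous (lower than what?); "apply additional, more granular restrictions" says what is meant.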

View File

@ -181,7 +181,7 @@ This rule blocks the following file types from launching unless they either meet
>[!NOTE] >[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
>[!IMPORTANT] >[!IMPORTANT]
>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. >The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
> >
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
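Review bot: the last line of this IMPORTANT block is missing its object: "but you can't specify which rules or exclusions apply to." Suggest "but you can't specify which rules the exclusions apply to." The sentence "is owned by Microsoft and is not specified by admins" is also unclear; "its trusted list is maintained by Microsoft and can't be edited by admins" matches the next sentence about cloud-delivered updates. Separately, this file uses `>[!NOTE]` and `>[!IMPORTANT]` with no space after `>`, while other files in this same commit use `> [!NOTE]`; since the commit is about markdig conformance, pick one spelling across the set.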

View File

@ -101,7 +101,7 @@ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] |
Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
>[!NOTE] >[!NOTE]
>The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. >The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.
> >
>See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. >See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
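Review bot: the note text has a wording error that this casing-only change leaves in place: "superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default" should read "while other EMET advanced settings are enabled by default". The link text "Mitigation threats by using Windows 10 security features" should be "Mitigate threats by using Windows 10 security features" to match the target topic. Both are one-word fixes and this block is already being edited.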

View File

@ -143,7 +143,7 @@ Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [
Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
>[!NOTE] >[!NOTE]
>The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. >The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.
> >
>See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. >See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
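Review bot: this is the same note text as in the previous file, with the same "which other EMET advanced settings" (should be "while") and "Mitigation threats" (should be "Mitigate threats") issues, so the fix needs to land in both places. Since the table above already uses `[!include[...]]` fragments, consider moving this shared note into an include so the two copies cannot drift apart again.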

View File

@ -108,7 +108,7 @@ It acts as a collector or single place to see the status and perform some config
Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features.
> [!IMPORTANT] > [!IMPORTANT]
> Individually disabling any of the services will not disable the other services or the Windows Security app. > Individually disabling any of the services will not disable the other services or the Windows Security app.
For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
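Review bot: confirm a blank line separates the `> [!IMPORTANT]` block from "For example, [using a third-party antivirus..."; without it markdig renders the example paragraph inside the callout. The paragraph above this alert talks about disabling "features" and the alert talks about disabling "services"; use one term, or the reader may think these are two different actions.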

View File

@ -71,5 +71,5 @@ SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Even
- [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) - [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
>[!NOTE] >[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
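Review bot: this hunk changes only whitespace on the `>[!NOTE]` line, and the no-space form differs from the `> [!NOTE]` spelling used in the other files of this commit; standardise on one so a later conformance sweep does not touch these files again. The note itself is a contribution call-to-action rather than a caution about the content; if markdig renders alerts as callouts, this reads better as a plain closing paragraph than as a NOTE.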