Merge branch 'main' into main

This commit is contained in:
Meghan Stewart 2025-01-22 13:43:43 -08:00 committed by GitHub
commit dbf0f8b83b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
394 changed files with 13141 additions and 2415 deletions

View File

@ -9982,7 +9982,47 @@
}, },
{ {
"source_path": "windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md", "source_path": "windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md",
"redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md", "redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol",
"redirect_document_id": false
},
{
"source_path": "windows/security/application-security/index.md",
"redirect_url": "/windows/security/book/application-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/hardware-security/index.md",
"redirect_url": "/windows/security/book/hardware-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/cloud-services/index.md",
"redirect_url": "/windows/security/book/cloud-services",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/index.md",
"redirect_url": "/windows/security/book/identity-protection",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/index.md",
"redirect_url": "/windows/security/book/operating-system-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/security-foundations/index.md",
"redirect_url": "/windows/security/book/security-foundation",
"redirect_document_id": false
},
{
"source_path": "windows/security/introduction.md",
"redirect_url": "/windows/security/book",
"redirect_document_id": false
},
{
"source_path": "windows/security/security-foundations/zero-trust-windows-device-health.md",
"redirect_url": "/windows/security/book/security-foundation",
"redirect_document_id": false "redirect_document_id": false
} }
] ]
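Review bot: The new entries for `windows/security/security-foundations/index.md` and `windows/security/security-foundations/zero-trust-windows-device-health.md` both redirect to `/windows/security/book/security-foundation`, a singular slug where the source folder is `security-foundations`. Confirm that the target resolves before merging, since a typo here breaks both redirects. The zero-trust device health article also now lands on a chapter page rather than on equivalent content, so point it at the specific section if one exists.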

View File

@ -6,7 +6,7 @@ Anyone who is interested can contribute to the topics. When you contribute, your
### Quickly update an article using GitHub.com ### Quickly update an article using GitHub.com
Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://www.microsoft.com/videoplayer/embed/RE1XQTG) also covers how to contribute. Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://learn-video.azurefd.net/vod/player?id=b5167c5a-9c69-499b-99ac-e5467882bc92) also covers how to contribute.
1. Make sure you're signed in to GitHub.com with your GitHub account. 1. Make sure you're signed in to GitHub.com with your GitHub account.
2. Browse to the page you want to edit on Microsoft Learn. 2. Browse to the page you want to edit on Microsoft Learn.

View File

@ -8,7 +8,7 @@ metadata:
title: Microsoft 365 Education Documentation title: Microsoft 365 Education Documentation
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
ms.topic: hub-page ms.topic: hub-page
ms.date: 07/22/2024 ms.date: 12/05/2024
productDirectory: productDirectory:
title: For IT admins title: For IT admins

View File

@ -1,7 +1,7 @@
--- ---
title: Configure federation between Google Workspace and Microsoft Entra ID title: Configure Federation Between Google Workspace And Microsoft Entra Id
description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID. description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: how-to ms.topic: how-to
appliesto: appliesto:
--- ---
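Review bot: The new `title` value ends in "Microsoft Entra Id", which miscapitalizes the product name. The `description` on the next line and the steps further down all write "Microsoft Entra ID". Keep `ID` in upper case when converting the title to title case.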
@ -43,10 +43,10 @@ To test federation, the following prerequisites must be met:
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select** 1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app."::: :::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later 1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later
1. On the **Service provider detail's** page 1. On the **Service provider detail's** page:
- Select the option **Signed response** - Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT** - Verify that the Name ID format is set to **PERSISTENT**
- Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\ - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping\
If using Google autoprovisioning, select **Basic Information > Primary email** If using Google autoprovisioning, select **Basic Information > Primary email**
- Select **Continue** - Select **Continue**
1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes 1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
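Review bot: The edited step still reads **Service provider detail's**, with a possessive apostrophe, while the step before it names the **Google Identity Provider details** page. Since this line is already being touched to add the colon, check the label against the Google admin console and correct it to "details" if that is what the UI shows. In the same hunk, the **Name ID** mapping bullet loses its period before the `\` line break, so the continuation line "If using Google autoprovisioning, ..." now follows an unterminated sentence.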
@ -139,4 +139,4 @@ From a private browser session, navigate to https://portal.azure.com and sign in
1. The user is redirected to Google Workspace to sign in 1. The user is redirected to Google Workspace to sign in
1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in 1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in
:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity."::: :::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::

View File

@ -1,7 +1,7 @@
--- ---
title: Configure Stickers for Windows 11 SE title: Configure Stickers For Windows 11 SE
description: Learn about the Stickers feature and how to configure it via Intune and provisioning package. description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: how-to ms.topic: how-to
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>

View File

@ -1,7 +1,7 @@
--- ---
title: Configure education themes for Windows 11 title: Configure Education Themes For Windows 11
description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package. description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: how-to ms.topic: how-to
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

View File

@ -1,8 +1,8 @@
--- ---
title: Get and deploy Minecraft Education title: Deploy Minecraft Education To Windows Devices
description: Learn how to obtain and distribute Minecraft Education to Windows devices. description: Learn how to obtain and distribute Minecraft Education to Windows devices.
ms.topic: how-to ms.topic: how-to
ms.date: 04/10/2024 ms.date: 12/5/2024
ms.collection: ms.collection:
- education - education
- tier2 - tier2
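Review bot: `ms.date: 12/5/2024` in the front matter drops the zero padding used by the other dates changed in this commit (`12/05/2024`, `12/02/2024`). Write it as `12/05/2024` so the field stays in a single MM/DD/YYYY form across files.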
@ -48,7 +48,7 @@ To purchase direct licenses:
1. Select the quantity of licenses you'd like to purchase and select **Place Order** 1. Select the quantity of licenses you'd like to purchase and select **Place Order**
1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses) 1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses). If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses)
### Volume licensing ### Volume licensing
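Review bot: The sentence "If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses]" is a standalone paragraph, not a list item, and this change removes its terminal period. Restore the period. Other paragraph-level sentences in this file, such as "For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].", keep theirs.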
@ -88,14 +88,14 @@ You must be a *Global*, *License*, or *User admin* to assign licenses. For more
1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization 1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization
1. From the left-hand menu in Microsoft Admin Center, select *Users* 1. From the left-hand menu in Microsoft Admin Center, select *Users*
1. From the Users list, select the users you want to add or remove for Minecraft Education access 1. From the Users list, select the users you want to add or remove for Minecraft Education access
1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already 1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it is not assigned already
> [!Note] > [!Note]
> If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions. > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions
1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on 1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on
> [!Note] > [!Note]
> If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access > If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access
:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png"::: :::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5]. For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].
@ -118,31 +118,31 @@ If you're using Microsoft Intune to manage your devices, follow these steps to d
1. Select **Next** 1. Select **Next**
1. On the *Review + Create* screen, select **Create** 1. On the *Review + Create* screen, select **Create**
Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs. Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device."::: :::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
For more information how to deploy Minecraft Education, see: For more information how to deploy Minecraft Education, see:
- [Windows installation guide][EDU-6] - [Windows installation guide][EDU-6]
- [Chromebook installation guide][EDU-7] - [Chromebook installation guide][EDU-7]
- [iOS installation guide][EDU-8] - [iOS installation guide][EDU-8]
- [macOS installation guide][EDU-9] - [macOS installation guide][EDU-9]
If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1]. If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
<!--links--> <!--links-->
[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432 [EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532 [EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
[EDU-3]: https://www.microsoft.com/education/products/office [EDU-3]: https://www.microsoft.com/education/products/office
[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812 [EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956 [EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672 [EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516 [EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351 [EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792 [EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription [M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
[M365-2]: /microsoft-365/admin/add-users/about-admin-roles [M365-2]: /microsoft-365/admin/add-users/about-admin-roles
[AKA-1]: https://aka.ms/minecraftedusupport [AKA-1]: https://aka.ms/minecraftedusupport

View File

@ -1,7 +1,7 @@
--- ---
title: What's in Set up School PCs provisioning package title: What's In Set up School PCs Provisioning Package
description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app. description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: reference ms.topic: reference
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

View File

@ -1,7 +1,7 @@
--- ---
title: Take tests and assessments in Windows title: Take tests and assessments in Windows
description: Learn about the built-in Take a Test app for Windows and how to use it. description: Learn about the built-in Take a Test app for Windows and how to use it.
ms.date: 02/29/2024 ms.date: 11/11/2024
ms.topic: how-to ms.topic: how-to
--- ---
@ -9,11 +9,11 @@ ms.topic: how-to
Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't: Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator) - Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
- access other applications - Access other applications
- change system settings, such as display extension, notifications, updates - Change system settings, such as display extension, notifications, updates
- access Cortana - Access Cortana
- access content copied to the clipboard - Access content copied to the clipboard
## How to use Take a Test ## How to use Take a Test
@ -22,7 +22,7 @@ There are different ways to use Take a Test, depending on the use case:
- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link) - For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md) - For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false"::: :::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
## Create a secure assessment link ## Create a secure assessment link
@ -37,9 +37,9 @@ To create a secure assessment link to the test, there are two options:
For this option, copy the assessment URL and open the web application <a href="https://aka.ms/create-a-take-a-test-link" target="_blank"><u>Customize your assessment URL</u></a>, where you can: For this option, copy the assessment URL and open the web application <a href="https://aka.ms/create-a-take-a-test-link" target="_blank"><u>Customize your assessment URL</u></a>, where you can:
- Paste the link to the assessment URL - Paste the link to the assessment URL.
- Select the options you want to allow during the test - Select the options you want to allow during the test.
- Generate the link by selecting the button Create link - Generate the link by selecting the button Create link.
This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example. This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
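Review bot: The three bullets under "where you can:" gain terminal periods, but the bullets capitalized in the earlier hunk of this same file ("Print, use screen capture, ...", "Access other applications") are left without them, and other files in this commit remove periods from list items. Pick one list punctuation convention and apply it to both lists in this file.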
@ -67,7 +67,7 @@ To enable permissive mode, don't include `enforceLockdown` in the schema paramet
## Distribute the secure assessment link ## Distribute the secure assessment link
Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing. Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choice.
For example, you can create and copy the shortcut to the assessment URL to the students' desktop. For example, you can create and copy the shortcut to the assessment URL to the students' desktop.
@ -85,4 +85,4 @@ To take the test, have the students open the link.
Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d). Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d).
To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md). To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).

View File

@ -1,7 +1,7 @@
--- ---
title: Important considerations before deploying apps with managed installer title: Important Considerations Before Deploying Apps With Managed Installer For Windows 11 SE
description: Learn about important aspects to consider before deploying apps with managed installer. description: Learn about important aspects to consider before deploying apps with managed installer.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

View File

@ -1,7 +1,7 @@
--- ---
title: Create policies to enable applications title: Create Policies To Enable Applications In Windows 11 SE
description: Learn how to create policies to enable the installation and execution of apps on Windows SE. description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@ -54,7 +54,7 @@ To create supplemental policies, download and install the [WDAC Policy Wizard][E
The following video provides an overview and explains how to create supplemental policies for apps blocked by the Windows 11 SE base policy. The following video provides an overview and explains how to create supplemental policies for apps blocked by the Windows 11 SE base policy.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO] > [!VIDEO https://learn-video.azurefd.net/vod/player?id=1eedb284-5592-43e7-9446-ce178953502d]
### Create a supplemental policy for Win32 apps ### Create a supplemental policy for Win32 apps

View File

@ -1,7 +1,7 @@
--- ---
title: Applications deployment considerations title: Applications Deployment Considerations In Windows 11 SE
description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them. description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

View File

@ -1,7 +1,7 @@
--- ---
title: Deploy policies to enable applications title: Deploy Policies To Enable Applications In Windows 11 SE
description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices. description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

View File

@ -1,7 +1,7 @@
--- ---
title: Deploy applications to Windows 11 SE with Intune title: Deploy Applications To Windows 11 SE With Intune
description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps. description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>

View File

@ -1,7 +1,7 @@
--- ---
title: Troubleshoot app deployment issues in Windows SE title: Troubleshoot App Deployment Issues In Windows Se
description: Troubleshoot common issues when deploying apps to Windows SE devices. description: Troubleshoot common issues when deploying apps to Windows SE devices.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
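Review bot: The new `title` ends in "Windows Se", which lowercases the edition name. The `description` on the next line and the `appliesto` entry both write "Windows SE" and "Windows 11 SE". Keep `SE` in upper case when applying title case.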

View File

@ -1,7 +1,7 @@
--- ---
title: Validate the applications deployed to Windows SE devices title: Validate The Applications Deployed To Windows Se Devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune. description: Learn how to validate the applications deployed to Windows SE devices via Intune.
ms.date: 04/10/2024 ms.date: 12/02/2024
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
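Review bot: The new `title` reads "Windows Se Devices", with the edition name lowercased by the title-case conversion. The `description` line below uses "Windows SE devices". Write `SE` in upper case here as well.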

View File

@ -0,0 +1,8 @@
---
author: TerryWarwick
ms.author: twarwick
ms-topic: include
ms.date: 09/30/2024
---
**Supported Editions** </br> ✅ IoT Enterprise LTSC</br>✅ IoT Enterprise</br>✅ Enterprise LTSC</br>✅ Enterprise</br>✅ Education
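Review bot: The front matter of this new include spells the key `ms-topic: include` with a hyphen, while the other include file in this commit uses `ms.topic: include`. As written it will not be read as `ms.topic`, so change the hyphen to a dot. The body also separates editions with `</br>`, a stray end tag that browsers render only through error recovery. Use `<br>` instead.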

View File

@ -1,11 +1,11 @@
--- ---
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
ms.date: 09/18/2023 ms.date: 11/06/2024
ms.topic: include ms.topic: include
--- ---
| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education | | Feature name | Windows Pro | Windows Enterprise/IoT Enterprise | Windows Pro Education | Windows Education |
|:---|:---:|:---:|:---:|:---:| |:---|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes| |**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes| |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
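Review bot: The header row renames the second column to "Windows Enterprise/IoT Enterprise" and drops "/SE" from the third, but no cell values change in the rows shown. Every existing "Yes" and "❌" in column two therefore becomes a statement about IoT Enterprise as well. Confirm each row holds for that edition or give IoT Enterprise its own column, and confirm that removing SE from the header is intended rather than a side effect of the rename.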
@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes| |**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes| |**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes| |**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes| |**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes| |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes| |**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes| |**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|
@ -32,7 +32,7 @@ ms.topic: include
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes| |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes| |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes| |**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes| |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes| |**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes| |**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes| |**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes| |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes| |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes| |**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes| |**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes| |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes| |**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes| |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**Windows Hotpatch**|❌|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes| |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes| |**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes| |**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
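Review bot: the added **Windows Hotpatch** row has no link target, while nearly every neighbouring row in this table links to its documentation. If a Hotpatch article exists, link it here so readers can check the prerequisites behind the single "Yes" column. Otherwise the row gives an entitlement with nothing to verify it against.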

View File

@ -5,7 +5,7 @@ ms.date: 11/02/2023
ms.topic: include ms.topic: include
--- ---
|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |Feature name|Windows Pro/Pro Education|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---|:---:|:---:|:---:|:---:|:---:| |:---|:---:|:---:|:---:|:---:|:---:|
|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes| |**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes| |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
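Review bot: the header cell changes from "Windows Pro/Pro Education/SE" to "Windows Pro/Pro Education", but the front matter shown in the hunk header still reads `ms.date: 11/02/2023`. Dropping SE changes what the first column claims for every row in the table, so the date should be bumped. It is also worth confirming that none of the "Yes" values in that column applied only because of SE.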
@ -13,7 +13,7 @@ ms.topic: include
|**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes| |**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes|
|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes| |**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
|**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes| |**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes| |**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes| |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes| |**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes| |**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes|
@ -53,7 +53,7 @@ ms.topic: include
|**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes| |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes| |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
|**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes| |**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes| |**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes| |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes| |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
|**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes| |**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
@ -84,6 +84,7 @@ ms.topic: include
|**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes| |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**Windows Hotpatch**|❌|Yes|Yes|❌|❌|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes| |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes| |**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes| |**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
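Review bot: in the new **Windows Hotpatch** row, Education A3 and A5 are marked ❌ while Enterprise E3 and E5 are "Yes". In every other row visible in this file the A3/A5 columns match E3/E5. Please confirm the Education exclusion is intended and not a column slip introduced when the row was typed. As in the edition table, the row also has no link.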

View File

@ -121,7 +121,7 @@ If the processing of declared configuration document fails, the errors are logge
- If the Document ID doesn't match between the `<LocURI>` and inside DeclaredConfiguration document, Admin event log shows an error message similar to: - If the Document ID doesn't match between the `<LocURI>` and inside DeclaredConfiguration document, Admin event log shows an error message similar to:
`MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-3436249567-4017981746-3373817415-1001), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.` `MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-1004336348-1177238915-682003330-1234), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
- Any typo in the OMA-URI results in a failure. In this example, `TrafficFilterList` is specified instead of `TrafficFilterLists`, and Admin event log shows an error message similar to: - Any typo in the OMA-URI results in a failure. In this example, `TrafficFilterList` is specified instead of `TrafficFilterLists`, and Admin event log shows an error message similar to:
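Review bot: the sample event on the changed line swaps the `Current User` SID for a different value, but the `Enrollment Id` GUID in the same line is left as it was. If the SID was replaced because it came from a real device, the enrollment ID should get the same treatment. Separately, the `Document Id` ends in a 13-character group (`40B25078A7F91`). If that extra digit is the deliberate mismatch the bullet describes, say so in the text. If not, it is a typo in the sample.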
@ -129,4 +129,4 @@ If the processing of declared configuration document fails, the errors are logge
There's also another warning message in operational channel: There's also another warning message in operational channel:
`MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007)` `MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007).`
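Review bot: the added full stop sits inside the backticks, after `0x82d00007)`, so it now reads as part of the logged message. Anyone searching the operational channel for the exact string will not match it. Put the period after the closing backtick, or leave it off as before.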

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -1,9 +1,9 @@
--- ---
title: Manage Recall for Windows clients title: Manage Recall for Windows clients
description: Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features. description: Learn how to manage Recall for commercial environments and about Recall features.
ms.topic: how-to ms.topic: how-to
ms.subservice: windows-copilot ms.subservice: windows-copilot
ms.date: 06/13/2024 ms.date: 11/22/2024
ms.author: mstewart ms.author: mstewart
author: mestew author: mestew
ms.collection: ms.collection:
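Review bot: the new `description` drops "using MDM and group policy", yet the article body still documents each setting by CSP path and Group policy path. Keeping those terms in the description helps admins who search for the management method. Something like "Learn how to manage Recall for commercial environments with MDM and group policy, and about Recall features" would cover both.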
@ -18,72 +18,161 @@ appliesto:
<!--8908044--> <!--8908044-->
>**Looking for consumer information?** See [Retrace your steps with Recall](https://support.microsoft.com/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c). >**Looking for consumer information?** See [Retrace your steps with Recall](https://support.microsoft.com/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c).
Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Recall takes snapshots of your screen and stores them in a timeline. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language. Recall (preview) allows users to search locally saved and locally analyzed snapshots of their screen using natural language. By default, Recall is disabled and removed on managed devices. IT admins can choose if they want to allow Recall to be used in their organizations and users, on their own, won't be able to enable it on their managed device if the Allow Recall policy is disabled. IT admins, on their own, can't start saving snapshots for end users. Recall is an opt-in experience that requires end user consent to save snapshots. Users can choose to enable or disable saving snapshots for themselves anytime. IT admins can only set policies that give users the option to enable saving snapshots and configure certain policies for Recall.
This article provides information about Recall and how to manage it in a commercial environment.
> [!NOTE] > [!NOTE]
> Recall is coming soon through a post-launch Windows update. See [aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs). > - Recall is now available in preview to Copilot+ PCs through the Windows Insider Program. For more information, see [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/).
> - In-market commercial devices are defined as devices with an Enterprise (ENT) or Education (EDU) SKU or any premium SKU device that is managed by an IT administrator (whether via Microsoft Endpoint Manager or other endpoint management solution), has a volume license key, or is joined to a domain. Commercial devices during Out of Box Experience (OOBE) are defined as those with ENT or EDU SKU or any premium SKU device that has a volume license key or is Microsoft Entra joined.
> - Recall is optimized for select languages English, Chinese (simplified), French, German, Japanese, and Spanish. Content-based and storage limitations apply. For more information, see [https://aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
When Recall opens the snapshot a user selected, it enables screenray, which runs on top of the saved snapshot. Screenray analyzes what's in the snapshot and allows users to interact with individual elements in the snapshot. For instance, users can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files. ## What is Recall?
:::image type="content" source="images/8908044-recall.png" alt-text="Screenshot of Recall with search results displayed for a query about a restaurant that the user's friend sent them." lightbox="images/8908044-recall.png"::: Recall (preview) allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Snapshots are taken periodically while content on the screen is different from the previous snapshot. The snapshots of your screen are organized into a timeline. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
When Recall opens a snapshot you selected, it enables Click to Do, which runs on top of the saved snapshot. Click to Do analyzes what's in the snapshot and allows you to interact with individual elements in the snapshot. For instance, you can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
:::image type="content" border="true" source="images/8908044-recall-search.png" alt-text="Screenshot of Recall with search results displayed for a query for a presentation with a red barn." lightbox="images/8908044-recall-search.png":::
### Recall security and privacy architecture
Privacy and security are built into Recall's design. With Copilot+ PCs, you get powerful AI that runs locally on the device. No internet or cloud connections are required or used to save and analyze snapshots. Snapshots aren't sent to Microsoft. Recall AI processing occurs locally, and snapshots are securely stored on the local device only.
Recall doesn't share snapshots with other users that are signed into Windows on the same device and IT admins can't access or view the snapshots on end-user devices. Microsoft can't access or view the snapshots. Recall requires users to confirm their identity with [Windows Hello](https://support.microsoft.com/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0) before it launches and before accessing snapshots. At least one biometric sign-in option must be enabled for Windows Hello, either facial recognition or a fingerprint, to launch and use Recall. Before snapshots start getting saved to the device, users need to open Recall and authenticate. Recall takes advantage of just in time decryption protected by [Hello Enhanced Sign-in Security (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). Snapshots and any associated information in the vector database are always encrypted. Encryption keys are protected via Trusted Platform Module (TPM), which is tied to the user's Windows Hello ESS identity, and can be used by operations within a secure environment called a [Virtualization-based Security Enclave (VBS Enclave)](/windows/win32/trusted-execution/vbs-enclaves). This means that other users can't access these keys and thus can't decrypt this information. Device Encryption or BitLocker are enabled by default on Windows 11. For more information, see [Recall security and privacy architecture in the Windows Experience Blog](https://blogs.windows.com/windowsexperience/?p=179096).
When using Recall, the **Sensitive information filtering** setting is enabled by default to help ensure your data's confidentiality. This feature operates directly on your device, utilizing the NPU and the Microsoft Classification Engine (MCE) - the same technology leveraged by [Microsoft Purview](/purview/purview) for detecting and labeling sensitive information. When this setting is enabled, snapshots won't be saved when potentially sensitive information is detected. Most importantly, the sensitive information remains on the device at all times, regardless of whether the **Sensitive information filtering** setting is enabled or disabled. For more information about the types of potentially sensitive information, see [Reference for sensitive information filtering in Recall](recall-sensitive-information-filtering.md).
In keeping with Microsoft's commitment to data privacy and security, all saved images and processed data are kept on the device and processed locally. However, Click to Do allows users to choose if they want to perform additional actions on their content.
Click to Do allows users to choose to get more information about their selected content online. When users choose one of the following Click to Do actions, the selected content is sent to the online provider from the local device to complete the request:
- **Search the web**: Sends the selected content to the default search engine of the default browser
- **Open website**: Opens the selected website in the default browser
- **Visual search with Bing**: Sends the selected content to Bing visual search using the default browser.
When you choose to send info from Click to Do to an app, like Paint, Click to Do will temporarily save this info in order to complete the transfer. Click to Do creates a temporary file in the following location:
- `C:\Users\[username]\AppData\Local\Temp`
Temporary files may also be saved when you choose send feedback. These temporary files aren't saved long term. Click to Do doesn't keep any content from your screen after completing the requested action, but some basic telemetry is gathered to keep Click to Do secure, up to date, and working.
## System requirements ## System requirements
Recall has the following minimum system requirements:
- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs) Recall has the following minimum requirements:
- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs) that meets the [Secured-core standard](/windows-hardware/design/device-experiences/oem-highly-secure-11)
- 40 TOPs NPU ([neural processing unit](https://support.microsoft.com/windows/all-about-neural-processing-units-npus-e77a5637-7705-4915-96c8-0c6a975f9db4))
- 16 GB RAM - 16 GB RAM
- 8 logical processors - 8 logical processors
- 256 GB storage capacity - 256 GB storage capacity
- To enable Recall, you need at least 50 GB of space free - To enable Recall, you need at least 50 GB of space free
- Snapshot capture automatically pauses once the device has less than 25 GB of disk space - Saving snapshots automatically pauses once the device has less than 25 GB of storage space
- Users need to enable Device Encryption or BitLocker
- Users need to enroll into [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) with at least one biometric sign-in option enabled in order to authenticate.
## Supported browsers ## Supported browsers
Users need a supported browser for Recall to [filter websites](#user-controlled-settings-for-recall) and to automatically filter private browsing activity. Supported browsers, and their capabilities include: Users need a supported browser for Recall to [filter websites](#app-and-website-filtering-policies) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
- **Microsoft Edge**: blocks websites and filters private browsing activity - **Microsoft Edge**: filters specified websites and filters private browsing activity
- **Firefox**: blocks websites and filters private browsing activity - **Firefox**: filters specified websites and filters private browsing activity
- **Opera**: blocks websites and filters private browsing activity - **Opera**: filtered specified websites and filters private browsing activity
- **Google Chrome**: blocks websites and filters private browsing activity - **Google Chrome**: filters specified websites and filters private browsing activity
- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed above, filters private browsing activity only, doesn't block specific websites - **Chromium based browsers** (124 or later): For Chromium-based browsers not listed, filters private browsing activity only, doesn't filter specific websites
## Configure policies for Recall ## Configure policies for Recall
Organizations that aren't ready to use AI for historical analysis can disable it until they're ready with the **Turn off saving snapshots for Windows** policy. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. The following policy allows you to disable analysis of user content: By default, Recall is removed on commercially managed devices. If you want to allow Recall to be available for users in your organization and allow them to choose to save snapshots, you need to configure both the **Allow Recall to be enabled** and **Turn off saving snapshots for Windows** policies. Policies for Recall fall into the following general areas:
- [Allow Recall and snapshots policies](#allow-recall-and-snapshots-policies)
- [Storage policies](#storage-policies)
- [App and website filtering policies](#app-and-website-filtering-policies)
### Allow Recall and snapshots policies
The **Allow Recall to be enabled** policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled and removed for managed devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own. If you disable this policy, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart. If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
| &nbsp; | Setting | | &nbsp; | Setting |
|---|---| |---|---|
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) | | **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[AllowRecallEnablement](mdm/policy-csp-windowsai.md#allowrecallenablement) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** | | **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Allow Recall to be enabled** |
## Limitations
In two specific scenarios, Recall captures snapshots that include InPrivate windows, blocked apps, and blocked websites. If Recall gets launched, or the **Now** option is selected in Recall, then a snapshot is taken even when InPrivate windows, blocked apps, and blocked websites are displayed. However, Recall doesn't save these snapshots. If you choose to send the information from this snapshot to another app, a temp file is created in `C:\Users\[username]\AppData\Local\Temp` to share the content. The temporary file is deleted once the content is transferred over the app you selected to use.
## User controlled settings for Recall
The following options are user controlled in Recall from the **Settings** > **Privacy & Security** > **Recall & Snapshots** page:
- Website filtering
- App filtering
- Storage allocation
- When the storage limit is reached, the oldest snapshots are deleted first.
- Deleting snapshots
- Delete all snapshots
- Delete snapshots within a specific time frame
### Storage allocation The **Turn off saving snapshots for Windows** policy allows you to give the users the choice to save snapshots of their screen for use with Recall. Administrators can't enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent. By default, snapshots won't be saved for use with Recall. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
The amount of disk space users can allocate to Recall varies depending on how much storage the device has. The following chart shows the storage space options for Recall: | &nbsp; | Setting |
| Device storage capacity | Storage allocation options for Recall |
|---|---| |---|---|
| 256 GB | 25 GB (default), 10 GB | | **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) </br> </br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis)|
| 512 GB | 75 GB (default), 50 GB, 25 GB | | **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
| 1 TB, or more | 150 GB (default), 100 GB, 75 GB, 50 GB, 25 GB |
### Storage policies
You can define how much disk space Recall can use by using the **Set maximum storage for snapshots used by Recall** policy. You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB. When the storage limit is reached, the oldest snapshots are deleted first. When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity. 25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) </br> </br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** </br></br> User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** |
You can define how long snapshots can be retained on the device by using the **Set maximum duration for storing snapshots used by Recall** policy. You can configure the maximum storage duration to be 30, 60, 90, or 180 days. If the policy isn't configured, snapshots aren't deleted until the maximum storage allocation is reached, and then the oldest snapshots are deleted first.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum duration for storing snapshots used by Recall** |
### App and website filtering policies
You can filter both apps and websites from being saved in snapshots. Users are able to add to these filter lists from the **Recall & Snapshots** settings page. Some remote desktop connection clients are filtered by default from snapshots. For more information, see the [Remote desktop connection clients filtered from snapshots](#remote-desktop-connection-clients-filtered-from-snapshots) section.
To filter websites from being saved in snapshots, use the **Set a list of URIs to be filtered from snapshots for Recall** policy. Define the list using a semicolon to separate URIs. Make sure you include the URL scheme such as `http://`, `file://`, `https://www.`. Sites local to a supported browser like `edge://`, or `chrome://`, are filtered by default. For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
> [!NOTE]
> - Private browsing activity is filtered by default when using [supported web browsers](#supported-browsers).
> - Be aware that websites are filtered when they are in the foreground or are in the currently opened tab of a supported browser. Parts of filtered websites can still appear in snapshots such as embedded content, the browser's history, or an opened tab that isn't in the foreground.
> - Filtering doesn't prevent browsers, internet service providers (ISPs), websites, organizations, or others from knowing that the website was accessed and building a history.
> - Changes to this policy take effect after device restart.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** |
**Set a list of apps to be filtered from snapshots for Recall** policy allows you to filter apps from being saved in snapshots. Define the list using a semicolon to separate apps. The list can include Application User Model IDs (AUMID) or the name of the executable file. For example: `code.exe;Microsoft. WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
> [!Note]
> - Like other Windows apps, such as the Snipping Tool, Recall won't store digital rights management (DRM) content.
> - Changes to this policy take effect after device restart.
| &nbsp; | Setting |
|---|---|
| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall) </br></br> ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall)|
| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall** </br></br>User Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall**|
#### Remote desktop connection clients filtered from snapshots
Snapshots won't be saved when remote desktop connection clients are used. The following remote desktop connection clients are filtered from snapshots:<!--9119193-->
- [Remote Desktop Connection (mstsc.exe)](/windows-server/administration/windows-commands/mstsc)
- [VMConnect.exe](/windows-server/virtualization/hyper-v/learn-more/hyper-v-virtual-machine-connect)
- [Microsoft Remote Desktop from the Microsoft Store](/windows-server/remote/remote-desktop-services/clients/windows) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
- [Azure Virtual Desktop (MSI)](/azure/virtual-desktop/users/connect-windows)
- [Azure Virtual Desktop apps from the Microsoft Store](/azure/virtual-desktop/users/connect-remote-desktop-client) are saved in snapshots. To prevent these apps from being saved in snapshots, add them to the app filtering list.
- [Remote applications integrated locally (RAIL)](/openspecs/windows_protocols/ms-rdperp/485e6f6d-2401-4a9c-9330-46454f0c5aba) windows
- [Windows App from the Microsoft Store](/windows-app/get-started-connect-devices-desktops-apps) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
## Information for developers
If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this URI, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
## Microsoft's commitment to responsible AI ## Microsoft's commitment to responsible AI
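Review bot: In the Group policy row for the retention-duration setting, the Computer Configuration path names **Set maximum storage for snapshots used by Recall**, while the User Configuration path in the same row names **Set maximum duration for storing snapshots used by Recall**. The first looks copied from the storage table above and should name the duration policy too, otherwise an admin following the computer-scope path configures a size cap where a retention limit was intended. Two smaller points in the same hunk: both Group policy paths for the URI filter carry a stray `>` inside the bold (`**>Set a list of URIs ...`), and the remote desktop list is introduced as clients that are filtered from snapshots, yet three of its items (Microsoft Remote Desktop from the Microsoft Store, Azure Virtual Desktop apps from the Microsoft Store, Windows App from the Microsoft Store) say they are saved in snapshots. Set those three apart from the filtered clients, for example as nested exceptions, so a reader doesn't assume they are excluded and skip adding them to the app filtering list.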
@ -91,6 +180,10 @@ Microsoft has been on a responsible AI journey since 2017, when we defined our p
Recall uses optical character recognition (OCR), local to the PC, to analyze snapshots and facilitate search. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note). For more information about privacy and security, see [Privacy and control over your Recall experience](https://support.microsoft.com/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15). Recall uses optical character recognition (OCR), local to the PC, to analyze snapshots and facilitate search. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note). For more information about privacy and security, see [Privacy and control over your Recall experience](https://support.microsoft.com/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15).
## Information for developers ## Related links
- [Policy CSP - WindowsAI](/windows/client-management/mdm/policy-csp-windowsai)
If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation. - [Update on Recall security and privacy architecture](https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/)
- [Retrace your steps with Recall](https://support.microsoft.com/windows/aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c)
- [Privacy and control over your Recall experience](https://support.microsoft.com/windows/d404f672-7647-41e5-886c-a3c59680af15)
- [Click to Do in Recall](https://support.microsoft.com/topic/967304a8-32d1-4812-a904-fad59b5e6abf)
- [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/)
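Review bot: The new Related links list repeats "Privacy and control over your Recall experience", which the OCR paragraph directly above already links, and the two links use different URL forms: the paragraph keeps the full slug ending in `d404f672-7647-41e5-886c-a3c59680af15`, the list uses the ID-only path `/windows/d404f672-7647-41e5-886c-a3c59680af15`. Use one form for both. The same applies to the WindowsAI CSP link, which is site-absolute here (`/windows/client-management/mdm/policy-csp-windowsai`) but file-relative (`mdm/policy-csp-windowsai.md#...`) in the policy tables earlier in the file.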

View File

@ -1,9 +1,9 @@
--- ---
title: Updated Windows and Microsoft Copilot experience title: Updated Windows and Microsoft 365 Copilot Chat experience
description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization. description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
ms.topic: overview ms.topic: overview
ms.subservice: windows-copilot ms.subservice: windows-copilot
ms.date: 09/18/2024 ms.date: 01/22/2025
ms.author: mstewart ms.author: mstewart
author: mestew author: mestew
ms.collection: ms.collection:
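Review bot: The `title` is renamed to "Microsoft 365 Copilot Chat", but the `description` on the next line is left unchanged and still reads "changes to the Copilot in Windows experience". Update the description in the same change so the page metadata matches the renamed heading.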
@ -13,62 +13,62 @@ appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a>
--- ---
# Updated Windows and Microsoft Copilot experience # Updated Windows and Microsoft 365 Copilot Chat experience
<!--8445848, 9294806--> <!--8445848, 9294806-->
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft Copilot experiences?** See [Understanding the different Microsoft Copilot experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842). >**Looking for consumer information?** See [Welcome to Copilot on Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft 365 Copilot Chat experiences?** See [Understanding the different Microsoft 365 Copilot Chat experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842).
## Enhanced data protection with enterprise data protection ## Enhanced data protection with enterprise data protection
The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft Copilot will offer enterprise data protection](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) at no additional cost and redirect users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Copilot for Microsoft 365 and Microsoft Copilot. This means that security, privacy, compliance controls and commitments available for Copilot for Microsoft 365 will extend to Microsoft Copilot prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers - not only for Copilot for Microsoft 365, but also for emails in Exchange and files in SharePoint. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft Copilot updates and enterprise data protection FAQ](/copilot/edpfaq). The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft 365 Copilot Chat](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) is available at no additional cost and it redirects users to a new simplified interface designed for work and education. 
[Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft 365 Copilot Chat. This means that security, privacy, compliance controls and commitments available for Microsoft 365 Copilot will extend to Microsoft 365 Copilot Chat prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft 365 Copilot Chat updates and enterprise data protection FAQ](/copilot/edpfaq).
> [!IMPORTANT] > [!IMPORTANT]
> To streamline the user experience, updates to the Copilot entry points in Windows are being made for users. **Copilot in Windows (preview) will be removed from Windows**. The experience will slightly vary depending on whether your organization has already opted into using Copilot in Windows (preview) or not. > To streamline the user experience, updates to the Copilot entry points in Windows are being made for users. **Copilot in Windows (preview) will be removed from Windows**. The experience will slightly vary depending on whether your organization has already opted into using Copilot in Windows (preview) or not.
## Copilot in Windows (preview) isn't enabled ## Copilot in Windows (preview) isn't enabled
If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither the Microsoft Copilot app nor the Microsoft 365 app are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center. If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither Microsoft 365 Copilot Chat or the Microsoft 365 Copilot app (formerly the Microsoft 365 app) are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
> [!NOTE] > [!NOTE]
> Although we won't be pinning any app to the taskbar by default, IT has the capability to use policies to enforce their preferred app pinning. > Although we won't be pinning any app to the taskbar by default, IT has the capability to use policies to enforce their preferred app pinning.
## Copilot in Windows (preview) is enabled ## Copilot in Windows (preview) is enabled
If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your employees moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 app to the taskbar in Windows. Rather, we'll ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs. If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your users moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 Copilot app to the taskbar in Windows. Rather, we ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar. If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 Copilot app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar.
## Users signing in to new PCs with Microsoft Entra accounts ## Users signing in to new PCs with Microsoft Entra accounts
For users signing in to new PCs with work or school accounts, the following experience occurs: For users signing in to new PCs with work or school accounts, the following experience occurs:
- The Microsoft 365 app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc. - The Microsoft 365 Copilot app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc.
- Users that have the Microsoft 365 Copilot license will have Microsoft Copilot pinned by default inside the Microsoft 365 app. - Users that have the Microsoft 365 Copilot license have Microsoft 365 Copilot Chat pinned by default inside the Microsoft 365 Copilot app.
- Within the Microsoft 365 app, the Microsoft Copilot icon is situated next to the home button. - Within the Microsoft 365 Copilot app, the Microsoft 365 Copilot Chat icon is situated next to the home button.
- Microsoft Copilot (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license. - Microsoft 365 Copilot Chat (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license.
- Microsoft Copilot is available at no additional cost to customers with a Microsoft Entra account. Microsoft Copilot is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat. - Microsoft 365 Copilot Chat is available at no additional cost to customers with a Microsoft Entra account. Microsoft 365 Copilot Chat is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat.
- For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft Copilot and the work scoped chat capabilities of Microsoft 365 Copilot. - For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft 365 Copilot Chat and the work scoped chat capabilities of Microsoft 365 Copilot.
- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft Copilot to ensure they have easy access to Copilot. To set the default behavior, admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center. - Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft 365 Copilot Chat to ensure they have easy access to Copilot. To set the default behavior, admins should [set taskbar pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
- If admins elect not to pin Copilot and indicate that users may be asked, users will be asked to pin it themselves in the Microsoft 365 app, Outlook, and Teams. - If admins elect not to pin Copilot and indicate that users can be asked, users will be asked to pin it themselves in the Microsoft 365 Copilot app, Outlook, and Teams.
- If admins elect not to pin Microsoft Copilot and indicate that users may not be asked, Microsoft Copilot won't be available via the Microsoft 365 app, Outlook, or Teams. Users will have access to Microsoft Copilot from <www.microsoft.com/copilot> unless that URL is blocked by the IT admin. - If admins elect not to pin Microsoft 365 Copilot Chat and indicate that users can't be asked, Microsoft 365 Copilot Chat won't be available via the Microsoft 365 Copilot app, Outlook, or Teams. Users have access to Microsoft 365 Copilot Chat from <www.microsoft.com/copilot> unless that URL is blocked by the IT admin.
- If the admins make no selection, users will be asked to pin Microsoft Copilot by themselves for easy access. - If the admins make no selection, users will be asked to pin Microsoft 365 Copilot Chat by themselves for easy access.
## When will this happen? ## When will this happen?
The update to Microsoft Copilot to offer enterprise data protection is rolling out now. The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now.
The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
The shift to the Microsoft 365 app as the entry point for Microsoft Copilot is coming soon. Changes will be rolled out to managed PCs starting with the optional nonsecurity preview release on September 24, 2024, and following with the monthly security update release on October 8 for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
The Microsoft 365 Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
> [!IMPORTANT]
> Want to get started? You can enable the Microsoft Copilot experience for your users now by using the [TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) policy and pin the Microsoft 365 app using the existing policies for taskbar pinning. Note that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
## Policy information ## Policy information for previous Copilot in Windows (preview) experience
Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft Copilot within the Microsoft 365 app in the Microsoft 365 admin center. Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app in the Microsoft 365 admin center.
The following policy to manage Copilot in Windows (preview) will be removed in the future: The following policy to manage Copilot in Windows (preview) will be removed in the future and is considered a legacy policy:
| &nbsp; | Setting | | &nbsp; | Setting |
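Review bot: The paragraph that replaces the "Want to get started?" callout contradicts itself. It states that the Microsoft 365 Copilot app doesn't support Microsoft Entra authentication and redirects those users to https://copilot.cloud.microsoft/, then says users authenticating with a Microsoft Entra account should access Copilot through the Microsoft 365 Copilot app as the entry point. If the first sentence is meant to describe a different app than the second, name the two apps distinctly so admins know which one to pin and which one redirects to the browser. Also in this hunk, "Neither Microsoft 365 Copilot Chat or the Microsoft 365 Copilot app ... are pinned" should use "nor".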
@ -76,3 +76,83 @@ The following policy to manage Copilot in Windows (preview) will be removed in t
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) | | **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** | | **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
## Remove or prevent installation of the Copilot app
You can remove or uninstall the Copilot app from your device by using one of the following methods:
1. Enterprise users can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods:
1. Prevent installation of the Copilot app:
- Configure [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows update. AppLocker helps you control which apps and files users can run. Note: AppLocker policy should be used instead of the [Turn Off Windows Copilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) legacy policy setting and its MDM equivalent, [TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot). The policy is subject to near-term deprecation.
- The Applocker policy can be configured by following one of the methods listed in [Edit an AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/edit-an-applocker-policy) and adding the below text to the policy:
</br>**Publisher**: CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
</br> **Package name**: MICROSOFT.COPILOT
</br> **Package version**: * (and above)
1. Remove the Copilot app using PowerShell script:
1. Open a Windows PowerShell window. You can do this by opening the Start menu, typing `PowerShell`, and selecting **Windows PowerShell** from the results.
1. Once the PowerShell window is open, enter the following commands:
```powershell
# Get the package full name of the Copilot app
$packageFullName = Get-AppxPackage -Name "Microsoft.Copilot" | Select-Object -ExpandProperty PackageFullName
# Remove the Copilot app
Remove-AppxPackage -Package $packageFullName
```
## Implications for the Copilot hardware key
<!--9598546-->
The Microsoft 365 Copilot app is now available only to consumer users authenticating with a Microsoft account and won't work for commercial users authenticating with a Microsoft Entra account. With this change, IT admins need to take steps to ensure users authenticating with a Microsoft Entra account can still access Copilot with the Copilot key. Users attempting to sign in to the Copilot app with their Microsoft Entra account will be redirected to the browser version of Microsoft 365 Copilot Chat for work (https://copilot.cloud.microsoft).
For the optimal experience, enterprise customers should go to Windows client policies, such as Group Policy or Configuration Service Provider (CSP) policies to update the target of the key to the Microsoft 365 Copilot app so that users can access Copilot within the Microsoft 365 Copilot app. End users can also configure this from the **Settings** page.
The Microsoft 365 Copilot app comes preinstalled on all Windows 11 PCs. If your organization uninstalled the Microsoft 365 Copilot app, we suggest you reinstall it from the Microsoft Store or your preferred application management solution so that the Copilot key can be remapped to the Microsoft 365 Copilot app. We also suggest you [Pin Microsoft 365 Copilot Chat](/copilot/microsoft-365/pin-copilot) to the navigation bar of the Microsoft 365 Copilot app.
To avoid confusion for users as to which entry point for Microsoft 365 Copilot Chat to use, we recommend you uninstall the Copilot app.
Use the table below to help determine the experience for your managed organization:
| Configuration | Copilot experience | Copilot key invokes |
| ---| --- | --- |
| Copilot **not enabled** in environment | Neither Copilot in Windows (preview) nor the Microsoft 365 Copilot app are present. | Windows Search |
| Copilot **enabled** + **do not authenticate** with Microsoft Entra | Copilot in Windows (preview) is removed and replaced by the Microsoft 365 Copilot app, which is not pinned to the taskbar unless you elect to do so. | Microsoft 365 Copilot app |
| Copilot **enabled** + **authenticate** with Microsoft Entra + **new device** | Copilot in Windows (preview) is not present. Microsoft 365 Copilot Chat is accessed through the Microsoft 365 Copilot app (after post-setup update). | Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app (after post-setup update). |
| Copilot **enabled** + **authenticate** with Microsoft Entra + **existing device** | Copilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft 365 Copilot app. | IT admins should use policy to remap the Copilot key to the Microsoft 365 Copilot app, or prompt users to choose. |
## Policies to manage the Copilot key
Policies are available to configure the target app of the Copilot hardware key. For more information, see [WindowsAI Policy CSP](mdm/policy-csp-windowsai.md).
To configure the Copilot key, use the following policy:
| &nbsp; | Setting |
|---|---|
| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetCopilotHardwareKey](mdm/policy-csp-windowsai.md#setcopilothardwarekey) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Set Copilot Hardware Key** |
## End user settings for the Copilot key
If you choose to provide users in your organization with the choice to manage their own experience, a protocol to launch the **Settings** app remap the Copilot key is available. The following can be used by apps and scripts to bring the user to the setting so they can modify it to meet their needs:
`ms-settings:personalization-textinput-copilot-hardwarekey`
:::image type="content" border="true" source="./images/9598546-copilot-key-settings.png" alt-text="Screenshot of the text input page in Settings." lightbox="./images/9598546-copilot-key-settings.png":::
If a user signed in with their Microsoft Entra account doesn't already have the key mapped to the Microsoft 365 Copilot app, they can select the app by going to **Settings** > **Personalization** > **Text input**, then selecting from the dropdown menu in the setting called **Customize Copilot key on keyboard**. This dropdown has options for: **Search**, **Custom**, or a currently mapped app if one is selected.
To map the key to the Microsoft 365 Copilot app, the user should select **Custom** and then choose the Microsoft 365 Copilot app from the app picker. If this app picker is empty or doesn't include the Microsoft 365 Copilot app, they should reinstall it from the Microsoft Store.
Users can also choose to have the Copilot key launch an app that is MSIX packaged and signed, ensuring the app options the Copilot key can remap to meet security and privacy requirements.
## Copilot installation with Windows updates and controls
If you're an IT administrator and have enabled group policies to prevent the installation of Copilot, the Copilot app won't be installed on the configured devices. If you haven't enabled a group policy, you can remove the Copilot app by following one of the steps in the [Remove or prevent installation of the Copilot app](#remove-or-prevent-installation-of-the-copilot-app) section or configure the [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) before installing Windows updates. When the AppLocker policy for Copilot is enabled, it will:
- Prevent the app from being installed if it isn't already on the device.
- Block the app from being launched if it's already installed.
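Review bot: In the "End user settings for the Copilot key" paragraph, the sentence "a protocol to launch the **Settings** app remap the Copilot key is available" is missing a word between "app" and "remap"; "a protocol that launches the **Settings** app so users can remap the Copilot key is available" would read correctly. The last sentence of that section ("ensuring the app options the Copilot key can remap to meet security and privacy requirements") is also hard to parse. State the constraint directly, for example that the key can only be remapped to apps that are MSIX packaged and signed, so admins know this is a restriction and not just one option among several.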

View File

@ -54,7 +54,7 @@ Available naming macros:
Supported operation is Add. Supported operation is Add.
> [!Note] > [!Note]
> For desktop PCs on Windows 10, version 2004 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md). > For desktop PCs on supported versions of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
<a href="" id="users"></a>**Users** <a href="" id="users"></a>**Users**
Interior node for the user account information. Interior node for the user account information.
@ -62,12 +62,26 @@ Interior node for the user account information.
<a href="" id="users-username"></a>**Users/_UserName_** <a href="" id="users-username"></a>**Users/_UserName_**
This node specifies the username for a new local user account. This setting can be managed remotely. This node specifies the username for a new local user account. This setting can be managed remotely.
> [!IMPORTANT]
> The username is limited to 20 characters.
<a href="" id="users-username-password"></a>**Users/_UserName_/Password** <a href="" id="users-username-password"></a>**Users/_UserName_/Password**
This node specifies the password for a new local user account. This setting can be managed remotely. This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add. Supported operation is Add.
GET operation isn't supported. This setting will report as failed when deployed from Intune. GET operation isn't supported. This setting will report as failed when deployed from Intune.
> [!IMPORTANT]
> This string needs to meet the current password policy requirements.
>
> Escape any special characters in the string. For example,
>
> | Character | Escape sequence |
> |:---|:---|
> | `<` | `&lt;` |
> | `>` | `&gt;` |
> | `&` | `&amp;` |
<a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup** <a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup**
This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.

View File

@ -1,7 +1,7 @@
--- ---
title: AssignedAccess CSP title: AssignedAccess CSP
description: Learn more about the AssignedAccess CSP. description: Learn more about the AssignedAccess CSP.
ms.date: 04/10/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -126,7 +126,7 @@ To learn how to configure xml file, see [Create an Assigned Access configuration
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
Example: `{"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}`. Example: `{"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.

View File

@ -1,7 +1,7 @@
--- ---
title: Defender CSP title: Defender CSP
description: Learn more about the Defender CSP. description: Learn more about the Defender CSP.
ms.date: 09/27/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -3775,9 +3775,9 @@ Enable this policy to specify when devices receive Microsoft Defender security i
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | | 0 (Default) | Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment. |
| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). | | 4 | Current Channel (Staged): Same as Current Channel (Broad). |
| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | | 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production. |
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-AllowedValues-End --> <!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-AllowedValues-End -->
<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Examples-Begin --> <!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Examples-Begin -->
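Review bot: The rewritten row for value 0 now warns that the default "may not be suitable for devices in a production or critical environment", but the table gives no explicit instruction on what to set instead; add a sentence recommending value 5 for production devices so the warning is actionable. The row for value 4 now reads "Same as Current Channel (Broad)", which makes 4 and 5 indistinguishable and drops the earlier staging guidance without explanation. If 4 is kept only for compatibility, say so, so admins who built a staged rollout ring on it know it no longer delays updates relative to other rings. Minor style point: the same row uses both "might" and "may".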

View File

@ -1,7 +1,7 @@
--- ---
title: Defender DDF file title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider. description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
ms.date: 09/27/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -1627,15 +1627,15 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</MSFT:ValueDescription> <MSFT:ValueDescription>Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>4</MSFT:Value> <MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).</MSFT:ValueDescription> <MSFT:ValueDescription>Current Channel (Staged): Same as Current Channel (Broad).</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>5</MSFT:Value> <MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</MSFT:ValueDescription> <MSFT:ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
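Review bot: The new ValueDescription text for value 0 ends with "critical environment" and no closing period, while the matching row in the Defender CSP table and the other two descriptions in this hunk end with one. Since both files are marked auto-generated from the same source, the missing period suggests one of them was edited by hand; fix it at the source so the DDF and the CSP page stay identical. The same concern as on the CSP page applies here: value 4 described as "Same as Current Channel (Broad)" should say whether the value is retained only for compatibility.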

View File

@ -1,7 +1,7 @@
--- ---
title: DevDetail CSP title: DevDetail CSP
description: Learn more about the DevDetail CSP. description: Learn more about the DevDetail CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -1259,7 +1259,7 @@ Returns the name of the Original Equipment Manufacturer (OEM) as a string, as de
<!-- Device-SwV-Description-Begin --> <!-- Device-SwV-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Returns the Windows 10 OS software version in the format MajorVersion. MinorVersion. BuildNumber. QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. Returns the Windows 10 OS software version in the format `MajorVersion.MinorVersion.BuildNumber.QFEnumber`. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
<!-- Device-SwV-Description-End --> <!-- Device-SwV-Description-End -->
<!-- Device-SwV-Editable-Begin --> <!-- Device-SwV-Editable-Begin -->

View File

@ -1,7 +1,7 @@
--- ---
title: DMClient CSP title: DMClient CSP
description: Learn more about the DMClient CSP. description: Learn more about the DMClient CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -1654,7 +1654,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-Begin --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-End --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Editable-Begin --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Editable-Begin -->
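Review bot: Wrapping the example in a single code span now puts `"\xF000"`, its quote characters and the following space inside the literal, so a reader copying the span gets a seven-character escape string and a space instead of the single delimiter character the first sentence describes. Show the two LocURI entries as separate code spans and state in words that they are joined by the one character U+F000. The text after the span, "Which will represent that ...", is a sentence fragment; "This example indicates that ..." would fix it. The same applies to the three other FirstSyncStatus descriptions changed in this file.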
@ -1694,7 +1694,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-Begin --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-End --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Editable-Begin --> <!-- Device-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Editable-Begin -->
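Review bot: This description sits under the Device-Provider scope, yet the example LocURIs start with `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/...`, the same paths used in the User-scope copy of this text further down. Please confirm whether a device-scoped ExpectedMSIAppPackages list is meant to reference user-scoped MSI status nodes. If not, the example should use the device path, because a list that points at the wrong scope would be tracked against packages that never report in.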
@ -4311,7 +4311,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-Begin --> <!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user. This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-End --> <!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Description-End -->
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Editable-Begin --> <!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedModernAppPackages-Editable-Begin -->
@ -4351,7 +4351,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-Begin --> <!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user. This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-End --> <!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Description-End -->
<!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Editable-Begin --> <!-- User-Provider-{ProviderID}-FirstSyncStatus-ExpectedMSIAppPackages-Editable-Begin -->

View File

@ -1,7 +1,7 @@
--- ---
title: EnterpriseModernAppManagement CSP title: EnterpriseModernAppManagement CSP
description: Learn more about the EnterpriseModernAppManagement CSP. description: Learn more about the EnterpriseModernAppManagement CSP.
ms.date: 09/11/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -6951,7 +6951,7 @@ Interior node for all managed app setting values.
<!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin --> <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
<!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End --> <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
<!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin --> <!-- User-AppManagement-AppStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->
@ -8193,7 +8193,7 @@ This node is only supported in the user context.
<!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin --> <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
<!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End --> <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
<!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin --> <!-- User-AppManagement-nonStore-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->
@ -9495,7 +9495,7 @@ This node is only supported in the user context.
<!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin --> <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container. The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
<!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End --> <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Description-End -->
<!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin --> <!-- User-AppManagement-System-{PackageFamilyName}-AppSettingPolicy-{SettingValue}-Editable-Begin -->

View File

@ -1,25 +1,31 @@
--- ---
title: PDE CSP title: Personal Data Encryption CSP
description: Learn more about the PDE CSP. description: Learn more about the Personal Data Encryption CSP.
ms.date: 01/18/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
<!-- PDE-Begin --> <!-- PDE-Begin -->
# PDE CSP # Personal Data Encryption CSP
<!-- PDE-Editable-Begin --> <!-- PDE-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Personal Data Encryption (PDE) configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2. The Personal Data Encryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
<!-- PDE-Editable-End --> <!-- PDE-Editable-End -->
<!-- PDE-Tree-Begin --> <!-- PDE-Tree-Begin -->
The following list shows the PDE configuration service provider nodes: The following list shows the Personal Data Encryption configuration service provider nodes:
- ./User/Vendor/MSFT/PDE - ./User/Vendor/MSFT/PDE
- [EnablePersonalDataEncryption](#enablepersonaldataencryption) - [EnablePersonalDataEncryption](#enablepersonaldataencryption)
- [ProtectFolders](#protectfolders)
- [ProtectDesktop](#protectfoldersprotectdesktop)
- [ProtectDocuments](#protectfoldersprotectdocuments)
- [ProtectPictures](#protectfoldersprotectpictures)
- [Status](#status) - [Status](#status)
- [FolderProtectionStatus](#statusfolderprotectionstatus)
- [FoldersProtected](#statusfoldersprotected)
- [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus) - [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus)
<!-- PDE-Tree-End --> <!-- PDE-Tree-End -->
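Review bot: The intro sentence drops the "(PDE)" abbreviation, but the node root shown in the tree is still `./User/Vendor/MSFT/PDE`, so the page no longer explains what PDE in the OMA-URI stands for. Keep the abbreviation defined once in the intro. The intro also still says "This CSP was added in Windows 11, version 22H2" while the tree now lists ProtectFolders and the two new Status nodes, whose applicability tables lower on the page give Windows 11, version 24H2. Add a note that the new nodes have a later minimum version, so admins do not assume folder protection is in effect on 22H2 or 23H2 devices.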
@ -45,7 +51,7 @@ Allows the Admin to enable Personal Data Encryption. Set to '1' to set this poli
<!-- User-EnablePersonalDataEncryption-Editable-Begin --> <!-- User-EnablePersonalDataEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled. The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for Personal Data Encryption to be enabled.
<!-- User-EnablePersonalDataEncryption-Editable-End --> <!-- User-EnablePersonalDataEncryption-Editable-End -->
<!-- User-EnablePersonalDataEncryption-DFProperties-Begin --> <!-- User-EnablePersonalDataEncryption-DFProperties-Begin -->
@ -72,6 +78,191 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
<!-- User-EnablePersonalDataEncryption-End --> <!-- User-EnablePersonalDataEncryption-End -->
<!-- User-ProtectFolders-Begin -->
## ProtectFolders
<!-- User-ProtectFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-Applicability-End -->
<!-- User-ProtectFolders-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders
```
<!-- User-ProtectFolders-OmaUri-End -->
<!-- User-ProtectFolders-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- User-ProtectFolders-Description-End -->
<!-- User-ProtectFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-Editable-End -->
<!-- User-ProtectFolders-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- User-ProtectFolders-DFProperties-End -->
<!-- User-ProtectFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-Examples-End -->
<!-- User-ProtectFolders-End -->
<!-- User-ProtectFolders-ProtectDesktop-Begin -->
### ProtectFolders/ProtectDesktop
<!-- User-ProtectFolders-ProtectDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-ProtectDesktop-Applicability-End -->
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop
```
<!-- User-ProtectFolders-ProtectDesktop-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDesktop-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable Personal Data Encryption on Desktop folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDesktop-Description-End -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Editable-End -->
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` <br> Dependency Allowed Value: `1` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- User-ProtectFolders-ProtectDesktop-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
| 1 | Enable Personal Data Encryption on the folder. |
<!-- User-ProtectFolders-ProtectDesktop-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDesktop-Examples-End -->
<!-- User-ProtectFolders-ProtectDesktop-End -->
<!-- User-ProtectFolders-ProtectDocuments-Begin -->
### ProtectFolders/ProtectDocuments
<!-- User-ProtectFolders-ProtectDocuments-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-ProtectDocuments-Applicability-End -->
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments
```
<!-- User-ProtectFolders-ProtectDocuments-OmaUri-End -->
<!-- User-ProtectFolders-ProtectDocuments-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable Personal Data Encryption on Documents folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectDocuments-Description-End -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Editable-End -->
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` <br> Dependency Allowed Value: `1` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- User-ProtectFolders-ProtectDocuments-DFProperties-End -->
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
| 1 | Enable Personal Data Encryption on the folder. |
<!-- User-ProtectFolders-ProtectDocuments-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectDocuments-Examples-End -->
<!-- User-ProtectFolders-ProtectDocuments-End -->
<!-- User-ProtectFolders-ProtectPictures-Begin -->
### ProtectFolders/ProtectPictures
<!-- User-ProtectFolders-ProtectPictures-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-ProtectFolders-ProtectPictures-Applicability-End -->
<!-- User-ProtectFolders-ProtectPictures-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures
```
<!-- User-ProtectFolders-ProtectPictures-OmaUri-End -->
<!-- User-ProtectFolders-ProtectPictures-Description-Begin -->
<!-- Description-Source-DDF -->
Allows the Admin to enable Personal Data Encryption on Pictures folder. Set to '1' to set this policy.
<!-- User-ProtectFolders-ProtectPictures-Description-End -->
<!-- User-ProtectFolders-ProtectPictures-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Editable-End -->
<!-- User-ProtectFolders-ProtectPictures-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` <br> Dependency Allowed Value: `1` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- User-ProtectFolders-ProtectPictures-DFProperties-End -->
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
| 1 | Enable Personal Data Encryption on the folder. |
<!-- User-ProtectFolders-ProtectPictures-AllowedValues-End -->
<!-- User-ProtectFolders-ProtectPictures-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-ProtectFolders-ProtectPictures-Examples-End -->
<!-- User-ProtectFolders-ProtectPictures-End -->
<!-- User-Status-Begin --> <!-- User-Status-Begin -->
## Status ## Status
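Review bot: The Editable blocks for ProtectDocuments and ProtectPictures are empty, although value 0 is documented as unprotecting a folder that is already protected and both nodes depend on `EnablePersonalDataEncryption` being 1. The description only says "Set to '1' to set this policy." and mentions neither point. Suggest a short note in each Editable block stating that 0 removes protection from an already protected folder, what the listed Delete access type does to an already protected folder, and that the setting has no effect unless the dependency is met. The descriptions also read better as "on the Documents folder" and "on the Pictures folder".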
@ -93,10 +284,10 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
<!-- User-Status-Editable-Begin --> <!-- User-Status-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Reports the current status of Personal Data Encryption (PDE) for the user. Reports the current status of Personal Data Encryption for the user.
- If prerequisites of PDE aren't met, then the status will be 0. - If prerequisites of Personal Data Encryption aren't met, then the status will be 0.
- If all prerequisites are met for PDE, then PDE will be enabled and status will be 1. - If all prerequisites are met for Personal Data Encryption, then Personal Data Encryption will be enabled and status will be 1.
<!-- User-Status-Editable-End --> <!-- User-Status-Editable-End -->
<!-- User-Status-DFProperties-Begin --> <!-- User-Status-DFProperties-Begin -->
@ -114,6 +305,95 @@ Reports the current status of Personal Data Encryption (PDE) for the user.
<!-- User-Status-End --> <!-- User-Status-End -->
<!-- User-Status-FolderProtectionStatus-Begin -->
### Status/FolderProtectionStatus
<!-- User-Status-FolderProtectionStatus-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-Status-FolderProtectionStatus-Applicability-End -->
<!-- User-Status-FolderProtectionStatus-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus
```
<!-- User-Status-FolderProtectionStatus-OmaUri-End -->
<!-- User-Status-FolderProtectionStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports folder protection status for a user.
<!-- User-Status-FolderProtectionStatus-Description-End -->
<!-- User-Status-FolderProtectionStatus-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Editable-End -->
<!-- User-Status-FolderProtectionStatus-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
<!-- User-Status-FolderProtectionStatus-DFProperties-End -->
<!-- User-Status-FolderProtectionStatus-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Protection not started. |
| 1 | Protection is completed with no failures. |
| 2 | Protection in progress. |
| 3 | Protection failed. |
<!-- User-Status-FolderProtectionStatus-AllowedValues-End -->
<!-- User-Status-FolderProtectionStatus-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FolderProtectionStatus-Examples-End -->
<!-- User-Status-FolderProtectionStatus-End -->
<!-- User-Status-FoldersProtected-Begin -->
### Status/FoldersProtected
<!-- User-Status-FoldersProtected-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- User-Status-FoldersProtected-Applicability-End -->
<!-- User-Status-FoldersProtected-OmaUri-Begin -->
```User
./User/Vendor/MSFT/PDE/Status/FoldersProtected
```
<!-- User-Status-FoldersProtected-OmaUri-End -->
<!-- User-Status-FoldersProtected-Description-Begin -->
<!-- Description-Source-DDF -->
This node reports all folders (full path to each folder) that have been protected.
<!-- User-Status-FoldersProtected-Description-End -->
<!-- User-Status-FoldersProtected-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Editable-End -->
<!-- User-Status-FoldersProtected-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- User-Status-FoldersProtected-DFProperties-End -->
<!-- User-Status-FoldersProtected-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- User-Status-FoldersProtected-Examples-End -->
<!-- User-Status-FoldersProtected-End -->
<!-- User-Status-PersonalDataEncryptionStatus-Begin --> <!-- User-Status-PersonalDataEncryptionStatus-Begin -->
### Status/PersonalDataEncryptionStatus ### Status/PersonalDataEncryptionStatus
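Review bot: FolderProtectionStatus returns a single int per user, but ProtectFolders configures Desktop, Documents and Pictures separately, and nothing here says how the value is derived when the folders are in different states (for example one failed and another completed). FoldersProtected is a `chr` string reporting "all folders (full path to each folder)" with no stated separator and no sample value. Both nodes have empty Editable and Examples blocks; suggest documenting the aggregation rule and the list format there, since management tooling will parse these values for compliance reporting.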

View File

@ -1,14 +1,14 @@
--- ---
title: PDE DDF file title: Personal Data Encryption DDF file
description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider. description: View the XML file containing the device description framework (DDF) for the Personal Data Encryption configuration service provider.
ms.date: 06/28/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
# PDE DDF file # Personal Data Encryption DDF file
The following XML file contains the device description framework (DDF) for the PDE configuration service provider. The following XML file contains the device description framework (DDF) for the Personal Data Encryption configuration service provider.
```xml ```xml
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
@ -76,6 +76,171 @@ The following XML file contains the device description framework (DDF) for the P
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>ProtectFolders</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>ProtectDocuments</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnablePersonalDataEncryptionDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>User/Vendor/MSFT/PDE/EnablePersonalDataEncryption</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires EnablePersonalDataEncryption to be set to 1.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectDesktop</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnablePersonalDataEncryptionDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>User/Vendor/MSFT/PDE/EnablePersonalDataEncryption</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires EnablePersonalDataEncryption to be set to 1.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>ProtectPictures</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable PDE on the folder.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EnablePersonalDataEncryptionDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>User/Vendor/MSFT/PDE/EnablePersonalDataEncryption</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Requires EnablePersonalDataEncryption to be set to 1.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node> <Node>
<NodeName>Status</NodeName> <NodeName>Status</NodeName>
<DFProperties> <DFProperties>
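Review bot: The Description and ValueDescription strings under ProtectFolders still use the abbreviation "PDE" (for example "Allows the Admin to enable PDE on Documents folder"), while the CSP reference changed in this same commit shows the same text as "Personal Data Encryption" and marks it Description-Source-DDF. The two files now disagree about the source string; either update the strings here or confirm the reference page is expected to diverge from the DDF. Separately, ProtectDocuments, ProtectDesktop and ProtectPictures carry no MSFT:Applicability block of their own, so it is worth stating that they inherit 10.0.26100 from the ProtectFolders parent.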
@ -116,6 +281,74 @@ The following XML file contains the device description framework (DDF) for the P
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>FolderProtectionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports folder protection status for a user. </Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Protection not started.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Protection is completed with no failures.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Protection in progress.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Protection failed.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>FoldersProtected</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports all folders (full path to each folder) that have been protected.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.26100</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
</Node> </Node>
</Node> </Node>
</MgmtTree> </MgmtTree>
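Review bot: In the FolderProtectionStatus node the Description has a trailing space before the closing tag ("This node reports folder protection status for a user. </Description>"), which carries into any text generated from the DDF. Trim it so the string matches the other Description elements added in this file.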
@ -123,4 +356,4 @@ The following XML file contains the device description framework (DDF) for the P
## Related articles ## Related articles
[PDE configuration service provider reference](personaldataencryption-csp.md) [Personal Data Encryption configuration service provider reference](personaldataencryption-csp.md)

View File

@ -1,7 +1,7 @@
--- ---
title: Policies supported by Windows 10 Team title: Policies supported by Windows 10 Team
description: Learn about the policies supported by Windows 10 Team. description: Learn about the policies supported by Windows 10 Team.
ms.date: 11/05/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -382,8 +382,10 @@ This article lists the policies that are applicable for the Surface Hub operatin
## Start ## Start
- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites) - [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
- [StartLayout](policy-csp-start.md#startlayout) - [StartLayout](policy-csp-start.md#startlayout)
- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## System ## System

View File

@ -1,7 +1,7 @@
--- ---
title: Configuration service provider preview policies title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview. description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 11/05/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -62,6 +62,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## Display ## Display
- [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode) - [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode)
- [SetClonePreferredResolutionSource](policy-csp-display.md#setclonepreferredresolutionsource)
## DMClient CSP ## DMClient CSP
@ -106,6 +107,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction) - [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
- [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout) - [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
## NewsAndInterests
- [DisableWidgetsOnLockScreen](policy-csp-newsandinterests.md#disablewidgetsonlockscreen)
## PassportForWork CSP ## PassportForWork CSP
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning) - [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
@ -118,6 +123,11 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime) - [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
## Start
- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## SurfaceHub CSP ## SurfaceHub CSP
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled) - [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
@ -137,9 +147,14 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI ## WindowsAI
- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey) - [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator) - [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator) - [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill)
- [AllowRecallEnablement](policy-csp-windowsai.md#allowrecallenablement)
## WindowsLicensing CSP ## WindowsLicensing CSP
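Review bot: The WindowsAI list removes SetCopilotHardwareKey from the preview page and adds six entries in no discernible order (Set* first, then Disable*, with AllowRecallEnablement last), unlike the alphabetical Start list added earlier in this file. Confirm the removal of SetCopilotHardwareKey is intentional, and sort the list so the Recall controls (AllowRecallEnablement, SetDenyAppListForRecall, SetDenyUriListForRecall and the two snapshot storage limits) sit together and are easy to find.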

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_Bits Policy CSP title: ADMX_Bits Policy CSP
description: Learn more about the ADMX_Bits Area in Policy CSP. description: Learn more about the ADMX_Bits Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -348,7 +348,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. - If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period.
You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A. M. to 10:00 A. M. on a maintenance schedule. You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule.
- If you disable or don't configure this policy setting, the limits defined for work or nonwork schedules will be used. - If you disable or don't configure this policy setting, the limits defined for work or nonwork schedules will be used.
@ -412,7 +412,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. - If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A. M. to 5:00 P. M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours. You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
- If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers. - If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
<!-- BITS_MaxBandwidthV2_Work-Description-End --> <!-- BITS_MaxBandwidthV2_Work-Description-End -->

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_ControlPanel Policy CSP title: ADMX_ControlPanel Policy CSP
description: Learn more about the ADMX_ControlPanel Area in Policy CSP. description: Learn more about the ADMX_ControlPanel Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -36,7 +36,7 @@ This setting allows you to display or hide specified Control Panel items, such a
If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization. To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE] > [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". > For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items".
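
Review bot: The canonical names are now formatted as code (`Microsoft.Mouse`, `Microsoft.System`, `Microsoft.Personalization`), but the NOTE directly below still gives timedate.cpl, inetcpl.cpl, @systemcpl.dll,-1 and @themecpl.dll,-1 as plain text. These are also literal values an admin types into the policy, so format them the same way. The matching NOTE in the next hunk of this file has the same inconsistency.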
@ -243,7 +243,7 @@ If users try to select a Control Panel item from the Properties item on a contex
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization. To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE] > [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". > For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items".

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_ControlPanelDisplay Policy CSP title: ADMX_ControlPanelDisplay Policy CSP
description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP. description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -519,7 +519,7 @@ Prevents users from changing the background image shown when the machine is lock
By default, users can change the background image shown when the machine is locked or displaying the logon screen. By default, users can change the background image shown when the machine is locked or displaying the logon screen.
If you enable this setting, the user won't be able to change their lock screen and logon image, and they will instead see the default image. If you enable this setting, the user won't be able to change their lock screen and logon image, and they'll instead see the default image.
<!-- CPL_Personalization_NoChangingLockScreen-Description-End --> <!-- CPL_Personalization_NoChangingLockScreen-Description-End -->
<!-- CPL_Personalization_NoChangingLockScreen-Editable-Begin --> <!-- CPL_Personalization_NoChangingLockScreen-Editable-Begin -->

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_DiskDiagnostic Policy CSP title: ADMX_DiskDiagnostic Policy CSP
description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP. description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 08/06/2024
<!-- DfdAlertPolicy-Description-Begin --> <!-- DfdAlertPolicy-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S. M. A. R. T. fault. This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. - If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
@ -97,15 +97,15 @@ This policy setting only takes effect if the Disk Diagnostic scenario policy set
<!-- WdiScenarioExecutionPolicy-Description-Begin --> <!-- WdiScenarioExecutionPolicy-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting determines the execution level for S. M. A. R. T.-based disk diagnostics. This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics.
Self-Monitoring And Reporting Technology (S. M. A. R. T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S. M. A. R. T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S. M. A. R. T. faults to the event log when they occur. Self-Monitoring And Reporting Technology (S.M.A.R.T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur.
- If you enable this policy setting, the DPS also warns users of S. M. A. R. T. faults and guides them through backup and recovery to minimize potential data loss. - If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss.
- If you disable this policy, S. M. A. R. T. faults are still detected and logged, but no corrective action is taken. - If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken.
- If you don't configure this policy setting, the DPS enables S. M. A. R. T. fault resolution by default. - If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.
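
Review bot: In the second paragraph of this hunk the new text reads "(S.M.A.R.T). is a standard mechanism", so the abbreviation loses its final period inside the parentheses and a stray period follows the closing parenthesis. Suggest "(S.M.A.R.T.) is a standard mechanism", which matches the other occurrences corrected in the same hunk.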

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_DnsClient Policy CSP title: ADMX_DnsClient Policy CSP
description: Learn more about the ADMX_DnsClient Area in Policy CSP. description: Learn more about the ADMX_DnsClient Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -602,11 +602,11 @@ You can use this policy setting to prevent users, including local administrators
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: `mycomputer.microsoft.com`.
- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client. - If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for `mycomputer.VPNconnection` and `mycomputer.microsoft.com` when this policy setting is enabled.
> [!IMPORTANT] > [!IMPORTANT]
> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled. > This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.
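
Review bot: The rewritten example sentence still says "connection specific DNS suffix" without the hyphen, while the first paragraph of the hunk and the bullet just above the example use "connection-specific". Since the line is already being touched, hyphenate it, and consider giving the inputs (mycomputer, microsoft.com, VPNconnection) the same code formatting as the resulting names so the example reads consistently.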

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_Explorer Policy CSP title: ADMX_Explorer Policy CSP
description: Learn more about the ADMX_Explorer Area in Policy CSP. description: Learn more about the ADMX_Explorer Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -120,7 +120,7 @@ This policy setting configures File Explorer to always display the menu bar.
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | AlwaysShowClassicMenu | | Name | AlwaysShowClassicMenu |
| Friendly Name | Display the menu bar in File Explorer | | Friendly Name | Display the menu bar in File Explorer |
| Location | User Configuration | | Location | User Configuration |
| Path | WindowsComponents > File Explorer | | Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_FileRevocation Policy CSP title: ADMX_FileRevocation Policy CSP
description: Learn more about the ADMX_FileRevocation Area in Policy CSP. description: Learn more about the ADMX_FileRevocation Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -36,7 +36,7 @@ Windows Runtime applications can protect content which has been associated with
Example value: Example value:
Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy. `Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy`
- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. - If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_FileSys Policy CSP title: ADMX_FileSys Policy CSP
description: Learn more about the ADMX_FileSys Area in Policy CSP. description: Learn more about the ADMX_FileSys Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -317,7 +317,7 @@ Enabling Win32 long paths will allow manifested win32 applications and packaged
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.
If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they'll never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
<!-- ShortNameCreationSettings-Description-End --> <!-- ShortNameCreationSettings-Description-End -->
<!-- ShortNameCreationSettings-Editable-Begin --> <!-- ShortNameCreationSettings-Editable-Begin -->

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_Globalization Policy CSP title: ADMX_Globalization Policy CSP
description: Learn more about the ADMX_Globalization Area in Policy CSP. description: Learn more about the ADMX_Globalization Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -638,7 +638,7 @@ This policy setting is related to the "Turn off handwriting personalization" pol
<!-- LocaleSystemRestrict-Description-Begin --> <!-- LocaleSystemRestrict-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they'll be restricted to the specified list.
The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada).
@ -1097,7 +1097,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides. When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides. - If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
@ -1166,7 +1166,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides. When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides. - If this policy setting is disabled or not configured, then the user can customize their user locale overrides.

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP. description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -2938,7 +2938,7 @@ This policy setting allows you to manage whether or not end users can pause a sc
<!-- Scan_ArchiveMaxDepth-Description-Begin --> <!-- Scan_ArchiveMaxDepth-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure the maximum directory depth level into which archive files such as . ZIP or . CAB are unpacked during scanning. The default directory depth level is 0. This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
- If you enable this setting, archive files will be scanned to the directory depth level specified. - If you enable this setting, archive files will be scanned to the directory depth level specified.
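
Review bot: The Scan_ArchiveMaxDepth description says "The default directory depth level is 0" but never states what a depth of 0 means for nested archives, whereas the Scan_ArchiveMaxSize text in the next hunk spells out that 0 "represents no limit". Since this sentence is being edited anyway, add a clause that defines the meaning of 0 here; an administrator tuning archive scanning can't tell from the current wording how deep the scan goes by default.
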
@ -2997,7 +2997,7 @@ This policy setting allows you to configure the maximum directory depth level in
<!-- Scan_ArchiveMaxSize-Description-Begin --> <!-- Scan_ArchiveMaxSize-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure the maximum size of archive files such as . ZIP or . CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
- If you enable this setting, archive files less than or equal to the size specified will be scanned. - If you enable this setting, archive files less than or equal to the size specified will be scanned.
@ -3056,7 +3056,7 @@ This policy setting allows you to configure the maximum size of archive files su
<!-- Scan_DisableArchiveScanning-Description-Begin --> <!-- Scan_DisableArchiveScanning-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files. This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned. - If you enable or don't configure this setting, archive files will be scanned.
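
Review bot: The identifier in the comment markers is Scan_DisableArchiveScanning, yet the bullet says "If you enable or don't configure this setting, archive files will be scanned", so the name and the documented effect of Enabled point in opposite directions. The punctuation fix is fine, but the description should state explicitly which state turns archive scanning off, so that nobody relying on the name misjudges whether archives are being scanned.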

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_OfflineFiles Policy CSP title: ADMX_OfflineFiles Policy CSP
description: Learn more about the ADMX_OfflineFiles Area in Policy CSP. description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -352,7 +352,7 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot. To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.
@ -413,7 +413,7 @@ This setting appears in the Computer Configuration and User Configuration folder
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot. To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_UserExperienceVirtualization Policy CSP title: ADMX_UserExperienceVirtualization Policy CSP
description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP. description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -7541,7 +7541,7 @@ This policy setting configures where custom settings location templates are stor
- If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. - If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.
If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored. If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they'll be ignored.
If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used. If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used.

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_UserProfiles Policy CSP title: ADMX_UserProfiles Policy CSP
description: Learn more about the ADMX_UserProfiles Area in Policy CSP. description: Learn more about the ADMX_UserProfiles Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -157,7 +157,7 @@ This policy setting controls whether Windows forcefully unloads the user's regis
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion.
By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they'll need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
- If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. - If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.

View File

@ -1,7 +1,7 @@
--- ---
title: ADMX_WindowsExplorer Policy CSP title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -4468,7 +4468,7 @@ Shows or hides sleep from the power options menu.
<!-- TryHarderPinnedLibrary-Description-Begin --> <!-- TryHarderPinnedLibrary-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the . Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary. Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified . Library-ms or .searchConnector-ms file. This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the `.Library-ms or .searchConnector-ms` file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified `.Library-ms or .searchConnector-ms` file.
You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.
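
Review bot: Both new code spans in the first paragraph wrap the conjunction along with the extensions: `.Library-ms or .searchConnector-ms` renders the word "or" as code. Split each into two spans, `.Library-ms` or `.searchConnector-ms`, and consider code-formatting the two example paths ("C:\sampleLibrary.Library-ms", "C:\sampleSearchConnector.searchConnector-ms") the same way, since they're the values a reader would copy.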

View File

@ -1,7 +1,7 @@
--- ---
title: ApplicationManagement Policy CSP title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP. description: Learn more about the ApplicationManagement Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -371,7 +371,7 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Manages a Windows app's ability to share data between users who have installed the app. Manages a Windows app's ability to share data between users who have installed the app.
- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API. - If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the `Windows.Storage` API.
- If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder. - If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder.
<!-- AllowSharedUserAppData-Description-End --> <!-- AllowSharedUserAppData-Description-End -->
@ -629,7 +629,7 @@ Disable turns off the launch of all apps from the Microsoft Store that came pre-
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | DisableStoreApps | | Name | DisableStoreApps |
| Friendly Name | Disable all apps from Microsoft Store | | Friendly Name | Disable all apps from Microsoft Store |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Store | | Path | Windows Components > Store |
| Registry Key Name | Software\Policies\Microsoft\WindowsStore | | Registry Key Name | Software\Policies\Microsoft\WindowsStore |
@ -867,7 +867,7 @@ This policy setting directs Windows Installer to use elevated permissions when i
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
Denies access to the retail catalog in the Microsoft Store, but displays the private store. Denies access to the retail catalog in the Microsoft Store, but displays the private store.
- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. - If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they'll be able to view apps in the private store.
- If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store. - If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store.
<!-- RequirePrivateStoreOnly-Description-End --> <!-- RequirePrivateStoreOnly-Description-End -->

View File

@ -1,7 +1,7 @@
--- ---
title: AttachmentManager Policy CSP title: AttachmentManager Policy CSP
description: Learn more about the AttachmentManager Area in Policy CSP. description: Learn more about the AttachmentManager Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -154,7 +154,7 @@ This policy setting allows you to manage whether users can manually remove the z
<!-- NotifyAntivirusPrograms-Description-Begin --> <!-- NotifyAntivirusPrograms-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
- If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. - If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.

View File

@ -1,7 +1,7 @@
--- ---
title: BITS Policy CSP title: BITS Policy CSP
description: Learn more about the BITS Area in Policy CSP. description: Learn more about the BITS Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 01/18/2024
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers). This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. - If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
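Review bot: The sentence this hunk touches still ends with "the rest of the day's hours", and the next line gives the floor as "less than 2 kilobits" and "approximately 2 kilobits" although the limit is specified in Kbps. While the A.M./P.M. spacing is being fixed, consider "for the rest of the day" and "2 Kbps" so the units match. The text is marked Description-Source-ADMX, so the change belongs in the ADMX source, and the same wording repeats in the two following hunks of this file.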
@ -98,7 +98,7 @@ Consider using this setting to prevent BITS transfers from competing for network
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers). This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. - If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@ -164,7 +164,7 @@ Consider using this setting to prevent BITS transfers from competing for network
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers). This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. - If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.

View File

@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). > MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
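Review bot: The sentence added to the NOTE hedges twice ("it is recommended that ... should not be configured") and says "race condition" without stating the consequence for the admin, which is that the effective value of the setting can't be predicted. A direct form would read better, for example: "Don't configure the same setting in both GPO and MDM unless the setting is controlled by MDMWinsOverGP; otherwise there's no guarantee which value wins." The note also keeps "It does not" and adds "it is", while other hunks in this commit move to contractions ("they'll"). The unchanged line below it reads "if this policy value is set 1" and is missing "to".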

View File

@ -1,7 +1,7 @@
--- ---
title: Defender Policy CSP title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP. description: Learn more about the Defender Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -30,7 +30,7 @@ ms.date: 09/27/2024
<!-- AllowArchiveScanning-Description-Begin --> <!-- AllowArchiveScanning-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files. This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned. - If you enable or don't configure this setting, archive files will be scanned.

View File

@ -1,7 +1,7 @@
--- ---
title: Display Policy CSP title: Display Policy CSP
description: Learn more about the Display Area in Policy CSP. description: Learn more about the Display Area in Policy CSP.
ms.date: 11/05/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -32,7 +32,7 @@ ms.date: 11/05/2024
<!-- ConfigureMultipleDisplayMode-Description-Begin --> <!-- ConfigureMultipleDisplayMode-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This policy set the default display to set the arrangement between cloning or extending. This policy sets the default display arrangement to pick between clone or extend.
<!-- ConfigureMultipleDisplayMode-Description-End --> <!-- ConfigureMultipleDisplayMode-Description-End -->
<!-- ConfigureMultipleDisplayMode-Editable-Begin --> <!-- ConfigureMultipleDisplayMode-Editable-Begin -->
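Review bot: The reworded description, "sets the default display arrangement to pick between clone or extend", is still hard to parse, because the policy either sets the arrangement or lets someone pick it. Something like "This policy sets the default arrangement for multiple displays: clone or extend" says it once. The line is marked Description-Source-DDF in an auto-generated document, so the wording needs to change in the DDF or the next regeneration will overwrite it.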
@ -66,7 +66,7 @@ This policy set the default display to set the arrangement between cloning or ex
|:--|:--| |:--|:--|
| Name | ConfigureMultipleDisplayMode | | Name | ConfigureMultipleDisplayMode |
| Path | Display > AT > System > DisplayCat | | Path | Display > AT > System > DisplayCat |
| Element Name | ConfigureMultipleDisplayModePrompt | | Element Name | DisplayConfigureMultipleDisplayModeSettings |
<!-- ConfigureMultipleDisplayMode-GpMapping-End --> <!-- ConfigureMultipleDisplayMode-GpMapping-End -->
<!-- ConfigureMultipleDisplayMode-Examples-Begin --> <!-- ConfigureMultipleDisplayMode-Examples-Begin -->
@ -298,6 +298,66 @@ Enabling this setting lets you specify the system-wide default for desktop appli
<!-- EnablePerProcessDpiForApps-End --> <!-- EnablePerProcessDpiForApps-End -->
<!-- SetClonePreferredResolutionSource-Begin -->
## SetClonePreferredResolutionSource
<!-- SetClonePreferredResolutionSource-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetClonePreferredResolutionSource-Applicability-End -->
<!-- SetClonePreferredResolutionSource-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Display/SetClonePreferredResolutionSource
```
<!-- SetClonePreferredResolutionSource-OmaUri-End -->
<!-- SetClonePreferredResolutionSource-Description-Begin -->
<!-- Description-Source-DDF -->
This policy sets the cloned monitor preferred resolution source to an internal or external monitor by default.
<!-- SetClonePreferredResolutionSource-Description-End -->
<!-- SetClonePreferredResolutionSource-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetClonePreferredResolutionSource-Editable-End -->
<!-- SetClonePreferredResolutionSource-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- SetClonePreferredResolutionSource-DFProperties-End -->
<!-- SetClonePreferredResolutionSource-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Default. |
| 1 (Default) | Internal. |
| 2 | External. |
<!-- SetClonePreferredResolutionSource-AllowedValues-End -->
<!-- SetClonePreferredResolutionSource-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetClonePreferredResolutionSource |
| Path | Display > AT > System > DisplayCat |
| Element Name | DisplaySetClonePreferredResolutionSourceSettings |
<!-- SetClonePreferredResolutionSource-GpMapping-End -->
<!-- SetClonePreferredResolutionSource-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetClonePreferredResolutionSource-Examples-End -->
<!-- SetClonePreferredResolutionSource-End -->
<!-- TurnOffGdiDPIScalingForApps-Begin --> <!-- TurnOffGdiDPIScalingForApps-Begin -->
## TurnOffGdiDPIScalingForApps ## TurnOffGdiDPIScalingForApps
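Review bot: The Allowed values table for SetClonePreferredResolutionSource marks two rows as the default: value 0 is described only as "Default." while value 1 is labelled "1 (Default)", and the DFProperties table gives Default Value 1. Describe what 0 actually selects so it can be told apart from the documented default. The description line also mentions only "an internal or external monitor", which covers values 1 and 2 but not 0. The Examples section is empty; given that the policy is listed for Windows Insider Preview only, a short example of the OMA-URI with an integer value would help admins test it.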

View File

@ -1,7 +1,7 @@
--- ---
title: InternetExplorer Policy CSP title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP. description: Learn more about the InternetExplorer Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -2472,11 +2472,11 @@ This policy setting determines whether Internet Explorer requires that all file-
<!-- DisableActiveXVersionListAutoDownload-Description-Begin --> <!-- DisableActiveXVersionListAutoDownload-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
- If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. - If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
- If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML. - If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML.
For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library. For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library.
<!-- DisableActiveXVersionListAutoDownload-Description-End --> <!-- DisableActiveXVersionListAutoDownload-Description-End -->
@ -4429,7 +4429,7 @@ This policy setting allows you to manage a list of domains on which Internet Exp
- If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: - If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" 1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
2. "hostname". For example, if you want to include https://example, use "example". 2. "hostname". For example, if you want to include https://example, use "example".
3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm". 3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm".
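Review bot: In list item 1, the pattern *.contoso.com/* is written with bare asterisks, which Markdown renders as emphasis, so the wildcards disappear from the published page. Since this entry format defines which domains are exempt from outdated ActiveX control blocking, put the pattern in backticks or escape the asterisks so the wildcards are shown literally. Item 1 also lacks the closing period that items 2 and 3 have.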
@ -5272,7 +5272,7 @@ This policy setting allows you to manage the loading of Extensible Application M
<!-- InternetZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- InternetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -6825,7 +6825,7 @@ This policy setting allows you to manage the opening of windows and frames and a
<!-- InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode-Description-Begin --> <!-- InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. - If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@ -7337,7 +7337,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- IntranetZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- IntranetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -8410,7 +8410,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LocalMachineZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- LocalMachineZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -9325,7 +9325,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownInternetZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- LockedDownInternetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -10174,7 +10174,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownIntranetZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- LockedDownIntranetZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -10883,7 +10883,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -11662,7 +11662,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -12441,7 +12441,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -13373,7 +13373,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | VerMgmtDisableRunThisTime | | Name | VerMgmtDisableRunThisTime |
| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | | Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | | Path | Windows Components > Internet Explorer > Security Features > Add-on Management |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext |
@ -14307,7 +14307,7 @@ This policy setting allows you to manage whether a user's browser can be redirec
<!-- RestrictedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- RestrictedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@ -15862,7 +15862,7 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t
<!-- RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode-Description-Begin --> <!-- RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. - If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@ -16472,7 +16472,7 @@ Also, see the "Security zones: Don't allow users to change policies" policy.
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | Security_HKLM_only | | Name | Security_HKLM_only |
| Friendly Name | Security Zones: Use only machine settings | | Friendly Name | Security Zones: Use only machine settings |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Internet Explorer | | Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | | Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
@ -16981,7 +16981,7 @@ This policy setting allows you to manage whether Web sites from less privileged
<!-- TrustedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin --> <!-- TrustedSitesZoneAllowNETFrameworkReliantComponents-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

View File

@ -9,7 +9,7 @@ ms.date: 11/05/2024
<!-- LocalPoliciesSecurityOptions-Begin --> <!-- LocalPoliciesSecurityOptions-Begin -->
# Policy CSP - LocalPoliciesSecurityOptions # Policy CSP - LocalPoliciesSecurityOptions
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] [!INCLUDE [Windows Windows Insider Preview tip](includes/mdm-insider-csp-note.md)]
<!-- LocalPoliciesSecurityOptions-Editable-Begin --> <!-- LocalPoliciesSecurityOptions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
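Review bot: the new INCLUDE label reads `[Windows Windows Insider Preview tip]`, with "Windows" doubled. It should be `[Windows Insider Preview tip]`, or stay `[Windows Insider tip]` to match the label the NewsAndInterests and Start pages add in this same commit for the same `includes/mdm-insider-csp-note.md` file.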
@ -517,7 +517,7 @@ Audit: Shut down system immediately if unable to log security audits This securi
<!-- Devices_AllowedToFormatAndEjectRemovableMedia-Description-Begin --> <!-- Devices_AllowedToFormatAndEjectRemovableMedia-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability. Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability.
<!-- Devices_AllowedToFormatAndEjectRemovableMedia-Description-End --> <!-- Devices_AllowedToFormatAndEjectRemovableMedia-Description-End -->
<!-- Devices_AllowedToFormatAndEjectRemovableMedia-Editable-Begin --> <!-- Devices_AllowedToFormatAndEjectRemovableMedia-Editable-Begin -->
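Review bot: on the Description line, collapsing `Administrators Administrators and Interactive Users` to `Administrators and Interactive Users` removes one of the two choices instead of a duplicate word. The old run-on listed "Administrators" and "Administrators and Interactive Users" as separate options, and the Default sentence still refers to Administrators alone. Restore both options and separate them with punctuation or a list so they are not merged again.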
@ -1117,7 +1117,7 @@ Domain member: Require strong (Windows 2000 or later) session key This security
<!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Description-Begin --> <!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Interactive Logon:Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Don't display user information (3) Domain and user names only (4) Interactive Logon: Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Don't display user information (3) Domain and user names only (4)
<!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Description-End --> <!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Description-End -->
<!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Editable-Begin --> <!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Editable-Begin -->
@ -1556,7 +1556,7 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin --> <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End --> <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin --> <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
@ -1568,6 +1568,9 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-Begin --> <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10. Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. 
For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10.
> [!NOTE]
> This setting previously showed as applicable to Windows 11, version 24H2 [10.0.26100] and later in error. MDM solutions may show as applicable to that version until a future release.
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-End --> <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-Begin --> <!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-Begin -->
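Review bot: the added `> [!NOTE]` sits between `Description-Begin` and `Description-End` under `Description-Source-DDF`, while this file's own comment says anything outside the Editable section gets overwritten. If the note was written by hand, move it into the `InteractiveLogon_NumberOfPreviousLogonsToCache-Editable` section that follows so it is not lost. The second sentence would also read better as "MDM solutions may show it as applicable to that version until a future release."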
@ -1780,7 +1783,7 @@ Microsoft network client: Digitally sign communications (if server agrees) This
- If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. - If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated.
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>. - If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. 
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
<!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Description-End --> <!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Description-End -->
<!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Editable-Begin --> <!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Editable-Begin -->
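Review bot: the rewritten line still ends with `reference:< https://go.microsoft.com/fwlink/?LinkID=787136>`. The space after `<` keeps it from being treated as an autolink, and there is no space after the colon. Since the sentence is being touched for the "is/are" fix, change it to `reference: <https://go.microsoft.com/fwlink/?LinkID=787136>`. The new line break also leaves three of the four policy settings on a separate source line from the first, so the list is still an unpunctuated run-on. A bulleted list of the four settings would be clearer.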
@ -2021,7 +2024,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. on domain controllers only. - If this policy is disabled, the SMB client will never negotiate SMB packet signing. on domain controllers only.
> [!IMPORTANT] > [!IMPORTANT]
> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>. > For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. 
For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
<!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Description-End --> <!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Description-End -->
<!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Editable-Begin --> <!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Editable-Begin -->
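Review bot: the continuation line that now starts `For Windows 2000 and above, ...` has no `>` prefix, so whether it belongs to the `[!IMPORTANT]` callout depends on lazy continuation. Prefix it with `>` if the Notes text is meant to stay in the callout, or put a blank line before it if only the `enableW9xsecuritysignature` sentence is the important part. The context line above also still reads `the SMB client will never negotiate SMB packet signing. on domain controllers only.`, a stray fragment in a server-side policy description that is worth fixing in the same pass.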

View File

@ -1,7 +1,7 @@
--- ---
title: MixedReality Policy CSP title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP. description: Learn more about the MixedReality Area in Policy CSP.
ms.date: 09/11/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -139,7 +139,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us
<!-- AllowLaunchUriInSingleAppKiosk-Description-Begin --> <!-- AllowLaunchUriInSingleAppKiosk-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
By default, launching applications via Launcher API (Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. By default, launching applications via Launcher API is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
<!-- AllowLaunchUriInSingleAppKiosk-Description-End --> <!-- AllowLaunchUriInSingleAppKiosk-Description-End -->
<!-- AllowLaunchUriInSingleAppKiosk-Editable-Begin --> <!-- AllowLaunchUriInSingleAppKiosk-Editable-Begin -->
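Review bot: deleting the parenthetical from the Description line removes the only pointer to what "Launcher API" means; the old text named the Launcher Class (Windows.System) documentation page. Keep the reference as a proper Markdown link on "Launcher API" instead of dropping it, so admins can tell which launches the policy governs in single app kiosk mode.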

View File

@ -1,7 +1,7 @@
--- ---
title: NewsAndInterests Policy CSP title: NewsAndInterests Policy CSP
description: Learn more about the NewsAndInterests Area in Policy CSP. description: Learn more about the NewsAndInterests Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- NewsAndInterests-Begin --> <!-- NewsAndInterests-Begin -->
# Policy CSP - NewsAndInterests # Policy CSP - NewsAndInterests
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- NewsAndInterests-Editable-Begin --> <!-- NewsAndInterests-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NewsAndInterests-Editable-End --> <!-- NewsAndInterests-Editable-End -->
@ -82,6 +84,64 @@ This policy applies to the entire widgets experience, including content on the t
<!-- AllowNewsAndInterests-End --> <!-- AllowNewsAndInterests-End -->
<!-- DisableWidgetsOnLockScreen-Begin -->
## DisableWidgetsOnLockScreen
<!-- DisableWidgetsOnLockScreen-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableWidgetsOnLockScreen-Applicability-End -->
<!-- DisableWidgetsOnLockScreen-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/DisableWidgetsOnLockScreen
```
<!-- DisableWidgetsOnLockScreen-OmaUri-End -->
<!-- DisableWidgetsOnLockScreen-Description-Begin -->
<!-- Description-Source-DDF -->
Disable widgets on lock screen.
<!-- DisableWidgetsOnLockScreen-Description-End -->
<!-- DisableWidgetsOnLockScreen-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableWidgetsOnLockScreen-Editable-End -->
<!-- DisableWidgetsOnLockScreen-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableWidgetsOnLockScreen-DFProperties-End -->
<!-- DisableWidgetsOnLockScreen-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Enabled. |
| 1 | Disabled. |
<!-- DisableWidgetsOnLockScreen-AllowedValues-End -->
<!-- DisableWidgetsOnLockScreen-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableWidgetsOnLockScreen |
| Path | NewsAndInterests > AT > WindowsComponents > NewsAndInterests |
<!-- DisableWidgetsOnLockScreen-GpMapping-End -->
<!-- DisableWidgetsOnLockScreen-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableWidgetsOnLockScreen-Examples-End -->
<!-- DisableWidgetsOnLockScreen-End -->
<!-- NewsAndInterests-CspMoreInfo-Begin --> <!-- NewsAndInterests-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- NewsAndInterests-CspMoreInfo-End --> <!-- NewsAndInterests-CspMoreInfo-End -->
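Review bot: in the Allowed values table for `DisableWidgetsOnLockScreen`, `0 (Default) | Enabled.` and `1 | Disabled.` are ambiguous next to a policy whose name starts with "Disable". A reader cannot tell whether "Enabled" refers to the widgets or to the policy. State the effect in each row, for example "Widgets on the lock screen are enabled" and "Widgets on the lock screen are disabled", and expand the one-line description `Disable widgets on lock screen.` to say which value turns the widgets off.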

View File

@ -1,7 +1,7 @@
--- ---
title: RemoteDesktopServices Policy CSP title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP. description: Learn more about the RemoteDesktopServices Area in Policy CSP.
ms.date: 11/05/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -197,7 +197,7 @@ This policy applies only when using legacy authentication to authenticate to the
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_POLICY | | Name | TS_DISCONNECT_ON_LOCK_POLICY |
| Friendly Name | Disconnect remote session on lock for legacy authentication | | Friendly Name | Disconnect remote session on lock for legacy authentication |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |

View File

@ -1,7 +1,7 @@
--- ---
title: RemoteProcedureCall Policy CSP title: RemoteProcedureCall Policy CSP
description: Learn more about the RemoteProcedureCall Area in Policy CSP. description: Learn more about the RemoteProcedureCall Area in Policy CSP.
ms.date: 01/18/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -105,11 +105,11 @@ This policy setting impacts all RPC applications. In a domain environment this p
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner. This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner.
- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. - If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
> [!NOTE] > [!NOTE]
> This policy won't be applied until the system is rebooted. > This policy won't be applied until the system is rebooted.

View File

@ -1,7 +1,7 @@
--- ---
title: Start Policy CSP title: Start Policy CSP
description: Learn more about the Start Area in Policy CSP. description: Learn more about the Start Area in Policy CSP.
ms.date: 08/06/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 08/06/2024
<!-- Start-Begin --> <!-- Start-Begin -->
# Policy CSP - Start # Policy CSP - Start
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Start-Editable-Begin --> <!-- Start-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Start-Editable-End --> <!-- Start-Editable-End -->
@ -513,6 +515,63 @@ This policy controls the visibility of the Videos shortcut on the Start menu. Th
<!-- AllowPinnedFolderVideos-End --> <!-- AllowPinnedFolderVideos-End -->
<!-- AlwaysShowNotificationIcon-Begin -->
## AlwaysShowNotificationIcon
<!-- AlwaysShowNotificationIcon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AlwaysShowNotificationIcon-Applicability-End -->
<!-- AlwaysShowNotificationIcon-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Start/AlwaysShowNotificationIcon
```
<!-- AlwaysShowNotificationIcon-OmaUri-End -->
<!-- AlwaysShowNotificationIcon-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- AlwaysShowNotificationIcon-Description-End -->
<!-- AlwaysShowNotificationIcon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AlwaysShowNotificationIcon-Editable-End -->
<!-- AlwaysShowNotificationIcon-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AlwaysShowNotificationIcon-DFProperties-End -->
<!-- AlwaysShowNotificationIcon-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Auto-hide notification bell icon. |
| 1 | Show notification bell icon. |
<!-- AlwaysShowNotificationIcon-AllowedValues-End -->
<!-- AlwaysShowNotificationIcon-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AlwaysShowNotificationIcon |
| Path | Taskbar > AT > StartMenu |
<!-- AlwaysShowNotificationIcon-GpMapping-End -->
<!-- AlwaysShowNotificationIcon-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AlwaysShowNotificationIcon-Examples-End -->
<!-- AlwaysShowNotificationIcon-End -->
<!-- ConfigureStartPins-Begin --> <!-- ConfigureStartPins-Begin -->
## ConfigureStartPins ## ConfigureStartPins
@ -2247,6 +2306,63 @@ For more information on how to customize the Start layout, see [Customize the St
<!-- StartLayout-End --> <!-- StartLayout-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Begin -->
## TurnOffAbbreviatedDateTimeFormat
<!-- TurnOffAbbreviatedDateTimeFormat-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- TurnOffAbbreviatedDateTimeFormat-Applicability-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Start/TurnOffAbbreviatedDateTimeFormat
```
<!-- TurnOffAbbreviatedDateTimeFormat-OmaUri-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- TurnOffAbbreviatedDateTimeFormat-Description-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TurnOffAbbreviatedDateTimeFormat-Editable-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- TurnOffAbbreviatedDateTimeFormat-DFProperties-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Show abbreviated time and date format. |
| 1 | Show classic time and date format. |
<!-- TurnOffAbbreviatedDateTimeFormat-AllowedValues-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | TurnOffAbbreviatedDateTimeFormat |
| Path | Taskbar > AT > StartMenu |
<!-- TurnOffAbbreviatedDateTimeFormat-GpMapping-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TurnOffAbbreviatedDateTimeFormat-Examples-End -->
<!-- TurnOffAbbreviatedDateTimeFormat-End -->
<!-- Start-CspMoreInfo-Begin --> <!-- Start-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Start-CspMoreInfo-End --> <!-- Start-CspMoreInfo-End -->
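Review bot: the Allowed values for `TurnOffAbbreviatedDateTimeFormat` refer to an "abbreviated" and a "classic" time and date format, but neither is defined anywhere in the section because the description is `<!-- Description-Source-Not-Found -->`. Add text in the Editable section saying where this date and time is displayed and how the two formats differ.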

View File

@ -1,7 +1,7 @@
--- ---
title: Sudo Policy CSP title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP. description: Learn more about the Sudo Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -19,7 +19,7 @@ ms.date: 09/27/2024
<!-- EnableSudo-Applicability-Begin --> <!-- EnableSudo-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- EnableSudo-Applicability-End --> <!-- EnableSudo-Applicability-End -->
<!-- EnableSudo-OmaUri-Begin --> <!-- EnableSudo-OmaUri-Begin -->
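Review bot: in the Editions cell, `IoT Enterprise / IoT Enterprise LTSC` has no ✅ or ❌ in front of it, both before and after this change, while the other four editions are flipped from ❌ to ✅. Add the marker that applies so the row states IoT support explicitly, as the Applicability tables elsewhere in this commit do.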

View File

@ -1,7 +1,7 @@
--- ---
title: Update Policy CSP title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP. description: Learn more about the Update Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -2522,7 +2522,7 @@ Minimum number of days from update installation until restarts occur automatical
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin --> <!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End --> <!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin --> <!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-OmaUri-Begin -->
@ -2601,7 +2601,7 @@ This policy will override the following policies:
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin --> <!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End --> <!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-Applicability-End -->
<!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin --> <!-- ConfigureDeadlineNoAutoRebootForQualityUpdates-OmaUri-Begin -->
@ -3237,7 +3237,7 @@ These policies are not exclusive and can be used in any combination. Together wi
<!-- ScheduledInstallTime-Description-Begin --> <!-- ScheduledInstallTime-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. Enables the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
<!-- ScheduledInstallTime-Description-End --> <!-- ScheduledInstallTime-Description-End -->
<!-- ScheduledInstallTime-Editable-Begin --> <!-- ScheduledInstallTime-Editable-Begin -->
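Review bot: The new ScheduledInstallTime description still reads "The data type is a integer". Since this line is already being changed to restore the leading "Enables", correct it to "an integer" in the same edit. The text is marked `Description-Source-DDF` in an auto-generated document, so the correction belongs in the source definition or it will be lost on the next regeneration.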


@ -1,7 +1,7 @@
--- ---
title: WebThreatDefense Policy CSP title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP. description: Learn more about the WebThreatDefense Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -308,7 +308,7 @@ This policy setting determines whether Enhanced Phishing Protection in Microsoft
- If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it won't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. - If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it won't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
- If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen. - If you don't configure this setting, users can decide whether or not they'll enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
<!-- ServiceEnabled-Description-End --> <!-- ServiceEnabled-Description-End -->
<!-- ServiceEnabled-Editable-Begin --> <!-- ServiceEnabled-Editable-Begin -->


@ -1,7 +1,7 @@
--- ---
title: WindowsAI Policy CSP title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP. description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 11/05/2024 ms.date: 12/09/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -15,28 +15,103 @@ ms.date: 11/05/2024
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-Editable-End --> <!-- WindowsAI-Editable-End -->
<!-- AllowRecallEnablement-Begin -->
## AllowRecallEnablement
<!-- AllowRecallEnablement-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowRecallEnablement-Applicability-End -->
<!-- AllowRecallEnablement-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/AllowRecallEnablement
```
<!-- AllowRecallEnablement-OmaUri-End -->
<!-- AllowRecallEnablement-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled for managed commercial devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own.
- If this policy isn't configured, end users will have the Recall component in a disabled state.
- If this policy is disabled, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart.
- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
<!-- AllowRecallEnablement-Description-End -->
<!-- AllowRecallEnablement-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowRecallEnablement-Editable-End -->
<!-- AllowRecallEnablement-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- AllowRecallEnablement-DFProperties-End -->
<!-- AllowRecallEnablement-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Recall isn't available. |
| 1 (Default) | Recall is available. |
<!-- AllowRecallEnablement-AllowedValues-End -->
<!-- AllowRecallEnablement-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowRecallEnablement |
| Friendly Name | Allow Recall to be enabled |
| Location | Computer Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | AllowRecallEnablement |
| ADMX File Name | WindowsCopilot.admx |
<!-- AllowRecallEnablement-GpMapping-End -->
<!-- AllowRecallEnablement-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowRecallEnablement-Examples-End -->
<!-- AllowRecallEnablement-End -->
<!-- DisableAIDataAnalysis-Begin --> <!-- DisableAIDataAnalysis-Begin -->
## DisableAIDataAnalysis ## DisableAIDataAnalysis
<!-- DisableAIDataAnalysis-Applicability-Begin --> <!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later | | Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
<!-- DisableAIDataAnalysis-Applicability-End --> <!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin --> <!-- DisableAIDataAnalysis-OmaUri-Begin -->
```User ```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis ./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
``` ```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
<!-- DisableAIDataAnalysis-OmaUri-End --> <!-- DisableAIDataAnalysis-OmaUri-End -->
<!-- DisableAIDataAnalysis-Description-Begin --> <!-- DisableAIDataAnalysis-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device. This policy setting allows you to determine whether snapshots of the screen can be saved for use with Recall. By default, snapshots for Recall aren't enabled. IT administrators can't, on their own, enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent.
- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall. - If the policy isn't configured, snapshots won't be saved for use with Recall.
- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall. - If you enable this policy, snapshots won't be saved for use with Recall. If snapshots were previously saved on the device, they'll be deleted when this policy is enabled.
If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
<!-- DisableAIDataAnalysis-Description-End --> <!-- DisableAIDataAnalysis-Description-End -->
<!-- DisableAIDataAnalysis-Editable-Begin --> <!-- DisableAIDataAnalysis-Editable-Begin -->
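Review bot: In the new AllowRecallEnablement section the description and the property tables disagree about the unconfigured state. The text says "Recall isn't available on managed devices by default" and that an unconfigured policy leaves the component disabled, while the tables give `Default Value | 1` and `1 (Default) | Recall is available.` State which of the two holds for a managed device with the policy unset, because that decides whether an admin has to push 0 explicitly to keep Recall off. In the rewritten DisableAIDataAnalysis description, the last sentence ("If you set this policy to disabled, ...") has no list marker and should be a third bullet like the two above it.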
@ -68,8 +143,8 @@ This policy setting allows you to control whether Windows saves snapshots of the
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | DisableAIDataAnalysis | | Name | DisableAIDataAnalysis |
| Friendly Name | Turn off Saving Snapshots for Windows | | Friendly Name | Turn off saving snapshots for use with Recall |
| Location | User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Windows AI | | Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI | | Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | DisableAIDataAnalysis | | Registry Value Name | DisableAIDataAnalysis |
@ -144,6 +219,68 @@ This policy setting allows you to control whether Cocreator functionality is dis
<!-- DisableCocreator-End --> <!-- DisableCocreator-End -->
<!-- DisableGenerativeFill-Begin -->
## DisableGenerativeFill
<!-- DisableGenerativeFill-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableGenerativeFill-Applicability-End -->
<!-- DisableGenerativeFill-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableGenerativeFill
```
<!-- DisableGenerativeFill-OmaUri-End -->
<!-- DisableGenerativeFill-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to control whether generative fill functionality is disabled in the Windows Paint app.
- If this policy is enabled, generative fill functionality won't be accessible in the Paint app.
- If this policy is disabled or not configured, users will be able to access generative fill functionality.
<!-- DisableGenerativeFill-Description-End -->
<!-- DisableGenerativeFill-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableGenerativeFill-Editable-End -->
<!-- DisableGenerativeFill-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableGenerativeFill-DFProperties-End -->
<!-- DisableGenerativeFill-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Generative fill is enabled. |
| 1 | Generative fill is disabled. |
<!-- DisableGenerativeFill-AllowedValues-End -->
<!-- DisableGenerativeFill-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableGenerativeFill |
| Path | WindowsAI > AT > WindowsComponents > Paint |
<!-- DisableGenerativeFill-GpMapping-End -->
<!-- DisableGenerativeFill-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableGenerativeFill-Examples-End -->
<!-- DisableGenerativeFill-End -->
<!-- DisableImageCreator-Begin --> <!-- DisableImageCreator-Begin -->
## DisableImageCreator ## DisableImageCreator
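Review bot: The DisableGenerativeFill group policy mapping carries only `Name` and a placeholder-style `Path` of `WindowsAI > AT > WindowsComponents > Paint`, with no Friendly Name, Location, Registry Key Name, Registry Value Name or ADMX File Name rows, so an admin can't locate the setting in Group Policy or check it in the registry from this page. The Recall policies added in this file list all of those rows, and this same commit replaces the equivalent `WindowsCopilot > AT > WindowsComponents > WindowsCopilot` path for SetCopilotHardwareKey with a full mapping. Either fill in the rows here or leave the mapping table out until the ADMX data exists.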
@ -212,7 +349,7 @@ This policy setting allows you to control whether Image Creator functionality is
<!-- SetCopilotHardwareKey-Applicability-Begin --> <!-- SetCopilotHardwareKey-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5044380](https://support.microsoft.com/help/5044380) [10.0.22621.4391] and later |
<!-- SetCopilotHardwareKey-Applicability-End --> <!-- SetCopilotHardwareKey-Applicability-End -->
<!-- SetCopilotHardwareKey-OmaUri-Begin --> <!-- SetCopilotHardwareKey-OmaUri-Begin -->
@ -222,7 +359,7 @@ This policy setting allows you to control whether Image Creator functionality is
<!-- SetCopilotHardwareKey-OmaUri-End --> <!-- SetCopilotHardwareKey-OmaUri-End -->
<!-- SetCopilotHardwareKey-Description-Begin --> <!-- SetCopilotHardwareKey-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy setting determines which app opens when the user presses the Copilot key on their keyboard. This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings. - If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
@ -249,7 +386,11 @@ This policy setting determines which app opens when the user presses the Copilot
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | SetCopilotHardwareKey | | Name | SetCopilotHardwareKey |
| Path | WindowsCopilot > AT > WindowsComponents > WindowsCopilot | | Friendly Name | Set Copilot Hardware Key |
| Location | User Configuration |
| Path | Windows Components > Windows Copilot |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CopilotKey |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetCopilotHardwareKey-GpMapping-End --> <!-- SetCopilotHardwareKey-GpMapping-End -->
<!-- SetCopilotHardwareKey-Examples-Begin --> <!-- SetCopilotHardwareKey-Examples-Begin -->
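Review bot: The expanded SetCopilotHardwareKey mapping adds `Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CopilotKey` but no `Registry Value Name` row, which the other mappings in this file that list a registry key all include. The key alone isn't enough to audit the setting on a device, so add the value name or say why it's omitted.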
@ -258,6 +399,294 @@ This policy setting determines which app opens when the user presses the Copilot
<!-- SetCopilotHardwareKey-End --> <!-- SetCopilotHardwareKey-End -->
<!-- SetDenyAppListForRecall-Begin -->
## SetDenyAppListForRecall
<!-- SetDenyAppListForRecall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetDenyAppListForRecall-Applicability-End -->
<!-- SetDenyAppListForRecall-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
```
<!-- SetDenyAppListForRecall-OmaUri-End -->
<!-- SetDenyAppListForRecall-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to define a list of apps that won't be included in snapshots for Recall.
Users will be able to add additional applications to exclude from snapshots using Recall settings.
The list can include Application User Model IDs (AUMID) or name of the executable file.
Use a semicolon-separated list of apps to define the deny app list for Recall.
For example: `code.exe;Microsoft.WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
> [!IMPORTANT]
> When configuring this policy setting, changes won't take effect until the device restarts.
<!-- SetDenyAppListForRecall-Description-End -->
<!-- SetDenyAppListForRecall-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetDenyAppListForRecall-Editable-End -->
<!-- SetDenyAppListForRecall-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- SetDenyAppListForRecall-DFProperties-End -->
<!-- SetDenyAppListForRecall-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetDenyAppListForRecall |
| Friendly Name | Set a list of apps to be filtered from snapshots for Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetDenyAppListForRecall |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetDenyAppListForRecall-GpMapping-End -->
<!-- SetDenyAppListForRecall-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetDenyAppListForRecall-Examples-End -->
<!-- SetDenyAppListForRecall-End -->
<!-- SetDenyUriListForRecall-Begin -->
## SetDenyUriListForRecall
<!-- SetDenyUriListForRecall-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetDenyUriListForRecall-Applicability-End -->
<!-- SetDenyUriListForRecall-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
```
<!-- SetDenyUriListForRecall-OmaUri-End -->
<!-- SetDenyUriListForRecall-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets you define a list of URIs that won't be included in snapshots for Recall when a supported browser is used. People within your organization can use Recall settings to add more websites to the list. Define the list using a semicolon to separate URIs.
For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
Adding `https://www.WoodgroveBank.com` to the list would also filter `https://Account.WoodgroveBank.com` and `https://www.WoodgroveBank.com/Account`.
> [!IMPORTANT]
> Changes to this policy take effect after device restart.
<!-- SetDenyUriListForRecall-Description-End -->
<!-- SetDenyUriListForRecall-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetDenyUriListForRecall-Editable-End -->
<!-- SetDenyUriListForRecall-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `;`) |
<!-- SetDenyUriListForRecall-DFProperties-End -->
<!-- SetDenyUriListForRecall-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetDenyUriListForRecall |
| Friendly Name | Set a list of URIs to be filtered from snapshots for Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetDenyUriListForRecall |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetDenyUriListForRecall-GpMapping-End -->
<!-- SetDenyUriListForRecall-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetDenyUriListForRecall-Examples-End -->
<!-- SetDenyUriListForRecall-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Begin -->
## SetMaximumStorageDurationForRecallSnapshots
<!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetMaximumStorageDurationForRecallSnapshots-Applicability-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
```
<!-- SetMaximumStorageDurationForRecallSnapshots-OmaUri-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control the maximum amount of time (in days) that Windows saves snapshots for Recall.
When the policy is enabled, you can configure the maximum storage duration to be 30, 60, 90, or 180 days.
When this policy isn't configured, a time frame isn't set for deleting snapshots.
Snapshots aren't deleted until the maximum storage allocation for Recall is reached, and then the oldest snapshots are deleted first.
<!-- SetMaximumStorageDurationForRecallSnapshots-Description-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Editable-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- SetMaximumStorageDurationForRecallSnapshots-DFProperties-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Let the OS define the maximum amount of time the snapshots will be saved. |
| 30 | 30 days. |
| 60 | 60 days. |
| 90 | 90 days. |
| 180 | 180 days. |
<!-- SetMaximumStorageDurationForRecallSnapshots-AllowedValues-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetMaximumStorageDurationForRecallSnapshots |
| Friendly Name | Set maximum duration for storing snapshots used by Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetMaximumStorageDurationForRecallSnapshots |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetMaximumStorageDurationForRecallSnapshots-GpMapping-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetMaximumStorageDurationForRecallSnapshots-Examples-End -->
<!-- SetMaximumStorageDurationForRecallSnapshots-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Begin -->
## SetMaximumStorageSpaceForRecallSnapshots
<!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SetMaximumStorageSpaceForRecallSnapshots-Applicability-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
```
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
```
<!-- SetMaximumStorageSpaceForRecallSnapshots-OmaUri-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to control the maximum amount of disk space that can be used by Windows to save snapshots for Recall.
You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB.
When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity.
25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
<!-- SetMaximumStorageSpaceForRecallSnapshots-Description-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Editable-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- SetMaximumStorageSpaceForRecallSnapshots-DFProperties-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Let the OS define the maximum storage amount based on hard drive storage size. |
| 10000 | 10GB. |
| 25000 | 25GB. |
| 50000 | 50GB. |
| 75000 | 75GB. |
| 100000 | 100GB. |
| 150000 | 150GB. |
<!-- SetMaximumStorageSpaceForRecallSnapshots-AllowedValues-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SetMaximumStorageSpaceForRecallSnapshots |
| Friendly Name | Set maximum storage for snapshots used by Recall |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | SetMaximumStorageSpaceForRecallSnapshots |
| ADMX File Name | WindowsCopilot.admx |
<!-- SetMaximumStorageSpaceForRecallSnapshots-GpMapping-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-Examples-End -->
<!-- SetMaximumStorageSpaceForRecallSnapshots-End -->
<!-- TurnOffWindowsCopilot-Begin --> <!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot ## TurnOffWindowsCopilot
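Review bot: In SetMaximumStorageSpaceForRecallSnapshots the description speaks in GB ("10, 25, 50, 75, 100, or 150 GB") but the allowed values run from 10000 to 150000 and the unit of the integer is never stated. Name the unit next to the allowed values table so that nobody sets 25 expecting 25 GB. The default-allocation sentence also covers only 256 GB, 512 GB and 1 TB or higher, which leaves capacities in between undefined. For SetDenyUriListForRecall, "a supported browser" needs a link or a list, because the description makes the filter conditional on one being used.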
@ -289,6 +718,7 @@ This policy setting allows you to turn off Windows Copilot.
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
> - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/blog/windows-itpro-blog/evolving-copilot-in-windows-for-your-workforce/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices. <!--9048085--> > - The TurnOffWindowsCopilot policy isn't for the [new Copilot experience](https://techcommunity.microsoft.com/blog/windows-itpro-blog/evolving-copilot-in-windows-for-your-workforce/4141999) that's in some [Windows Insider builds](https://blogs.windows.com/windows-insider/2024/05/22/releasing-windows-11-version-24h2-to-the-release-preview-channel/) and that will be gradually rolling out to Windows 11 and Windows 10 devices. <!--9048085-->
> - This policy also applies to upgrade scenarios to prevent installation of the Copilot app from an image that would have had the Copilot in Windows pane.
<!-- TurnOffWindowsCopilot-Editable-End --> <!-- TurnOffWindowsCopilot-Editable-End -->
<!-- TurnOffWindowsCopilot-DFProperties-Begin --> <!-- TurnOffWindowsCopilot-DFProperties-Begin -->
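Review bot: The added bullet, "This policy also applies to upgrade scenarios to prevent installation of the Copilot app from an image that would have had the Copilot in Windows pane", is hard to parse and sits directly after a bullet saying the policy isn't for the new Copilot experience. Spell out which upgrade path is meant and whether the policy has to be in place before the upgrade for it to have that effect.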


@ -1,7 +1,7 @@
--- ---
title: WindowsLogon Policy CSP title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP. description: Learn more about the WindowsLogon Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/26/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -349,7 +349,7 @@ This policy setting allows you to control whether users see the first sign-in an
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | EnableFirstLogonAnimation | | Name | EnableFirstLogonAnimation |
| Friendly Name | Show first sign-in animation | | Friendly Name | Show first sign-in animation |
| Location | Computer Configuration | | Location | Computer Configuration |
| Path | System > Logon | | Path | System > Logon |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | | Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |


@ -1,7 +1,7 @@
--- ---
title: WindowsSandbox Policy CSP title: WindowsSandbox Policy CSP
description: Learn more about the WindowsSandbox Area in Policy CSP. description: Learn more about the WindowsSandbox Area in Policy CSP.
ms.date: 09/27/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -19,7 +19,7 @@ ms.date: 09/27/2024
<!-- AllowAudioInput-Applicability-Begin --> <!-- AllowAudioInput-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowAudioInput-Applicability-End --> <!-- AllowAudioInput-Applicability-End -->
<!-- AllowAudioInput-OmaUri-Begin --> <!-- AllowAudioInput-OmaUri-Begin -->
@ -54,10 +54,18 @@ Note that there may be security implications of exposing host audio input to the
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 | | Default Value | 1 |
<!-- AllowAudioInput-DFProperties-End --> <!-- AllowAudioInput-DFProperties-End -->
<!-- AllowAudioInput-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowAudioInput-AllowedValues-End -->
<!-- AllowAudioInput-GpMapping-Begin --> <!-- AllowAudioInput-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
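Review bot: The added Allowed values table describes the values only as "Not allowed." and "Allowed.", which does not say what is being allowed once the table is read apart from the policy description. Since the description for this setting notes security implications of exposing host audio input, consider wording such as "Audio input to the sandbox is not allowed." for `0` so the hardening value is unambiguous. If the text comes from the DDF generator, the fix belongs in the source DDF rather than in this file.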
@ -84,7 +92,7 @@ Note that there may be security implications of exposing host audio input to the
<!-- AllowClipboardRedirection-Applicability-Begin --> <!-- AllowClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowClipboardRedirection-Applicability-End --> <!-- AllowClipboardRedirection-Applicability-End -->
<!-- AllowClipboardRedirection-OmaUri-Begin --> <!-- AllowClipboardRedirection-OmaUri-Begin -->
@ -117,10 +125,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 | | Default Value | 1 |
<!-- AllowClipboardRedirection-DFProperties-End --> <!-- AllowClipboardRedirection-DFProperties-End -->
<!-- AllowClipboardRedirection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowClipboardRedirection-AllowedValues-End -->
<!-- AllowClipboardRedirection-GpMapping-Begin --> <!-- AllowClipboardRedirection-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
@ -182,10 +198,18 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 | | Default Value | 1 |
<!-- AllowMappedFolders-DFProperties-End --> <!-- AllowMappedFolders-DFProperties-End -->
<!-- AllowMappedFolders-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowMappedFolders-AllowedValues-End -->
<!-- AllowMappedFolders-GpMapping-Begin --> <!-- AllowMappedFolders-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
@ -212,7 +236,7 @@ Note that there may be security implications of exposing folders from the host i
<!-- AllowNetworking-Applicability-Begin --> <!-- AllowNetworking-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowNetworking-Applicability-End --> <!-- AllowNetworking-Applicability-End -->
<!-- AllowNetworking-OmaUri-Begin --> <!-- AllowNetworking-OmaUri-Begin -->
@ -247,10 +271,18 @@ Note that enabling networking can expose untrusted applications to the internal
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 | | Default Value | 1 |
<!-- AllowNetworking-DFProperties-End --> <!-- AllowNetworking-DFProperties-End -->
<!-- AllowNetworking-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowNetworking-AllowedValues-End -->
<!-- AllowNetworking-GpMapping-Begin --> <!-- AllowNetworking-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
@ -277,7 +309,7 @@ Note that enabling networking can expose untrusted applications to the internal
<!-- AllowPrinterRedirection-Applicability-Begin --> <!-- AllowPrinterRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowPrinterRedirection-Applicability-End --> <!-- AllowPrinterRedirection-Applicability-End -->
<!-- AllowPrinterRedirection-OmaUri-Begin --> <!-- AllowPrinterRedirection-OmaUri-Begin -->
@ -310,10 +342,18 @@ This policy setting enables or disables printer sharing from the host into the S
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 | | Default Value | 1 |
<!-- AllowPrinterRedirection-DFProperties-End --> <!-- AllowPrinterRedirection-DFProperties-End -->
<!-- AllowPrinterRedirection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowPrinterRedirection-AllowedValues-End -->
<!-- AllowPrinterRedirection-GpMapping-Begin --> <!-- AllowPrinterRedirection-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
@ -340,7 +380,7 @@ This policy setting enables or disables printer sharing from the host into the S
<!-- AllowVGPU-Applicability-Begin --> <!-- AllowVGPU-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowVGPU-Applicability-End --> <!-- AllowVGPU-Applicability-End -->
<!-- AllowVGPU-OmaUri-Begin --> <!-- AllowVGPU-OmaUri-Begin -->
@ -375,10 +415,18 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 | | Default Value | 1 |
<!-- AllowVGPU-DFProperties-End --> <!-- AllowVGPU-DFProperties-End -->
<!-- AllowVGPU-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowVGPU-AllowedValues-End -->
<!-- AllowVGPU-GpMapping-Begin --> <!-- AllowVGPU-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
@ -405,7 +453,7 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
<!-- AllowVideoInput-Applicability-Begin --> <!-- AllowVideoInput-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later <br> ✅ Windows 10, version 20H2 [10.0.19042.4950] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.4950] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowVideoInput-Applicability-End --> <!-- AllowVideoInput-Applicability-End -->
<!-- AllowVideoInput-OmaUri-Begin --> <!-- AllowVideoInput-OmaUri-Begin -->
@ -440,10 +488,18 @@ Note that there may be security implications of exposing host video input to the
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 | | Default Value | 1 |
<!-- AllowVideoInput-DFProperties-End --> <!-- AllowVideoInput-DFProperties-End -->
<!-- AllowVideoInput-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowVideoInput-AllowedValues-End -->
<!-- AllowVideoInput-GpMapping-Begin --> <!-- AllowVideoInput-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
@ -505,11 +561,19 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--| |:--|:--|
| Format | `int` | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 | | Default Value | 1 |
| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> | | Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- AllowWriteToMappedFolders-DFProperties-End --> <!-- AllowWriteToMappedFolders-DFProperties-End -->
<!-- AllowWriteToMappedFolders-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Not allowed. |
| 1 (Default) | Allowed. |
<!-- AllowWriteToMappedFolders-AllowedValues-End -->
<!-- AllowWriteToMappedFolders-GpMapping-Begin --> <!-- AllowWriteToMappedFolders-GpMapping-Begin -->
**Group policy mapping**: **Group policy mapping**:
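Review bot: The new Allowed values table for AllowWriteToMappedFolders lists `1 (Default) | Allowed.` without mentioning the dependency shown two rows above it, where the setting depends on `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` having the value `[1]`. A reader who looks only at the table could assume that value 1 grants write access on its own. Consider a short sentence next to the table stating that the value has effect only when AllowMappedFolders is set to 1.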

View File

@ -1,7 +1,7 @@
--- ---
title: SUPL CSP title: SUPL CSP
description: Learn more about the SUPL CSP. description: Learn more about the SUPL CSP.
ms.date: 01/18/2024 ms.date: 11/27/2024
--- ---
<!-- Auto-Generated CSP Document --> <!-- Auto-Generated CSP Document -->
@ -289,7 +289,7 @@ Required. The AppID for SUPL is automatically set to "ap0004". This is a read-on
<!-- Device-SUPL1-Ext-Microsoft-FullVersion-Description-Begin --> <!-- Device-SUPL1-Ext-Microsoft-FullVersion-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Optional. Determines the full version (X. Y. Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. Optional. Determines the full version (`X.Y.Z` where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
<!-- Device-SUPL1-Ext-Microsoft-FullVersion-Description-End --> <!-- Device-SUPL1-Ext-Microsoft-FullVersion-Description-End -->
<!-- Device-SUPL1-Ext-Microsoft-FullVersion-Editable-Begin --> <!-- Device-SUPL1-Ext-Microsoft-FullVersion-Editable-Begin -->
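Review bot: In the changed FullVersion description, `X.Y.Z` is now code-formatted but the default "1.0.0" in the next sentence is not, so the two version strings render differently. Suggest formatting the default as `1.0.0` too, and while the line is being touched, "Version field is ignored" reads better as "the Version field is ignored".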

View File

@ -837,10 +837,10 @@ items:
items: items:
- name: PassportForWork DDF file - name: PassportForWork DDF file
href: passportforwork-ddf.md href: passportforwork-ddf.md
- name: PDE - name: Personal Data Encryption
href: personaldataencryption-csp.md href: personaldataencryption-csp.md
items: items:
- name: PDE DDF file - name: Personal Data Encryption DDF file
href: personaldataencryption-ddf-file.md href: personaldataencryption-ddf-file.md
- name: Personalization - name: Personalization
href: personalization-csp.md href: personalization-csp.md

View File

@ -0,0 +1,190 @@
---
title: Sensitive information filtering in Recall
description: Learn about the types of potentially sensitive information Recall detects.
ms.topic: reference
ms.subservice: windows-copilot
ms.date: 11/22/2024
ms.author: mstewart
author: mestew
ms.collection:
- windows-copilot
- magic-ai-copilot
appliesto:
- ✅ <a href="https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs" target="_blank">Copilot+ PCs</a>
---
# Reference for sensitive information filtering in Recall
This article provides information about the types of potentially sensitive information that [Recall](manage-recall.md) detects when the **Sensitive Information Filtering** setting is enabled.
## Types of potentially sensitive information
Types of potentially sensitive information that Recall detects and filters include:
ABA Routing Number </br>
Argentina National Identity (DNI) Number </br>
Argentina Unique Tax Identification Key (CUIT/CUIL) </br>
Australia Bank Account Number </br>
Australia Drivers License Number </br>
Australia Tax File Number </br>
Austria Driver's License Number </br>
Austria Identity Card </br>
Austria Social Security Number </br>
Austria Tax Identification Number </br>
Austria Value Added Tax </br>
Azure Document DB Auth Key </br>
Azure IAAS Database Connection String and Azure SQL Connection String </br>
Azure IoT Connection String </br>
Azure Redis Cache Connection String </br>
Azure SAS </br>
Azure Secrets (Generic) </br>
Azure Service Bus Connection String </br>
Azure Storage Account Key </br>
Belgium Driver's License Number </br>
Belgium National Number </br>
Belgium Value Added Tax Number </br>
Brazil CPF Number </br>
Brazil Legal Entity Number (CNPJ) </br>
Brazil National ID Card (RG) </br>
Bulgaria Driver's License Number </br>
Bulgaria Uniform Civil Number </br>
Canada Bank Account Number </br>
Canada Driver's License Number </br>
Canada Social Insurance Number </br>
Chile Identity Card Number </br>
China Resident Identity Card (PRC) Number </br>
Colombia National ID </br>
Credit Card Number </br>
Croatia Driver's License Number </br>
Croatia Identity Card Number </br>
Croatia Personal Identification (OIB) Number </br>
Cyprus Driver's License Number </br>
Cyprus Identity Card </br>
Cyprus Tax Identification Number </br>
Czech Driver's License Number </br>
Czech Personal Identity Number </br>
DEA Number </br>
Denmark Driver's License Number </br>
Denmark Personal Identification Number </br>
Ecuador Unique Identification Number </br>
Estonia Driver's License Number </br>
Estonia Personal Identification Code </br>
EU Debit Card Number </br>
EU Driver's License Number </br>
EU National Id Card </br>
EU SSN or Equivalent Number </br>
EU Tax File Number </br>
Finland Driver's License Number </br>
Finnish National ID </br>
France CNI </br>
France Driver's License Number </br>
France INSEE </br>
France Tax Identification Number (numéro SPI.) </br>
France Value Added Tax Number </br>
General Password </br>
German Driver's License Number </br>
Germany Identity Card Number </br>
Germany Tax Identification Number </br>
Germany Value Added Tax Number </br>
Greece Driver's License Number </br>
Greece National ID Card </br>
Greece Social Security Number (AMKA) </br>
Greek Tax Identification Number </br>
Hong Kong Identity Card (HKID) number </br>
Hungarian Social Security Number (TAJ) </br>
Hungarian Value Added Tax Number </br>
Hungary Driver's License Number </br>
Hungary Personal Identification Number </br>
Hungary Tax Identification Number </br>
IBAN </br>
India Driver's License Number </br>
India GST number </br>
India Permanent Account Number </br>
India Unique Identification (Aadhaar) number </br>
India Voter Id Card </br>
Indonesia Drivers License Number </br>
Indonesia Identity Card (KTP) Number </br>
Ireland Driver's License Number </br>
Ireland Personal Public Service (PPS) Number </br>
Israel Bank Account Number </br>
Israel National ID Number </br>
Italy Driver's license Number </br>
Italy Fiscal Code </br>
Italy Value Added Tax </br>
Japan Bank Account Number </br>
Japan Driver's License Number </br>
Japan Residence Card Number </br>
Japan Resident Registration Number </br>
Japan Social Insurance Number </br>
Japanese My Number Corporate </br>
Japanese My Number Personal </br>
Latvia Driver's License Number </br>
Latvia Personal Code </br>
Lithuania Driver's License Number </br>
Lithuania Personal Code </br>
Luxembourg Driver's License Number </br>
Luxembourg National Identification Number (Natural persons) </br>
Luxembourg National Identification Number (Non-natural persons) </br>
Malaysia ID Card Number </br>
Malta Driver's License Number </br>
Malta Identity Card Number </br>
Malta Tax ID Number </br>
Mexico Unique Population Registry Code (CURP) </br>
Netherlands Citizen's Service (BSN) Number </br>
Netherlands Driver's License Number </br>
Netherlands Tax Identification Number </br>
Netherlands Value Added Tax Number </br>
New Zealand Bank Account Number </br>
New Zealand Driver License Number </br>
New Zealand Inland Revenue Number </br>
Newzealand Social Welfare Number </br>
Norway Identification Number </br>
Philippines National ID </br>
Philippines Passport Number </br>
Philippines Unified Multi-Purpose ID number </br>
Poland Driver's License Number </br>
Poland Identity Card </br>
Poland National ID (PESEL) </br>
Poland Tax Identification Number </br>
Polish REGON Number </br>
Portugal Citizen Card Number </br>
Portugal Driver's License Number </br>
Portugal Tax Identification Number </br>
Qatari ID Card Number </br>
Romania Driver's License Number </br>
Romania Personal Numerical Code (CNP) </br>
Saudi Arabia National ID </br>
Singapore Driving License Number </br>
Singapore National Registration Identity Card (NRIC) Number </br>
Slovakia Driver's License Number </br>
Slovakia Personal Number </br>
Slovenia Driver's License Number </br>
Slovenia Tax Identification Number </br>
Slovenia Unique Master Citizen Number </br>
South Africa Identification Number </br>
South Korea Driver's License Number </br>
South Korea Resident Registration Number </br>
Spain DNI </br>
Spain Driver's License Number </br>
Spain SSN </br>
Spain Tax Identification Number </br>
Sweden Driver's License Number </br>
Sweden National ID </br>
Sweden Tax Identification Number </br>
SWIFT Code </br>
Swiss SSN AHV Number </br>
Taiwan Resident Certificate (ARC/TARC) </br>
Taiwanese National ID </br>
Thai Citizen ID </br>
Turkish National Identity </br>
U.K. Driver's License Number </br>
U.K. Electoral Number </br>
U.K. NHS Number </br>
U.K. NINO </br>
U.K. Unique Taxpayer Reference Number </br>
U.S. Bank Account Number </br>
U.S. Driver's License Number </br>
U.S. Individual Taxpayer Identification Number (ITIN) </br>
U.S. Social Security Number </br>
UAE Identity Card Number </br>
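Review bot: The entry "Newzealand Social Welfare Number" is misspelled and inconsistent with the three "New Zealand ..." entries directly above it, which also affects anyone searching the page for the country name. Other entries are inconsistent in the same way: "Australia Drivers License Number" and "Indonesia Drivers License Number" lack the apostrophe used elsewhere, "Italy Driver's license Number" has a lowercase "license", and "EU National Id Card" and "India Voter Id Card" use "Id" where the rest of the list uses "ID". Separately, every line ends with `</br>`, which is not a valid tag; a Markdown bullet list would render reliably and be easier to maintain. The `appliesto` front matter also embeds a raw `<a href=... target="_blank">` element, so please check that the build accepts HTML there.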

View File

@ -51,7 +51,9 @@ items:
- name: Updated Windows and Microsoft Copilot experience - name: Updated Windows and Microsoft Copilot experience
href: manage-windows-copilot.md href: manage-windows-copilot.md
- name: Manage Recall - name: Manage Recall
href: manage-recall.md href: manage-recall.md
- name: Reference for sensitive information filtering in Recall
href: recall-sensitive-information-filtering.md
- name: Secured-Core PC Configuration Lock - name: Secured-Core PC Configuration Lock
href: config-lock.md href: config-lock.md
- name: Certificate renewal - name: Certificate renewal

View File

@ -78,7 +78,7 @@ $shellLauncherConfiguration = @"
$namespaceName="root\cimv2\mdm\dmmap" $namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess" $className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration) $obj.ShellLauncher = [System.Net.WebUtility]::HtmlEncode($shellLauncherConfiguration)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue $obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
if($cimSetError) { if($cimSetError) {
Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
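Review bot: The result of `Get-CimInstance` is assigned to `$obj` and used on the changed `$obj.ShellLauncher = ...` line without a check that an instance came back. If the query returns nothing, the failure surfaces as a property-assignment error rather than through the `$cimSetError` path that the script relies on for reporting. Suggest testing `$obj` for null and writing a clear message before the assignment. Also, `$obj = Set-CimInstance ...` is called without `-PassThru`, so the cmdlet returns no object and `$obj` is emptied; drop the assignment or add `-PassThru` if the updated instance is needed later.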
@ -86,6 +86,7 @@ if($cimSetError) {
$timeout = New-TimeSpan -Seconds 30 $timeout = New-TimeSpan -Seconds 30
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew() $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
$eventLogFilterHashTable = @{ LogName='Microsoft-Windows-AssignedAccess/Admin' }
do{ do{
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
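Review bot: The added `$eventLogFilterHashTable` filters only on `LogName`, so any event already present in `Microsoft-Windows-AssignedAccess/Admin` satisfies `$events.Count` on the first pass and the script can report entries unrelated to the failed `Set-CimInstance` call. Consider capturing a timestamp before the call and adding `StartTime` to the hashtable. The `do { ... } until` loop also calls `Get-WinEvent` back to back with no pause for up to the 30 second timeout; a short `Start-Sleep` inside the loop would avoid the busy wait.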

View File

@ -2,7 +2,7 @@
title: Configure cellular settings title: Configure cellular settings
description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles. description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles.
ms.topic: concept-article ms.topic: concept-article
ms.date: 04/23/2024 ms.date: 12/05/2024
--- ---
# Configure cellular settings # Configure cellular settings

Binary file not shown.


View File

@ -0,0 +1,133 @@
---
title: Custom Logon
description: Custom Logon
ms.date: 03/05/2024
ms.topic: overview
---
# Custom Logon
You can use the Custom Logon feature to suppress Windows UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
Custom Logon settings don't modify the credential behavior of **Winlogon**, so you can use any credential provider that is compatible with Windows 10 to provide a custom sign-in experience for your device. For more information about creating a custom logon experience, see [Winlogon and Credential Providers](/windows/win32/secauthn/winlogon-and-credential-providers).
## Requirements
Custom Logon can be enabled on:
- Windows 10 Enterprise
- Windows 10 IoT Enterprise
- Windows 10 Education
- Windows 11 Enterprise
- Windows 11 IoT Enterprise
- Windows 11 Education
## Terminology
**Turn on, enable:** To make the feature available and optionally apply settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line.
**Configure:** To customize the setting or subsettings.
**Embedded Logon:** This feature is called Embedded Logon in Windows 10, version 1511.
**Custom Logon:** This feature is called Custom Logon in Windows 10, version 1607 and later.
## Turn on Custom Logon
Custom Logon is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Custom Logon in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed and you're applying a provisioning package to configure Custom Logon, you must first turn on Custom Logon in order for a provisioning package to be successfully applied.
The Custom Logon feature is available in the Control Panel. You can set Custom Logon by following these steps:
### Turn on Custom Logon in Control Panel
1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Custom Logon**.
1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
### Turn on Custom Logon using DISM
1. Open a command prompt with administrator rights.
1. Enable the feature using the following command.
```cmd
dism /online /enable-feature /featureName:Client-EmbeddedLogon
```
## Configure Custom Logon
### Configure Custom Logon settings using Unattend
You can configure the Unattend settings in the [Microsoft-Windows-Embedded-EmbeddedLogon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon) component to add custom logon features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the custom logon settings and XML examples, see the settings in Microsoft-Windows-Embedded-EmbeddedLogon.
The following example shows how to disable all Welcome screen UI elements and the **Switch user** button.
```xml
<settings pass="specialize">
<component name="Microsoft-Windows-Embedded-EmbeddedLogon" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<BrandingNeutral>17</BrandingNeutral>
<AnimationDisabled>1</AnimationDisabled>
<NoLockScreen>1</NoLockScreen>
<UIVerbosityLevel>1</UIVerbosityLevel>
<HideAutoLogonUI>1</HideAutoLogonUI>
</component>
</settings>
```
### Remove buttons from Logon screen
To remove buttons from the Welcome screen, set the appropriate value for **BrandingNeutral** in the following registry key:
```text
HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon
```
1. Make sure you have enabled Custom Logon following the instructions in [Turn on Custom Logon](#turn-on-custom-logon).
1. In the Windows search bar, type "Registry Editor" to open the **Registry Editor** window.
1. Use the file navigation in the left pane to access **HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon**.
1. In the right pane, right click on **BrandingNeutral** and select **Modify**.
1. Select the correct **Base** and enter the value for your desired customizations according to the following table, and click **OK** to apply the changes.
> [!NOTE]
> Changing the **Base** of **BrandingNeutral** will automatically convert the value field to the selected base. To ensure you are getting the correct value, select the base before entering the value.
The following table shows the possible values. To disable multiple Logon screen UI elements together, you can select the **Decimal** base when modifying the **BrandingNeutral** value, and combine actions by adding the decimal values of the desired actions and inputting the sum as the value of **BrandingNeutral**. For example, to disable the Power button and the Language button, select the decimal option for the base, then add the decimal values of each, in this case 2 and 4 respectively, and input the total (6) as the value for **BrandingNeutral**.
| Action |Description| Registry value (Hexadecimal) | Registry value (Decimal)|
|--------|------------|----|---|
| Disable all Logon screen UI elements |Disables the Power, Language, and Ease of Access buttons on the Logon and Ctrl+Alt+Del screens. |`0x1` | 1|
| Disable the Power button |Disables the Power button on the Logon and Ctrl+Alt+Del screens.|`0x2` |2|
| Disable the Language button |Disables the Language button on the Logon and Ctrl+Alt+Del screens.|`0x4` |4|
| Disable the Ease of Access button |Disables the Ease of Access button on the Logon and Ctrl+Alt+Del screens.|`0x8` |8|
| Disable the Switch user button |Disables the Switch User button from the Ctrl+Alt+Del screen, preventing a user from switching accounts. | `0x10` |16|
|Disable the Blocked Shutdown Resolver (BSDR) screen|Disables the Blocked Shutdown Resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any open applications that are blocking system shut down. No UI is displayed, and users aren't given a chance to cancel the shutdown process. | `0x20` |32|
In the following image of the `[ctrl + alt + del]` screen, you can see the Switch user button highlighted by a light green outline, the Language button highlighted by an orange outline, the Ease of Access button highlighted by a red outline, and the power button highlighted by a yellow outline. If you disable these buttons, they're hidden from the UI.
![custom logon screen](images/customlogoncad.jpg)
You can remove the Wireless UI option from the Welcome screen by using Group Policy.
### Remove Wireless UI from Logon screen
You use the following steps to remove Wireless UI from the Welcome screen
1. From a command prompt, run gpedit.msc to open the Local Group Policy Editor.
1. In the Local Group Policy Editor, under **Computer Configuration**, expand **Administrative Templates**, expand **System**, and then tap or click **Logon**.
1. Double-tap or click **Do not display network selection UI**.
## Additional Customizations
The following table shows additional customizations that can be made using registry keys.
|Action |Path |Registry Key and Value |
|---------|---------|---------|
|Hide Autologon UI |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideAutoLogonUI = 1`|
|Hide First Logon Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideFirstLogonAnimation = 1` |
|Disable Authentication Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI |`AnimationDisabled = 1` |
|Disable Lock Screen | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization |`NoLockScreen = 1` |
## Related articles
- [Troubleshooting Custom Logon](troubleshoot.md)
- [Unbranded Boot](../unbranded-boot/index.md)
- [Shell Launcher](../shell-launcher/index.md)
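Review bot: The "Remove Wireless UI from Logon screen" procedure stops at opening **Do not display network selection UI** and never says which state to select or to apply the change, so following the steps as written leaves the policy unchanged. Please add the final step, and end the introductory sentence "You use the following steps to remove Wireless UI from the Welcome screen" with a colon. In the BrandingNeutral table, the `0x20` row describes force-closing applications with no chance to cancel; the data-loss warning for that behaviour appears only in the troubleshooting article, so a note or link next to the row would help. The front matter `description: Custom Logon` only repeats the title, and "isn't turned on by default in Windows 10" omits Windows 11 even though the Requirements list includes the Windows 11 editions.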

View File

@ -0,0 +1,105 @@
---
title: Troubleshooting Custom Logon
description: Troubleshooting Custom Logon
ms.date: 05/02/2017
ms.topic: troubleshooting
---
# Troubleshooting Custom Logon
This section highlights some common issues that you may encounter when using Custom Logon.
## When automatic sign-in is enabled, the device asks for a password when resuming from sleep or hibernate
This can occur when your device is configured to require a password when waking up from a sleep state.
### To disable password protection on wake-up
1. If you have write filters enabled on your device, perform the following steps to disable them so that you can save setting changes:
1. At an administrator command prompt, type the following command:
```cmd
uwfmgr.exe filter disable
```
1. To restart the device, type the following command:
```cmd
uwfmgr.exe restart
```
1. In **Contol Panel**, search for **Power Options** , and then select the Power Options heading.
1. Under the **Power Options** heading, select **Require a password on wake up**.
1. On the **Define power buttons and turn on password protection** page, under **Password protection on wakeup**, select **Don't require a password**.
1. If you have disabled write filters, perform the following steps to enable them again:
1. At an administrator command prompt, type the following command:
```cmd
uwfmgr.exe filter enable
```
1. To restart the device, type the following command:
```cmd
uwfmgr.exe restart
```
## The device displays a black screen during setup
Set the **HideAutoLogonUI** and **AnimationDisabled** settings to **0** (zero). The device will then display a default screen during setup.
## The device displays a black screen when Ctrl+Alt+Del is pressed
**HideAutoLogonUI** and**ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
## The device displays a black screen when Windows key + L is used to lock the device
**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
### The device displays a black screen when Notepad is opened, any characters are typed and the current user signs out, or the device is rebooted, or the device is shut down
**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the Blocked Shutdown Resolver Screen (BSDR).
> [!WARNING]
> When the BSDR screen is disabled, restarting, or shutting down the device causes the OS to immediately force close any open applications that are blocking system shutdown. No UI is displayed, and users aren't given a chance to cancel the shutdown process. This can result in lost data if any open applications have unsaved data.
## The device displays a black screen when the device is suspended and then resumed
**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the password protection on wake-up.
### To disable password protection on wake-up
1. In **Control Panel**, select **Power Options**.
1. In the **Power Options** item, select **Require a password on wake up**.
1. On the **Define power buttons and turn on password protection** page, under **Password protection on wake up**, select **Don't require a password**.
### The device displays a black screen when a password expiration screen is displayed
**HideAutoLogonUI** has a known issue. To avoid a black screen, we recommend you set the password to never expire.
### To set a password to never expire on an individual user account
1. On your device, open a command prompt with administrator privileges.
1. Type the following, replacing *&lt;accountname&gt;* with the name of the account you want to remove the password expiration from.
```cmd
net accounts <accountname> /expires:never
```
### To set passwords to never expire on all user accounts
1. On your device, open a command prompt with administrator privileges.
1. Type the following
```cmd
net accounts /MaxPWAge:unlimited
```
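Review bot: Under "To set a password to never expire on an individual user account", `net accounts <accountname> /expires:never` does not do what the heading says: `net accounts` sets machine-wide password policy and takes no account name, and `/expires` is a `net user` switch that controls when the account expires, not its password. Suggest a per-account command instead, for example `Set-LocalUser -Name <accountname> -PasswordNeverExpires $true`. The workarounds on this page (no password on wake, passwords that never expire, disabling BSDR) all relax sign-in protections, but only the BSDR one carries a warning; a sentence scoping the others to dedicated-purpose devices would be consistent. Smaller points: "Contol Panel" in the first procedure, the missing space in "and**ForceAutoLogon**", "Type the following" without a colon, three issue headings at `###` while the rest are `##`, and the "To disable password protection on wake-up" procedure appearing twice with different wording.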

View File

@ -80,12 +80,18 @@
"assigned-access//**/*.yml": "paolomatarazzo", "assigned-access//**/*.yml": "paolomatarazzo",
"cellular//**/*.md": "paolomatarazzo", "cellular//**/*.md": "paolomatarazzo",
"cellular//**/*.yml": "paolomatarazzo", "cellular//**/*.yml": "paolomatarazzo",
"custom-logon//**/*.md": "terrywarwick",
"custom-logon//**/*.yml": "terrywarwick",
"keyboard-filter//**/*.md": "terrywarwick",
"keyboard-filter//**/*.yml": "terrywarwick",
"lock-screen//**/*.md": "paolomatarazzo", "lock-screen//**/*.md": "paolomatarazzo",
"lock-screen//**/*.yml": "paolomatarazzo", "lock-screen//**/*.yml": "paolomatarazzo",
"provisioning-packages//**/*.md": "vinaypamnani-msft", "provisioning-packages//**/*.md": "vinaypamnani-msft",
"provisioning-packages//**/*.yml": "vinaypamnani-msft", "provisioning-packages//**/*.yml": "vinaypamnani-msft",
"shared-pc//**/*.md": "paolomatarazzo", "shared-pc//**/*.md": "paolomatarazzo",
"shared-pc//**/*.yml": "paolomatarazzo", "shared-pc//**/*.yml": "paolomatarazzo",
"shell-launcher//**/*.md": "terrywarwick",
"shell-launcher//**/*.yml": "terrywarwick",
"start//**/*.md": "paolomatarazzo", "start//**/*.md": "paolomatarazzo",
"start//**/*.yml": "paolomatarazzo", "start//**/*.yml": "paolomatarazzo",
"store//**/*.md": "paolomatarazzo", "store//**/*.md": "paolomatarazzo",
@ -94,6 +100,10 @@
"taskbar//**/*.yml": "paolomatarazzo", "taskbar//**/*.yml": "paolomatarazzo",
"tips//**/*.md": "paolomatarazzo", "tips//**/*.md": "paolomatarazzo",
"tips//**/*.yml": "paolomatarazzo", "tips//**/*.yml": "paolomatarazzo",
"unbranded-boot//**/*.md": "terrywarwick",
"unbranded-boot//**/*.yml": "terrywarwick",
"unified-write-filter//**/*.md": "terrywarwick",
"unified-write-filter//**/*.yml": "terrywarwick",
"wcd//**/*.md": "vinaypamnani-msft", "wcd//**/*.md": "vinaypamnani-msft",
"wcd//**/*.yml": "vinaypamnani-msft" "wcd//**/*.yml": "vinaypamnani-msft"
}, },
@ -104,12 +114,18 @@
"assigned-access//**/*.yml": "paoloma", "assigned-access//**/*.yml": "paoloma",
"cellular//**/*.md": "paoloma", "cellular//**/*.md": "paoloma",
"cellular//**/*.yml": "paoloma", "cellular//**/*.yml": "paoloma",
"custom-logon//**/*.md": "twarwick",
"custom-logon//**/*.yml": "twarwick",
"lock-screen//**/*.md": "paoloma", "lock-screen//**/*.md": "paoloma",
"keyboard-filter//**/*.md": "twarwick",
"keyboard-filter//**/*.yml": "twarwick",
"lock-screen//**/*.yml": "paoloma", "lock-screen//**/*.yml": "paoloma",
"provisioning-packages//**/*.md": "vinpa", "provisioning-packages//**/*.md": "vinpa",
"provisioning-packages//**/*.yml": "vinpa", "provisioning-packages//**/*.yml": "vinpa",
"shared-pc//**/*.md": "paoloma", "shared-pc//**/*.md": "paoloma",
"shared-pc//**/*.yml": "paoloma", "shared-pc//**/*.yml": "paoloma",
"shell-launcher//**/*.md": "twarwick",
"shell-launcher//**/*.yml": "twarwick",
"start//**/*.md": "paoloma", "start//**/*.md": "paoloma",
"start//**/*.yml": "paoloma", "start//**/*.yml": "paoloma",
"store//**/*.md": "paoloma", "store//**/*.md": "paoloma",
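Review bot: In this mapping the two `keyboard-filter` entries land between `"lock-screen//**/*.md"` and `"lock-screen//**/*.yml"`, whereas the earlier mapping in the same file (the `terrywarwick` block) puts them before both `lock-screen` entries. Move them up so each folder's `.md` and `.yml` lines stay adjacent and both mappings keep the same alphabetical order.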
@ -118,6 +134,10 @@
"taskbar//**/*.yml": "paoloma", "taskbar//**/*.yml": "paoloma",
"tips//**/*.md": "paoloma", "tips//**/*.md": "paoloma",
"tips//**/*.yml": "paoloma", "tips//**/*.yml": "paoloma",
"unbranded-boot//**/*.md": "twarwick",
"unbranded-boot//**/*.yml": "twarwick",
"unified-write-filter//**/*.md": "twarwick",
"unified-write-filter//**/*.yml": "twarwick",
"wcd//**/*.md": "vinpa", "wcd//**/*.md": "vinpa",
"wcd//**/*.yml": "vinpa" "wcd//**/*.yml": "vinpa"
}, },

View File

@ -11,7 +11,7 @@ metadata:
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
manager: aaroncz manager: aaroncz
ms.date: 04/25/2024 ms.date: 12/05/2024
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new

View File

@ -0,0 +1,74 @@
---
title: Disable all blocked key combinations
description: Disable all blocked key combinations
ms.date: 01/13/2025
ms.topic: reference
---
# Disable all blocked key combinations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell script uses the WMI providers to disable all blocked key combinations for Keyboard Filter by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. The key combination configurations aren't removed, but Keyboard Filter stops blocking any keys.
## Disable-all-rules.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This Windows PowerShell script shows how to enumerate all existing keyboard filter
rules and how to disable them by setting the Enabled property directly.
.Description
For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode,
set the Enabled property to false/0 to disable the filter rule, thus
allowing all key sequences through the filter.
.Parameter ComputerName
Optional parameter to specify the remote computer that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param(
[String]$ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
foreach {
if ($_.Enabled) {
$_.Enabled = 0;
$_.Put() | Out-Null;
Write-Host Disabled $_.Id
}
}
Get-WMIObject -class WEKF_CustomKey @CommonParams |
foreach {
if ($_.Enabled) {
$_.Enabled = 0;
$_.Put() | Out-Null;
Write-Host Disabled $_.Id
}
}
Get-WMIObject -class WEKF_Scancode @CommonParams |
foreach {
if ($_.Enabled) {
$_.Enabled = 0;
$_.Put() | Out-Null;
"Disabled {0}+{1:X4}" -f $_.Modifiers,$_.Scancode
}
}
```
## Related articles
- [Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
- [Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
- [Keyboard filter](index.md)
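Review bot: The introductory sentence names the mechanism twice ("uses the WMI providers to disable ... by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter"); keep one mention and expand the acronym there. In the script, the `WEKF_PredefinedKey` and `WEKF_CustomKey` loops report through `Write-Host Disabled $_.Id` while the `WEKF_Scancode` loop emits a formatted string to the pipeline, so a caller that captures output sees only the scan code rows; pick one style. Because the script turns off every rule, and can do so on a remote machine through `-ComputerName`, the article should also state what privileges are needed to run it.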

View File

@ -0,0 +1,144 @@
---
title: Keyboard Filter
description: Keyboard Filter
ms.date: 01/13/2025
ms.topic: overview
---
# Keyboard Filter
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, a customer can use certain Microsoft Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to alter the operation of a device by locking the screen or using Task Manager to close a running application. This behavior might not be desirable if your device is intended for a dedicated purpose.
The Keyboard Filter feature works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard. Switching from one language to another might cause the location of suppressed keys on the keyboard layout to change. Keyboard Filter detects these dynamic layout changes and continues to suppress keys correctly.
> [!NOTE]
> Keyboard filter is not supported in a remote desktop session.
## Terminology
- **Turn on, enable:** Make the setting available to the device and optionally apply the settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line
- **Configure:** To customize the setting or subsettings
- **Embedded Keyboard Filter:** This feature is called Embedded Keyboard Filter in Windows 10, version 1511
- **Keyboard Filter:** This feature is called Keyboard Filter in Windows 10, version 1607 and later
## Turn on Keyboard Filter
By default, Keyboard Filter isn't turned on. You can turn Keyboard Filter on or off for your device by using the following steps.
Turning on an off Keyboard Filter requires that you restart your device. Keyboard Filter is automatically enabled after the restart.
### Turn on Keyboard Filter by using Control Panel
1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Keyboard Filter**.
1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
1. Restart your device to apply the changes.
### Configure Keyboard using Unattend
1. You can configure the Unattend settings in the [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice) component to add Keyboard Filter features to your image during the design or imaging phase.
1. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the keyboard filter settings and XML examples, see the settings in [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice).
### Turn on and configure Keyboard Filter using Windows Configuration Designer
The Keyboard Filter settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image deployment time or runtime. You can set one or all keyboard filter settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime.
1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package), selecting the **Advanced Provisioning** option.
> [!Note]
> In the **Choose which settings to view and configure** window, choose **Common to all Windows desktop editions**.
1. On the **Available customizations** page, select **Runtime settings** &gt; **SMISettings**, and then set the desired values for the keyboard filter settings.
1. Once you have finished configuring the settings and building the provisioning package, you can apply the package to the image deployment time or runtime. For more information, see [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package).
This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package. For more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
### Turn on and configure Keyboard Filter by using DISM
1. Open a command prompt with administrator privileges.
1. Enable the feature using the following command.
```cmd
Dism /online /Enable-Feature /FeatureName:Client-KeyboardFilter
```
1. Once the script completes, restart the device to apply the change.
## Keyboard Filter features
Keyboard Filter has the following features:
- Supports hardware keyboards, the standard Windows on-screen keyboard, and the touch keyboard (TabTip.exe)
- Suppresses key combinations even when they come from multiple keyboards
For example, if a user presses the Ctrl key and the Alt key on a hardware keyboard, while at the same time pressing Delete on a software keyboard, Keyboard Filter can still detect and suppress the Ctrl+Alt+Delete functionality.
- Supports numeric keypads and keys designed to access media player and browser functionality
- Can configure a key to breakout of a locked down user session to return to the Welcome screen
- Automatically handles dynamic layout changes
- Can be enabled or disabled for administrator accounts
- Can force disabling of Ease of Access functionality
- Supports x86 and x64 architectures
## Keyboard scan codes and layouts
When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout. The layout defines the mapping of keys on the physical keyboard, and has many variants. A key on a keyboard always sends the same scan code when pressed, however this scan code can map to different virtual keys for different layouts. For example, in the English (United States) keyboard layout, the key to the right of the P key maps to `{`. However, in the Swedish (Sweden) keyboard layout, the same key maps to `Å`.
Keyboard Filter can block keys either by the scan code or the virtual key. Blocking keys by the scan code is useful for custom keyboards that have special scan codes that don't translate into any single virtual key. Blocking keys by the virtual key is more convenient because it's easier to read and Keyboard Filter suppresses the key correctly even when the location of the key changes because of a layout change.
When you configure Keyboard Filter to block keys by using the virtual key, you must use the English names for the virtual keys. For more information about the names of the virtual keys, see keyboard filter key names.
For the Windows on-screen keyboard, keyboard filter converts each keystroke into a scan code based on the layout, and back into a virtual key. This allows keyboard filter to suppress the on-screen keyboard keys in the same manner as physical keyboard keys if they're configured with either scan code or virtual key.
## Keyboard Filter and ease of access features
By default, ease of access features are enabled and Keyboard Filter is disabled for administrator accounts.
If Sticky Keys are enabled, a user can bypass Keyboard Filter in certain situations. You can configure keyboard filter to disable all ease of access features and prevent users from enabling them.
You can enable ease of access features for administrator accounts, while still disabling them for standard user accounts, by making sure that Keyboard Filter is disabled for administrator accounts.
## Keyboard Filter configuration
You can configure the following options for Keyboard Filter:
- Set/unset predefined key combinations to be suppressed
- Add/remove custom defined key combinations to be suppressed
- Enable/disable keyboard filter for administrator accounts
- Force disabling ease of access features
- Configure a breakout key sequence to break out of a locked down account
Most configuration changes take effect immediately. Some changes, such as enabling or disabling Keyboard Filter for administrators, don't take effect until the user signs out of the account and then back in. If you change the breakout key scan code, you must restart the device before the change take effect.
You can configure keyboard filter by using Windows Management Instrumentation (WMI) providers. You can use the Keyboard Filter WMI providers directly in a PowerShell script or in an application.
For more information about Keyboard Filter WMI providers, see [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md).
## Keyboard breakout
You may need to sign in to a locked down device with a different account in order to service or configure the device. You can configure a breakout key to break out of a locked down account by specifying a key scan code. A user can press this key consecutively five times to switch to the Welcome screen so that you can sign in to a different account.
The breakout key is set to the scan code for the left Windows logo key by default. You can use the [WEKF_Settings](wekf-settings.md) WMI class to change the breakout key scan code. If you change the breakout key scan code, you must restart the device before the change takes effect.
## Keyboard Filter considerations
Starting a device in Safe Mode bypasses keyboard filter. The Keyboard Filter service isn't loaded in Safe Mode, and keys aren't blocked in Safe Mode.
Keyboard filter can't block the Sleep key.
Some hardware keys, such as rotation lock, don't have a defined virtual key. You can still block these keys by using the scan code of the key.
The add (+), multiply (\*), subtract (-), divide (/), and decimal (.) keys have different virtual keys and scan codes on the numeric keypad than on the main keyboard. You must block both keys to block these keys. For example, to block the multiply key, you must add a rule to block "\*" and a rule to block Multiply.
When locking the screen by using the on-screen keyboard, or a combination of a physical keyboard and the on-screen keyboard, the on-screen keyboard sends an extra Windows logo key keystroke to the OS. If your device is using the Windows 10 shell and you use keyboard filter to block Windows logo key+L, the extra Windows logo key keystroke causes the shell to switch between the **Start** screen and the last active app when a user attempts to lock the device by using the on-screen keyboard, which may be unexpected behavior.
Some custom keyboard software, such as Microsoft IntelliType Pro, can install Keyboard Filter drivers that prevent Keyboard Filter from being able to block some or all keys, typically extended keys like BrowserHome and Search.
## In this section
- [Keyboard Filter key names](keyboardfilter-key-names.md)
- [Predefined key combinations](predefined-key-combinations.md)
- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
- [Windows PowerShell script samples for Keyboard Filter](keyboardfilter-powershell-script-samples.md)
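Review bot: "Keyboard Filter and ease of access features" says a user can bypass the filter when Sticky Keys are enabled and that ease of access is on by default, but it never names the setting that forces it off or links to where it is configured; link the `WEKF_Settings` page already referenced under "Keyboard breakout". The other bypass conditions (Safe Mode, the five-press breakout key defaulting to the left Windows logo key) are spread across later sections, and a short cross-reference from this section would let a reader see them together. Separately, the sentence "This example uses a Windows image called install.wim..." is stranded at the end of the Windows Configuration Designer steps, and the DISM section that follows shows only `Dism /online`, so either add the offline example or drop the sentence. Typos: "Turning on an off", "breakout of a locked down user session", "before the change take effect", the heading "Configure Keyboard using Unattend" missing "Filter", and "see keyboard filter key names" is not linked although the page is listed under "In this section".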

View File

@ -0,0 +1,160 @@
---
title: Add blocked key combinations
description: Add blocked key combinations
ms.date: 01/13/2025
ms.topic: reference
---
# Add blocked key combinations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create three functions to configure Keyboard Filter so that Keyboard Filter blocks key combinations. It demonstrates several ways to use each function.
The first function, `Enable-Predefine-Key`, blocks key combinations that are predefined for Keyboard Filter.
The second function, `Enable-Custom-Key`, blocks custom key combinations by using the English key names.
The third function, `Enable-Scancode`, blocks custom key combinations by using the keyboard scan code for the key.
## Enable-rules.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This script shows how to use the built in WMI providers to enable and add
keyboard filter rules through Windows PowerShell on the local computer.
.Parameter ComputerName
Optional parameter to specify a remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Enable-Predefined-Key($Id) {
<#
.Synopsis
Toggle on a Predefined Key keyboard filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances,
filter against key value "Id", and set that instance's "Enabled"
property to 1/true.
.Example
Enable-Predefined-Key "Ctrl+Alt+Del"
Enable CAD filtering
#>
$predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
where {
$_.Id -eq "$Id"
};
if ($predefined) {
$predefined.Enabled = 1;
$predefined.Put() | Out-Null;
Write-Host Enabled $Id
} else {
Write-Error "$Id is not a valid predefined key"
}
}
function Enable-Custom-Key($Id) {
<#
.Synopsis
Toggle on a Custom Key keyboard filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_CustomKey instances,
filter against key value "Id", and set that instance's "Enabled"
property to 1/true.
In the case that the Custom instance does not exist, add a new
instance of WEKF_CustomKey using Set-WMIInstance.
.Example
Enable-Custom-Key "Ctrl+V"
Enable filtering of the Ctrl + V sequence.
#>
$custom = Get-WMIObject -class WEKF_CustomKey @CommonParams |
where {
$_.Id -eq "$Id"
};
if ($custom) {
# Rule exists. Just enable it.
$custom.Enabled = 1;
$custom.Put() | Out-Null;
"Enabled Custom Filter $Id.";
} else {
Set-WMIInstance `
-class WEKF_CustomKey `
-argument @{Id="$Id"} `
@CommonParams | Out-Null
"Added Custom Filter $Id.";
}
}
function Enable-Scancode($Modifiers, [int]$Code) {
<#
.Synopsis
Toggle on a Scancode keyboard filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_Scancode instances,
filter against key values of "Modifiers" and "Scancode", and set
that instance's "Enabled" property to 1/true.
In the case that the Scancode instance does not exist, add a new
instance of WEKF_Scancode using Set-WMIInstance.
.Example
Enable-Scancode "Ctrl" 37
Enable filtering of the Ctrl + keyboard scancode 37 (base-10)
sequence.
#>
$scancode =
Get-WMIObject -class WEKF_Scancode @CommonParams |
where {
($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)
}
if($scancode) {
$scancode.Enabled = 1
$scancode.Put() | Out-Null
"Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
} else {
Set-WMIInstance `
-class WEKF_Scancode `
-argument @{Modifiers="$Modifiers"; Scancode=$Code} `
@CommonParams | Out-Null
"Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
}
}
# Some example uses of the functions defined above.
Enable-Predefined-Key "Ctrl+Alt+Del"
Enable-Predefined-Key "Ctrl+Esc"
Enable-Custom-Key "Ctrl+V"
Enable-Custom-Key "Numpad0"
Enable-Custom-Key "Shift+Numpad1"
Enable-Custom-Key "%"
Enable-Scancode "Ctrl" 37
```
## Related topics
[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard filter](index.md)
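Review bot: The prose introduces the first function as `Enable-Predefine-Key`, but the script defines and calls `Enable-Predefined-Key`; fix the name in the text so a reader who copies it gets a function that exists. As in the disable script, output is inconsistent: `Enable-Predefined-Key` uses `Write-Host` while `Enable-Custom-Key` and `Enable-Scancode` return strings. The closing section is titled "Related topics" with three unbulleted links that will render as one run-on line; the sibling pages use "Related articles" with a bullet list.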

View File

@ -0,0 +1,179 @@
---
title: Keyboard Filter key names
description: Keyboard Filter key names
ms.date: 01/13/2025
ms.topic: reference
---
# Keyboard Filter key names
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
You can configure Keyboard Filter to block keys or key combinations. A key combination consists of one or more modifier keys, separated by a plus sign (+), and either a key name or a key scan code. In addition to the keys listed in the following tables, you can use the predefined key combinations names as custom key combinations. However, we recommend using the predefined key settings when enabling or disabling predefined key combinations.
The key names are grouped as follows:
- [Modifier keys](#modifier-keys)
- [System keys](#system-keys)
- [Cursor and edit keys](#cursor-and-edit-keys)
- [State keys](#state-keys)
- [OEM keys](#oem-keys)
- [Function keys](#function-keys)
- [Numeric keypad keys](#numeric-keypad-keys)
## Modifier keys
You can use the modifier keys listed in the following table when you configure keyboard filter. Multiple modifiers are separated by a plus sign (+). You can also configure Keyboard Filter to block any modifier key even if it's not part of a key combination.
| Modifier key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `Ctrl` | VK_CONTROL | The <kbd>Ctrl</kbd> key |
| `LCtrl` | VK_LCONTROL | The left <kbd>Ctrl</kbd> key |
| `RCtrl` | VK_RCONTROL | The right <kbd>Ctrl</kbd> key |
| `Control` | VK_CONTROL | The <kbd>Ctrl</kbd> key |
| `LControl` | VK_LCONTROL | The left <kbd>Ctrl</kbd> key |
| `RControl` | VK_RCONTROL | The right <kbd>Ctrl</kbd> key |
| `Alt` | VK_MENU | The <kbd>Alt</kbd> key |
| `LAlt` | VK_LMENU | The left <kbd>Alt</kbd> key |
| `RAlt` | VK_RMENU | The right <kbd>Alt</kbd> key |
| `Shift` | VK_SHIFT | The <kbd>Shift</kbd> key |
| `LShift` | VK_LSHIFT | The left <kbd>Shift</kbd> key |
| `RShift` | VK_RSHIFT | The right <kbd>Shift</kbd> key |
| `Win` | VK_WIN | The <kbd>Windows</kbd> logo key |
| `LWin` | VK_LWIN | The left <kbd>Windows</kbd> logo key |
| `RWin` | VK_RWIN | The right <kbd>Windows</kbd> logo key |
| `Windows` | VK_WIN | The <kbd>Windows</kbd> logo key |
| `LWindows` | VK_LWIN | The left <kbd>Windows</kbd> logo key |
| `RWindows` | VK_RWIN | The right <kbd>Windows</kbd> key |
## System keys
| Modifier key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `Ctrl` | VK_CONTROL | The <kbd>Ctrl</kbd> key |
| `LCtrl` | VK_LCONTROL | The left <kbd>Ctrl</kbd> key |
| `RCtrl` | VK_RCONTROL | The right <kbd>Ctrl</kbd> key |
| `Control` | VK_CONTROL | The <kbd>Ctrl</kbd> key |
| `LControl` | VK_LCONTROL | The left <kbd>Ctrl</kbd> key |
| `RControl` | VK_RCONTROL | The right <kbd>Ctrl</kbd> key |
| `Alt` | VK_MENU | The <kbd>Alt</kbd> key |
| `LAlt` | VK_LMENU | The left <kbd>Alt</kbd> key |
| `RAlt` | VK_RMENU | The right <kbd>Alt</kbd> key |
| `Shift` | VK_SHIFT | The <kbd>Shift</kbd> key |
| `LShift` | VK_LSHIFT | The left <kbd>Shift</kbd> key |
| `RShift` | VK_RSHIFT | The right <kbd>Shift</kbd> key |
| `Win` | VK_WIN | The <kbd>Windows</kbd> logo key |
| `LWin` | VK_LWIN | The left <kbd>Windows</kbd> logo key |
| `RWin` | VK_RWIN | The right <kbd>Windows</kbd> logo key |
| `Windows` | VK_WIN | The <kbd>Windows</kbd> logo key |
| `LWindows` | VK_LWIN | The left <kbd>Windows</kbd> logo key |
| `RWindows` | VK_RWIN | The right <kbd>Windows</kbd> logo key |
## Cursor and edit keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `PageUp` | VK_PRIOR | The <kbd>Page Up</kbd> key |
| `Prior` | VK_PRIOR | The <kbd>Page Up</kbd> key |
| `PgUp` | VK_PRIOR | The <kbd>Page Up</kbd> key |
| `PageDown` | VK_NEXT | The <kbd>Page Down</kbd> key |
| `PgDown` | VK_NEXT | The <kbd>Page Down</kbd> key |
| `Next` | VK_NEXT | The <kbd>Page Down</kbd> key |
| `End` | VK_END | The <kbd>End</kbd> key |
| `Home` | VK_HOME | The <kbd>Home</kbd> key |
| `Left` | VK_LEFT | The <kbd>Left Arrow</kbd> key |
| `Up` | VK_UP | The <kbd>Up Arrow</kbd> key |
| `Right` | VK_RIGHT | The <kbd>Right Arrow</kbd> key |
| `Down` | VK_DOWN | The <kbd>Down Arrow</kbd> key |
| `Insert` | VK_INSERT | The <kbd>Insert</kbd> key |
| `Delete` | VK_DELETE | The <kbd>Delete</kbd> key |
| `Del` | VK_DELETE | The <kbd>Delete</kbd> key |
| `Separator` | VK_SEPARATOR | The <kbd>Separator</kbd> key |
## State keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `NumLock` | VK_NUMLOCK | The <kbd>Num Lock</kbd> key |
| `ScrollLock` | VK_SCROLL | The <kbd>Scroll Lock</kbd> key |
| `Scroll` | VK_SCROLL | The <kbd>Scroll Lock</kbd> key |
| `CapsLock` | VK_CAPITAL | The <kbd>Caps Lock</kbd> key |
| `Capital` | VK_CAPITAL | The <kbd>Caps Lock</kbd> key |
## OEM keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `KeypadEqual` | VK_OEM_NEC_EQUAL | The <kbd>Equals (=)</kbd> key on the numeric keypad (OEM-specific) |
| `Dictionary` | VK_OEM_FJ_JISHO | The Dictionary key (OEM-specific) |
| `Unregister` | VK_OEM_FJ_MASSHOU | The Unregister Word key (OEM-specific) |
| `Register` | VK_OEM_FJ_TOUROKU | The Register Word key (OEM-specific) |
| `LeftOyayubi` | VK_OEM_FJ_LOYA | The Left OYAYUBI key (OEM-specific) |
| `RightOyayubi` | VK_OEM_FJ_ROYA | The Right OYAYUBI key (OEM-specific) |
| `OemPlus` | VK_OEM_PLUS | For any country/region, the <kbd>Plus Sign (+)</kbd> key |
| `OemComma` | VK_OEM_COMMA | For any country/region, the <kbd>Comma (,)</kbd> key |
| `OemMinus` | VK_OEM_MINUS | For any country/region, the <kbd>Minus Sign (-)</kbd> key |
| `OemPeriod` | VK_OEM_PERIOD | For any country/region, the <kbd>Period (.)</kbd> key |
| `Oem1` | VK_OEM_1 | Varies by keyboard |
| `Oem2` | VK_OEM_2 | Varies by keyboard |
| `Oem3` | VK_OEM_3 | Varies by keyboard |
| `Oem4` | VK_OEM_4 | Varies by keyboard |
| `Oem5` | VK_OEM_5 | Varies by keyboard |
| `Oem6` | VK_OEM_6 | Varies by keyboard |
| `Oem7` | VK_OEM_7 | Varies by keyboard |
| `Oem8` | VK_OEM_8 | Varies by keyboard |
| `OemAX` | VK_OEM_AX | The <kbd>AX</kbd> key on a Japanese AX keyboard |
| `Oem102` | VK_OEM_102 | Either the angle bracket key or the backslash key on the RT 102-key keyboard |
## Function keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `F1` | VK_F1 | The <kbd>F1</kbd> key |
| `F2` | VK_F2 | The <kbd>F2</kbd> key |
| `F3` | VK_F3 | The <kbd>F3</kbd> key |
| `F4` | VK_F4 | The <kbd>F4</kbd> key |
| `F5` | VK_F5 | The <kbd>F5</kbd> key |
| `F6` | VK_F6 | The <kbd>F6</kbd> key |
| `F7` | VK_F7 | The <kbd>F7</kbd> key |
| `F8` | VK_F8 | The <kbd>F8</kbd> key |
| `F9` | VK_F9 | The <kbd>F9</kbd> key |
| `F10` | VK_F10 | The <kbd>F10</kbd> key |
| `F11` | VK_F11 | The <kbd>F11</kbd> key |
| `F12` | VK_F12 | The <kbd>F12</kbd> key |
| `F13` | VK_F13 | The <kbd>F13</kbd> key |
| `F14` | VK_F14 | The <kbd>F14</kbd> key |
| `F15` | VK_F15 | The <kbd>F15</kbd> key |
| `F16` | VK_F16 | The <kbd>F16</kbd> key |
| `F17` | VK_F17 | The <kbd>F17</kbd> key |
| `F18` | VK_F18 | The <kbd>F18</kbd> key |
| `F19` | VK_F19 | The <kbd>F19</kbd> key |
| `F20` | VK_F20 | The <kbd>F20</kbd> key |
| `F21` | VK_F21 | The <kbd>F21</kbd> key |
| `F22` | VK_F22 | The <kbd>F22</kbd> key |
| `F23` | VK_F23 | The <kbd>F23</kbd> key |
| `F24` | VK_F24 | The <kbd>F24</kbd> key |
## Numeric keypad keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `Numpad0` | VK_NUMPAD0 | The <kbd>0</kbd> key on the numeric keypad |
| `Numpad1` | VK_NUMPAD1 | The <kbd>1</kbd> key on the numeric keypad |
| `Numpad2` | VK_NUMPAD2 | The <kbd>2</kbd> key on the numeric keypad |
| `Numpad3` | VK_NUMPAD3 | The <kbd>3</kbd> key on the numeric keypad |
| `Numpad4` | VK_NUMPAD4 | The <kbd>4</kbd> key on the numeric keypad |
| `Numpad5` | VK_NUMPAD5 | The <kbd>5</kbd> key on the numeric keypad |
| `Numpad6` | VK_NUMPAD6 | The <kbd>6</kbd> key on the numeric keypad |
| `Numpad7` | VK_NUMPAD7 | The <kbd>7</kbd> key on the numeric keypad |
| `Numpad8` | VK_NUMPAD8 | The <kbd>8</kbd> key on the numeric keypad |
| `Numpad9` | VK_NUMPAD9 | The <kbd>9</kbd> key on the numeric keypad |
| `Multiply` | VK_MULTIPLY | The <kbd>Multiply (*)</kbd> key on the numeric keypad |
| `Add` | VK_ADD | The <kbd>Add (+)</kbd> key on the numeric keypad |
| `Subtract` | VK_SUBTRACT | The <kbd>Subtract (-)</kbd> key on the numeric keypad |
| `Decimal` | VK_DECIMAL | The <kbd>Decimal (.)</kbd> key on the numeric keypad |
| `Divide` | VK_DIVIDE | The <kbd>Divide (/)</kbd> key on the numeric keypad |
## Related articles
- [Keyboard filter](index.md)
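
Review bot: The `Oem1` through `Oem8` rows in the OEM keys table say only "Varies by keyboard", so a reader cannot tell which physical key a rule using one of these names will block. Add the character each one produces on a reference layout, or link to the virtual-key code reference. `CapsLock` and `Capital` both map to VK_CAPITAL with identical descriptions; say that they are aliases.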

View File

@ -0,0 +1,71 @@
---
title: List all configured key combinations
description: List all configured key combinations
ms.date: 01/13/2025
ms.topic: reference
---
# List all configured key combinations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to displays all key combination configurations for Keyboard Filter.
## List-rules.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
Enumerate all active keyboard filter rules on the system.
.Description
For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode,
get the Enabled property. If Enabled, then output a short description
of the rule.
.Parameter ComputerName
Optional parameter to specify the remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
write-host Enabled Predefined Keys -foregroundcolor cyan
Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
foreach {
if ($_.Enabled) {
write-host $_.Id
}
}
write-host Enabled Custom Keys -foregroundcolor cyan
Get-WMIObject -class WEKF_CustomKey @CommonParams |
foreach {
if ($_.Enabled) {
write-host $_.Id
}
}
write-host Enabled Scancodes -foregroundcolor cyan
Get-WMIObject -class WEKF_Scancode @CommonParams |
foreach {
if ($_.Enabled) {
"{0}+{1:X4}" -f $_.Modifiers, $_.Scancode
}
}
```
## Related articles
[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard filter](index.md)
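
Review bot: In List-rules.ps1 the predefined-key and custom-key loops print with `write-host $_.Id`, while the scancode loop emits `"{0}+{1:X4}" -f $_.Modifiers, $_.Scancode` to the pipeline, so piping or redirecting the script captures only the scancode rules. For a script meant to show which combinations are blocked, emit all three sets to the pipeline and keep write-host for the coloured headings. The .Description also promises "a short description of the rule" but only the Id is printed. In the intro sentence, "to displays" should be "to display".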

View File

@ -0,0 +1,26 @@
---
title: Windows PowerShell script samples for Keyboard Filter
description: Windows PowerShell script samples for Keyboard Filter
ms.date: 01/13/2025
ms.topic: reference
---
# Windows PowerShell script samples for Keyboard Filter
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The list below describes sample Windows PowerShell scripts that demonstrate how to use the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
| Script | Description |
| ------ | ----------- |
| [Add blocked key combinations](keyboardfilter-add-blocked-key-combinations.md) | Demonstrates how to block key combinations for Keyboard Filter.|
| [Disable all blocked key combinations](disable-all-blocked-key-combinations.md) | Demonstrates how to disable all blocked key combinations for Keyboard Filter. |
| [List all configured key combinations](keyboardfilter-list-all-configured-key-combinations.md) | Demonstrates how to list all defined key combination configurations for Keyboard Filter. |
| [Modify global settings](modify-global-settings.md) | Demonstrates how to modify global settings for Keyboard Filter. |
| [Remove key combination configurations](remove-key-combination-configurations.md) | Demonstrates how to remove a custom defined key combination configuration for Keyboard Filter. |
## Related articles
[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard Filter](index.md)

View File

@ -0,0 +1,23 @@
---
title: Keyboard Filter WMI provider reference
description: Keyboard Filter WMI provider reference
ms.date: 01/13/2025
ms.topic: reference
---
# Keyboard Filter WMI provider reference
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Describes the Windows Management Instrumentation (WMI) provider classes that you use to configure Keyboard Filter during run time.
| WMI Provider Class | Description |
| ------------------ | ----------- |
| [WEKF_CustomKey](wekf-customkey.md) | Blocks or unblocks custom defined key combinations. |
| [WEKF_PredefinedKey](wekf-predefinedkey.md) | Blocks or unblocks predefined key combinations. |
| [WEKF_Scancode](wekf-scancode.md) | Blocks or unblocks key combinations by using keyboard scan codes. |
| [WEKF_Settings](wekf-settings.md) | Enables or disables settings for Keyboard Filter. |
## Related topics
[Keyboard filter](index.md)

View File

@ -0,0 +1,172 @@
---
title: Modify global settings
description: Modify global settings
ms.date: 01/13/2025
ms.topic: how-to
---
# Modify global settings
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell scripts use the Windows Management Instrumentation (WMI) providers to modify global settings for Keyboard Filter.
The function **Get-Setting** retrieves the value of a global setting for Keyboard Filter.
In the first script, the function **Set-DisableKeyboardFilterForAdministrators** modifies the value of the **DisableKeyboardFilterForAdministrators** setting.
In the second script, the function **Set-ForceOffAccessibility** modifies the value of the **ForceOffAccessibility** setting.
## Set-DisableKeyboardFilterForAdministrators.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This script shows how to enumerate WEKF_Settings to find global settings
that can be set on the keyboard filter. In this specific script, the
global setting to be set is "DisableKeyboardFilterForAdministrators".
.Parameter ComputerName
Optional parameter to specify a remote computer that this script should
manage. If not specified, the script will execute all WMI operations
locally.
.Parameter On
Switch if present that sets "DisableKeyboardFilterForAdministrators" to
true. If not present, sets the setting to false.
#>
param (
[Switch] $On = $False,
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"};
if ($PSBoundParameters.ContainsKey("ComputerName")) {
$CommonParams += @{"ComputerName" = $ComputerName};
}
function Get-Setting([String] $Name) {
<#
.Synopsis
Get a WMIObject by name from WEKF_Settings
.Parameter Name
The name of the setting, which is the key for the WEKF_Settings class.
#>
$Entry = Get-WMIObject -class WEKF_Settings @CommonParams |
where {
$_.Name -eq $Name
}
return $Entry
}
function Set-DisableKeyboardFilterForAdministrators([Bool] $Value) {
<#
.Synopsis
Set the DisableKeyboardFilterForAdministrators setting to true or
false.
.Description
Set DisableKeyboardFilterForAdministrators to true or false based
on $Value
.Parameter Value
A Boolean value
#>
$Setting = Get-Setting("DisableKeyboardFilterForAdministrators")
if ($Setting) {
if ($Value) {
$Setting.Value = "true"
} else {
$Setting.Value = "false"
}
$Setting.Put() | Out-Null;
} else {
Write-Error "Unable to find DisableKeyboardFilterForAdministrators setting";
}
}
Set-DisableKeyboardFilterForAdministrators $On
```
## Set-ForceOffAccessibility.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This script shows how to enumerate WEKF_Settings to find global settings
that can be set on the keyboard filter. In this specific script, the
global setting to be set is "ForceOffAccessibility".
.Parameter ComputerName
Optional parameter to specify a remote computer that this script should
manage. If not specified, the script will execute all WMI operations
locally.
.Parameter Enabled
Switch if present that sets "ForceOffAccessibility" to true. If not
present, sets the setting to false.
#>
param (
[Switch] $Enabled = $False,
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"};
if ($PSBoundParameters.ContainsKey("ComputerName")) {
$CommonParams += @{"ComputerName" = $ComputerName};
}
function Get-Setting([String] $Name) {
<#
.Synopsis
Get a WMIObject by name from WEKF_Settings
.Parameter Name
The name of the setting, which is the key for the WEKF_Settings class.
#>
$Entry = Get-WMIObject -class WEKF_Settings @CommonParams |
where {
$_.Name -eq $Name
}
return $Entry
}
function Set-ForceOffAccessibility([Bool] $Value) {
<#
.Synopsis
Set the ForceOffAccessibility setting to true or false.
.Description
Set ForceOffAccessibility to true or false based on $Value
.Parameter Value
A Boolean value
#>
$Setting = Get-Setting("ForceOffAccessibility")
if ($Setting) {
if ($Value) {
$Setting.Value = "true"
} else {
$Setting.Value = "false"
}
$Setting.Put() | Out-Null;
} else {
Write-Error "Unable to find ForceOffAccessibility setting";
}
}
Set-ForceOffAccessibility $Enabled
```
## Related topics
[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
[WEKF_Settings](wekf-settings.md)
[Keyboard filter](index.md)
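
Review bot: Both scripts write the setting on every run: `[Switch] $On = $False` (and `[Switch] $Enabled = $False` in the second script) is passed straight to the setter, so invoking either script with no arguments sets the value to "false" rather than reporting the current state. The intro should say this, and should state what DisableKeyboardFilterForAdministrators and ForceOffAccessibility control, since the page only names them. The two switches are also named differently (-On and -Enabled) for the same role, and `Get-Setting` is duplicated verbatim in both scripts.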

View File

@ -0,0 +1,160 @@
---
title: Predefined key combinations
description: Predefined key combinations
ms.date: 01/13/2025
ms.topic: reference
---
# Predefined key combinations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This topic lists a set of key combinations that are predefined by a keyboard filter. You can list the value of the WEKF_PredefinedKey.Id to get a complete list of key combinations defined by a keyboard filter.
You can use the values in the WEKF_PredefinedKey.Id column to configure the Windows Management Instrumentation (WMI) class [WEKF_PredefinedKey](wekf-predefinedkey.md).
## Accessibility keys
The following table contains predefined key combinations for accessibility:
| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
|:-------------------------------------|:--------------------------|:----------------------------|
| Left Alt + Left Shift + Print Screen | **LShift+LAlt+PrintScrn** | Open High Contrast. |
| Left Alt + Left Shift + Num Lock | **LShift+LAlt+NumLock** | Open Mouse Keys. |
| Windows logo key + U | **Win+U** | Open Ease of Access Center. |
## Application keys
The following table contains predefined key combinations for controlling application state:
| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
|:----------------------|:----------------------|:-------------------|
| Alt + F4 | **Alt+F4** | Close application. |
| Ctrl + F4 | **Ctrl+F4** | Close window. |
| Windows logo key + F1 | **Win+F1** | Open Windows Help. |
## Shell keys
The following table contains predefined key combinations for general UI control:
| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
|:---------------------------------------|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------|
| Alt + Spacebar | **Alt+Space** | Open shortcut menu for the active window. |
| Ctrl + Esc | **Ctrl+Esc** | Open the Start screen. |
| Ctrl + Windows logo key + F | **Ctrl+Win+F** | Open Find Computers. |
| Windows logo key + Break | **Win+Break** | Open System dialog box. |
| Windows logo key + E | **Win+E** | Open Windows Explorer. |
| Windows + F | **Win+F** | Open Search. |
| Windows logo key + P | **Win+P** | Cycle through Presentation Mode. Also blocks the Windows logo key + Shift + P and the Windows logo key + Ctrl + P key combinations. |
| Windows logo key + R | **Win+R** | Open Run dialog box. |
| Alt + Tab | **Alt+Tab** | Switch task. Also blocks the Alt + Shift + Tab key combination. |
| Ctrl + Tab | **Ctrl+Tab** | Switch window. |
| Windows logo key + Tab | **Win+Tab** | Cycle through Microsoft Store apps. Also blocks the Windows logo key + Ctrl + Tab and Windows logo key + Shift + Tab key combinations. |
| Windows logo key + D | **Win+D** | Show desktop. |
| Windows logo key + M | **Win+M** | Minimize all windows. |
| Windows logo key + Home | **Win+Home** | Minimize or restore all inactive windows. |
| Windows logo key + T | **Win+T** | Set focus on taskbar and cycle through programs. |
| Windows logo key + B | **Win+B** | Set focus in the notification area. |
| Windows logo key + Minus Sign | **Win+-** | Zoom out. |
| Windows logo key + Plus Sign | **Win++** | Zoom in. |
| Windows logo key + Esc | **Win+Esc** | Close Magnifier application. |
| Windows logo key + Up Arrow | **Win+Up** | Maximize the active window. |
| Windows logo key + Down Arrow | **Win+Down** | Minimize the active window. |
| Windows logo key + Left Arrow | **Win+Left** | Snap the active window to the left half of screen. |
| Windows logo key + Right Arrow | **Win+Right** | Snap the active window to the right half of screen. |
| Windows logo key + Shift + Up Arrow | **Win+Shift+Up** | Maximize the active window vertically. |
| Windows logo key + Shift + Down Arrow | **Win+Shift+Down** | Minimize the active window. |
| Windows logo key + Shift + Left Arrow | **Win+Shift+Left** | Move the active window to left monitor. |
| Windows logo key + Shift + Right Arrow | **Win+Shift+Right** | Move the active window to right monitor. |
| Windows logo key + Spacebar | **Win+Space** | Switch layout. |
| Windows logo key + O | **Win+O** | Lock device orientation. |
| Windows logo key + Page Up | **Win+PageUp** | Move a Microsoft Store app to the left monitor. |
| Windows logo key + Page Down | **Win+PageDown** | Move a Microsoft Store app to right monitor. |
| Windows logo key + Period | **Win+.** | Snap the current screen to the left or right gutter. Also blocks the Windows logo key + Shift + Period key combination. |
| Windows logo key + C | **Win+C** | Activate Cortana in listening mode (after user has enabled the shortcut through the UI). |
| Windows logo key + I | **Win+I** | Open Settings charm. |
| Windows logo key + K | **Win+K** | Open Connect charm. |
| Windows logo key + H | **Win+H** | Start dictation. |
| Windows logo key + Q | **Win+Q** | Open Search charm. |
| Windows logo key + W | **Win+W** | Open Windows Ink workspace. |
| Windows logo key + Z | **Win+Z** | Open app bar. |
| Windows logo key + / | **Win+/** | Open input method editor (IME). |
| Windows logo key + J | **Win+J** | Swap between snapped and filled applications. |
| Windows logo key + Comma | **Win+,** | Peek at the desktop. |
| Windows logo key + V | **Win+V** | Cycle through toasts in reverse order. |
## Modifier keys
The following table contains predefined key combinations for modifier keys (such as Shift and Ctrl):
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:-----------------|:----------------------|:-----------------------|
| Alt | **Alt** | Both Alt keys |
| Application | **Application** | Application key |
| Ctrl | **Ctrl** | Both Ctrl keys |
| Shift | **Shift** | Both Shift keys |
| Windows logo key | **Windows** | Both Windows logo keys |
## Security keys
The following table contains predefined key combinations for OS security:
| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
|:-----------------------|:----------------------|:----------------------------------|
| Ctrl + Alt + Delete | **Ctrl+Alt+Del** | Open the Windows Security screen. |
| Ctrl + Shift + Esc | **Shift+Ctrl+Esc** | Open Task Manager. |
| Windows logo key + L | **Win+L** | Lock the device. |
## Extended shell keys
The following table contains predefined key combinations for extended shell functions (such as automatically opening certain apps):
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:--------------------|:----------------------|:------------------------|
| LaunchMail | **LaunchMail** | Start Mail key |
| LaunchMediaSelect | **LaunchMediaSelect** | Select Media key |
| LaunchApp1 | **LaunchApp1** | Start Application 1 key |
| LaunchApp2 | **LaunchApp2** | Start Application 2 key |
## Browser keys
The following table contains predefined key combinations for controlling the browser:
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:-----------------|:----------------------|:---------------------------|
| BrowserBack | **BrowserBack** | Browser Back key |
| BrowserForward | **BrowserForward** | Browser Forward key |
| BrowserRefresh | **BrowserRefresh** | Browser Refresh key |
| BrowserStop | **BrowserStop** | Browser Stop key |
| BrowserSearch | **BrowserSearch** | Browser Search key |
| BrowserFavorites | **BrowserFavorites** | Browser Favorites key |
| BrowserHome | **BrowserHome** | Browser Start and Home key |
## Media keys
The following table contains predefined key combinations for controlling media playback:
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:----------------|:----------------------|:---------------------|
| VolumeMute | **VolumeMute** | Volume Mute key |
| VolumeDown | **VolumeDown** | Volume Down key |
| VolumeUp | **VolumeUp** | Volume Up key |
| MediaNext | **MediaNext** | Next Track key |
| MediaPrev | **MediaPrev** | Previous Track key |
| MediaStop | **MediaStop** | Stop Media key |
| MediaPlayPause | **MediaPlayPause** | Play/Pause Media key |
## Microsoft Surface keyboard keys
The following table contains predefined key combinations for Microsoft Surface devices:
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:------------------------------|:----------------------|:-------------|
| Left Alt + Windows logo key | **AltWin** | Share key |
| Left Ctrl + Windows logo key | **CtrlWin** | Devices key |
| Left Shift + Windows logo key | **ShiftWin** | Search key |
| F21 | **F21** | Settings key |
## Related topics
[Keyboard filter](index.md)
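
Review bot: In the Shell keys table the **Win+F** row gives the combination as "Windows + F" where every other row says "Windows logo key"; make it "Windows logo key + F". In the same table **Win+Shift+Down** carries the same blocked behavior text as **Win+Down** ("Minimize the active window."), which is worth confirming. In the Security keys table the displayed combination "Ctrl + Shift + Esc" orders the modifiers differently from its Id **Shift+Ctrl+Esc**; a sentence telling readers to copy the Id column verbatim would prevent mismatched rules.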

View File

@ -0,0 +1,106 @@
---
title: Remove key combination configurations
description: Remove key combination configurations
ms.date: 01/13/2025
ms.topic: reference
---
# Remove key combination configurations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create two functions to remove custom-defined key combination configurations from Keyboard Filter. It demonstrates several ways to use each function.
The first function, **Remove-Custom-Key**, removes custom key combination configurations.
The second function, **Remove-Scancode**, removes custom scan code configurations.
You can't remove the predefined key combination configurations for Keyboard Filter, but you can disable them.
## Remove-rules.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This script shows how to use the build in WMI providers to remove keyboard filter rules. Rules of type WEKF_PredefinedKey cannot be removed.
.Parameter ComputerName
Optional parameter to specify the remote computer that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param(
[string] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Remove-Custom-Key($Id) {
<#
.Synopsis
Remove an instance of WEKF_CustomKey
.Description
Enumerate all instances of WEKF_CustomKey. When an instance has an
Id that matches $Id, delete it.
.Example
Remove-Custom-Key "Ctrl+V"
This removes the instance of WEKF_CustomKey with a key Id of "Ctrl+V"
#>
$customInstance = Get-WMIObject -class WEKF_CustomKey @CommonParams |
where {$_.Id -eq $Id}
if ($customInstance) {
$customInstance.Delete();
"Removed Custom Filter $Id.";
} else {
"Custom Filter $Id does not exist.";
}
}
function Remove-Scancode($Modifiers, [int]$Code) {
<#
.Synopsis
Remove and instance of WEKF_Scancode
.Description
Enumerate all instances of WEKF_Scancode. When an instance has a
matching modifiers and code, delete it.
.Example
Remove-Scancode "Ctrl" 37
This removes the instance of WEKF_Scancode with Modifiers="Ctrl" and
Scancode=37.
#>
$scancodeInstance = Get-WMIObject -class WEKF_Scancode @CommonParams |
where {($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)}
if ($scancodeInstance) {
$scancodeInstance.Delete();
"Removed Scancode $Modifiers+$Code.";
} else {
"Scancode $Modifiers+$Code does not exist.";
}
}
# Some example uses of the functions defined above.
Remove-Custom-Key "Ctrl+V"
Remove-Custom-Key "Numpad0"
Remove-Custom-Key "Shift+Numpad1"
Remove-Custom-Key "%"
Remove-Scancode "Ctrl" 37
```
## Related articles
[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard filter](index.md)
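
Review bot: The example call `Remove-Custom-Key "%"` near the end of Remove-rules.ps1 conflicts with the WEKF_CustomKey remarks added in this same commit, which say a Shift-modified key must be entered as Shift + the unmodified key and that specifying % results in 5 being blocked instead. Replace it with "Shift+5" or drop it. Two typos in the help blocks: "build in WMI providers" should be "built-in", and "Remove and instance of WEKF_Scancode" should be "Remove an instance".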

View File

@ -0,0 +1,53 @@
items:
- name: Keyboard Filter
items:
- name: About keyboard filter
href: index.md
- name: Key Names
href: keyboardfilter-key-names.md
- name: Predefined Key Combinations
href: keyboardfilter-list-all-configured-key-combinations.md
- name: WMI Provider Reference
items:
- name: Overview
href: keyboardfilter-wmi-provider-reference.md
- name: Class WEKF_CustomKey
items:
- name: Overview
href: wekf-customkey.md
- name: Add
href: wekf-customkeyadd.md
- name: Remove
href: wekf-customkeyremove.md
- name: Class WEKF_PredefinedKey
items:
- name: Overview
href: wekf-predefinedkey.md
- name: Disable
href: wekf-predefinedkeydisable.md
- name: Enable
href: wekf-predefinedkeyenable.md
- name: Class WEKF_Scancode
items:
- name: Overview
href: wekf-scancode.md
- name: Add
href: wekf-scancodeadd.md
- name: Remove
href: wekf-scancoderemove.md
- name: Class WEKF-Settings
href: wekf-settings.md
- name: PowerShell script samples
items:
- name: Overview
href: keyboardfilter-powershell-script-samples.md
- name: Add blocked key Combinations
href: keyboardfilter-add-blocked-key-combinations.md
- name: Disable all blocked key Combinations
href: disable-all-blocked-key-combinations.md
- name: List all configured key combinations
href: keyboardfilter-list-all-configured-key-combinations.md
- name: Modify global settings
href: modify-global-settings.md
- name: Remove key combination configurations
href: remove-key-combination-configurations.md
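
Review bot: The "Predefined Key Combinations" entry has href keyboardfilter-list-all-configured-key-combinations.md, the same target as "List all configured key combinations" under PowerShell script samples, so the predefined key combinations article added in this commit is not reachable from the TOC. Point that entry at the predefined key combinations file. "Class WEKF-Settings" uses a hyphen where the class is WEKF_Settings, and entry capitalization is mixed ("Add blocked key Combinations").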

View File

@ -0,0 +1,128 @@
---
title: WEKF_CustomKey
description: WEKF_CustomKey
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_CustomKey
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Adds or removes custom-defined key combinations.
## Syntax
```powershell
class WEKF_CustomKey {
[Static] uint32 Add(
[In] string CustomKey
);
[Static] uint32 Remove(
[In] string CustomKey
);
[Key] string Id;
[Read, Write] boolean Enabled;
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Methods
| Methods | Description |
|---------|-------------|
| [WEKF_CustomKey.Add](wekf-customkeyadd.md) | Creates a new custom key combination and enables Keyboard Filter to block the new key combination. |
| [WEKF_CustomKey.Remove](wekf-customkeyremove.md) | Removes the specified custom key combination. Keyboard Filter stops blocking the key combination that was removed. |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|--------------|
| **Id** | string | [key] | The name of the custom key combination. |
| **Enabled** | Boolean | [read, write] | Indicates if the key is blocked or unblocked. This property can be one of the following values </br>- **true** Indicates that the key is blocked.</br>- **false** Indicates that the key isn't blocked. |
### Remarks
You can specify key combinations by including the modifier keys in the name. The most common modifier names are <kbd>>Ctrl</kbd>, <kbd>>Shift</kbd>, <kbd>>Alt</kbd>, and <kbd>>Win</kbd>. You can't block a combination of non-modifier keys. For example, you can block a key combination of <kbd>>Ctrl</kbd>+<kbd>>Shift</kbd>+<kbd>>F</kbd>, but you can't block a key combination of <kbd>>A</kbd>+<kbd>>D</kbd>.
When you block a <kbd>>Shift</kbd>-modified key, you must enter the key as <kbd>>Shift</kbd> + the unmodified key. For example, to block the <kbd>>%</kbd> key on an English keyboard layout, you must specify the key as <kbd>>Shift</kbd>+<kbd>>5</kbd>. Attempting to block <kbd>>%</kbd>, results in Keyboard Filter blocking <kbd>>5</kbd> instead.
When you specify the key combination to block, you must use the English names for the keys. For a list of the key names you can specify, see Keyboard Filter key names.
## Example
The following code demonstrates how to add or enable a custom key combination that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly and doesn't call any of the methods defined in **WEKF_CustomKey**.
```powershell
<#
.Synopsis
This script shows how to use the WMI provider to enable and add
Keyboard Filter rules through Windows PowerShell on the local computer.
.Parameter ComputerName
Optional parameter to specify a remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Enable-Custom-Key($Id) {
<#
.Synopsis
Toggle on a Custom Key Keyboard Filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_CustomKey instances,
filter against key value "Id", and set that instance's "Enabled"
property to 1/true.
In the case that the Custom instance does not exist, add a new
instance of WEKF_CustomKey using Set-WMIInstance.
.Example
Enable-Custom-Key "Ctrl+V"
Enable filtering of the Ctrl + V sequence.
#>
$custom = Get-WMIObject -class WEKF_CustomKey @CommonParams |
where {
$_.Id -eq "$Id"
};
if ($custom) {
# Rule exists. Just enable it.
$custom.Enabled = 1;
$custom.Put() | Out-Null;
"Enabled Custom Filter $Id.";
} else {
Set-WMIInstance `
-class WEKF_CustomKey `
-argument @{Id="$Id"} `
@CommonParams | Out-Null
"Added Custom Filter $Id.";
}
}
# Some example uses of the function defined above.
Enable-Custom-Key "Ctrl+V"
Enable-Custom-Key "Numpad0"
Enable-Custom-Key "Shift+Numpad1"
```
## Related articles
[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard Filter key names](keyboardfilter-key-names.md)
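
Review bot: In the Remarks paragraphs every key is written as `<kbd>>Ctrl</kbd>` with a stray `>` inside the element, so the rendered page will show ">Ctrl", ">Shift", ">%" and so on; remove the extra character throughout both paragraphs. The phrase "see Keyboard Filter key names" in the next paragraph is plain text and should link to keyboardfilter-key-names.md, as the Related articles list does.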

View File

@ -0,0 +1,94 @@
---
title: WEKF_CustomKey.Add
description: WEKF_CustomKey.Add
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_CustomKey.Add
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Creates a new custom key combination and enables Keyboard Filter to block the new key combination.
## Syntax
```powershell
[Static] uint32 Add(
[In] string CustomKey
);
```
## Parameters
**CustomKey**</br>\[in\] The custom key combination to add. For a list of valid key names, see [Keyboard Filter key names](keyboardfilter-key-names.md).
## Return Value
Returns an HRESULT value that indicates a [WMI Non-Error Constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI Error Constant](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
**WEKF_CustomKey.Add** creates a new **WEKF_CustomKey** object and sets the **Enabled** property of the new object to **true**, and the **Id** property to *CustomKey*.
If a **WEKF_CustomKey** object already exists with the **Id** property equal to *CustomKey*, then **WEKF_CustomKey.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_CustomKey** object has the **Enabled** property set to **false**, Keyboard Filter does not block the custom key combination.
## Example
The following code demonstrates how to add or enable a custom key that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
```powershell
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods
$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey"
# Create a function to add or enable a key combination for Keyboard Filter to block
function Enable-Custom-Key($KeyId) {
# Check to see if the custom key object already exists
$objCustomKey = Get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey |
where {$_.Id -eq "$KeyId"};
if ($objCustomKey) {
# The custom key already exists, so just enable it
$objCustomKey.Enabled = 1;
$objCustomKey.Put() | Out-Null;
"Enabled ${KeyId}.";
} else {
# Create a new custom key object by calling the static Add method
$retval = $classCustomKey.Add($KeyId);
# Check the return value to verify that the Add is successful
if ($retval.ReturnValue -eq 0) {
"Added ${KeyID}."
} else {
"Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
}
}
}
# Enable Keyboard Filter to block several custom keys
Enable-Custom-Key "Ctrl+v"
Enable-Custom-Key "Ctrl+v"
Enable-Custom-Key "Shift+4"
Enable-Custom-Key "Ctrl+Alt+w"
# List all the currently existing custom keys
$objCustomKeyList = get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey
foreach ($objCustomKeyItem in $objCustomKeyList) {
"Custom key: " + $objCustomKeyItem.Id
" enabled: " + $objCustomKeyItem.Enabled
}
```
## Related articles
- [WEKF_CustomKey](wekf-customkey.md)
- [Keyboard Filter](index.md)
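
Review bot: The sample defines `$COMPUTER` and uses it in the `[wmiclass]` path, but both `Get-WMIObject` calls pass only `-namespace`, so if `$COMPUTER` is changed the existence check and the final listing query the local machine while `Add` runs against the remote one. Pass `-ComputerName $COMPUTER` to both queries. The repeated `Enable-Custom-Key "Ctrl+v"` line looks like a copy error; if it is meant to exercise the already-exists branch, say so in a comment.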

View File

@ -0,0 +1,86 @@
---
title: WEKF_CustomKey.Remove
description: WEKF_CustomKey.Remove
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_CustomKey.Remove
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Removes a custom key combination, causing Keyboard Filter to stop blocking the removed key combination.
## Syntax
```powershell
[Static] uint32 Remove(
[In] string CustomKey
);
```
## Parameters
**CustomKey**</br>\[in\] The custom key combination to remove.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
**WEKF_CustomKey.Remove** removes an existing **WEKF_CustomKey** object. If the object doesn't exist, **WEKF_CustomKey.Remove** returns an error with the value 0x8007007B.
Because this method is static, you can't call it on an object instance, but must instead call it at the class level.
## Example
The following code demonstrates how to remove a custom key from Keyboard Filter so it's no longer blocked by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
```powershell
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods
$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey"
# Create a function to remove a key combination
function Remove-Custom-Key($KeyId) {
# Call the static Remove() method on the class reference
$retval = $classCustomKey.Remove($KeyId)
# Check the return value for status
if ($retval.ReturnValue -eq 0) {
# Custom key combination removed successfully
"Removed ${KeyID}."
} elseif ($retval.ReturnValue -eq 2147942523) {
# No object exists with the specified custom key
"Failed to remove ${KeyID}. No object found."
} else {
# Unknown error, report error code in hexadecimal
"Failed to remove ${KeyID}. Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
}
}
# Example of removing a custom key so that Keyboard Filter stops blocking it
Remove-Custom-Key "Ctrl+Alt+w"
# Example of removing all custom keys that have the Enabled property set to false
$objDisabledCustomKeys = Get-WmiObject -Namespace $NAMESPACE -Class WEKF_CustomKey;
foreach ($objCustomKey in $objDisabledCustomKeys) {
if (!$objCustomKey.Enabled) {
Remove-Custom-Key($objCustomKey.Id);
}
}
```
## Related topics
- [WEKF_CustomKey](wekf-customkey.md)
- [Keyboard Filter](index.md)
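Review bot: The `elseif ($retval.ReturnValue -eq 2147942523)` branch in the example compares against an unlabeled decimal literal, while the Remarks section documents the same condition as 0x8007007B. Add a comment on that line stating the decimal value is 0x8007007B so readers can connect the two. The loop at the end names its collection `$objDisabledCustomKeys` even though the query returns every custom key and the filtering happens in the `if`; a neutral name would be more accurate. `Remove-Custom-Key($objCustomKey.Id);` uses method-call parentheses where the earlier call uses normal PowerShell argument syntax. The closing heading is "Related topics" where the sibling pages in this commit use "Related articles". Since this method unblocks a key on a locked-down device, it would also help to repeat the administrator-only note that the WEKF_PredefinedKey page carries, if it applies here.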

View File

@ -0,0 +1,112 @@
---
title: WEKF_PredefinedKey
description: WEKF_PredefinedKey
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_PredefinedKey
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This class blocks or unblocks predefined key combinations, such as Ctrl+Alt+Delete.
## Syntax
```powershell
class WEKF_PredefinedKey {
[Static] uint32 Enable (
[In] string PredefinedKey
);
[Static] uint32 Disable (
[In] string PredefinedKey
);
[Key] string Id;
[Read, Write] boolean Enabled;
};
```
## Members
The following tables list any constructors, methods, fields, and properties that belong to this class.
### Methods
| Methods | Description |
|:-----------------------------------------------------------|:---------------------------------------|
| [WEKF_PredefinedKey.Enable](wekf-predefinedkeyenable.md) | Blocks the specified predefined key. |
| [WEKF_PredefinedKey.Disable](wekf-predefinedkeydisable.md) | Unblocks the specified predefined key. |
### Properties
| Property | Data type | Qualifiers | Description |
|:------------|:----------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Id** | string | [key] | The name of the predefined key combination. |
| **Enabled** | Boolean | [read, write] | Indicates whether the key is blocked or unblocked. To indicate that the key is blocked, specify **true**. To indicate that the key isn't blocked, specify **false**. |
### Remarks
All accounts have read access to the **WEKF_PRedefinedKey** class, but only administrator accounts can modify the class.
For a list of predefined key combinations for Keyboard Filter, see [Predefined key combinations](predefined-key-combinations.md).
## Example
The following sample Windows PowerShell script blocks the Ctrl+Alt+Delete and the Ctrl+Esc key combinations when the Keyboard Filter service is running.
```powershell
<#
.Synopsis
This script shows how to use the built in WMI providers to enable and add
Keyboard Filter rules through Windows PowerShell on the local computer.
.Parameter ComputerName
Optional parameter to specify a remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Enable-Predefined-Key($Id) {
<#
.Synposis
Toggle on a Predefined Key Keyboard Filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances,
filter against key value "Id", and set that instance's "Enabled"
property to 1/true.
.Example
Enable-Predefined-Key "Ctrl+Alt+Delete"
Enable CAD filtering
#>
$predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
where {
$_.Id -eq "$Id"
};
if ($predefined) {
$predefined.Enabled = 1;
$predefined.Put() | Out-Null;
Write-Host Enabled $Id
} else {
Write-Error $Id is not a valid predefined key
}
}
# Some example uses of the function defined above.
Enable-Predefined-Key "Ctrl+Alt+Delete"
Enable-Predefined-Key "Ctrl+Esc"
```
## Related articles
- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
- [Keyboard Filter](index.md)
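Review bot: `Write-Error $Id is not a valid predefined key` in the else branch of `Enable-Predefined-Key` passes several bare words as separate positional arguments. `Write-Error` binds only one positional message, so the failure path raises a parameter-binding error instead of the intended message. Quote it as a single string, for example `Write-Error "$Id is not a valid predefined key"`. In the same function the comment-based help keyword is misspelled as `.Synposis`, so the help block will not be parsed as intended; it should be `.Synopsis`. In Remarks, **WEKF_PRedefinedKey** has a stray capital R. The Remarks heading is level three here, which nests it under Members, while the method pages use level two.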

View File

@ -0,0 +1,34 @@
---
title: WEKF_PredefinedKey.Disable
description: WEKF_PredefinedKey.Disable
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_PredefinedKey.Disable
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Unblocks the specified predefined key combination.
## Syntax
```powershell
[Static] uint32 Disable(
[In] string PredefinedKey
);
```
## Parameters
**PredefinedKey**</br>\[in\] The predefined key combination to unblock. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md).
## Return Value
Returns an HRESULT value that indicates [WMI Non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
## Related articles
- [WEKF_PredefinedKey](wekf-predefinedkey.md)
- [Keyboard Filter](index.md)
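Review bot: This page has no Remarks section, so it does not say what `Disable` returns when *PredefinedKey* is not a recognized name, or that only administrator accounts can modify the class, which the WEKF_PredefinedKey page states. Because this method is what unblocks combinations such as Ctrl+Alt+Delete, both points belong here. The Return Value sentence reads "indicates [WMI Non-error constant]" with no article and different capitalization from the Enable page; align the wording across the method pages. `</br>` in the Parameters entry is not a valid tag; use `<br>` or `<br/>`.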

View File

@ -0,0 +1,33 @@
---
title: WEKF_PredefinedKey.Enable
description: WEKF_PredefinedKey.Enable
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_PredefinedKey.Enable
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This method blocks the specified predefined key combination.
## Syntax
```powershell
[Static] uint32 Enable(
[In] string PredefinedKey
);
```
## Parameters
**PredefinedKey**</br>The predefined key combination to block. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md).
## Return Value
Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
## Related articles
- [WEKF_PredefinedKey](wekf-predefinedkey.md)
- [Keyboard Filter](index.md)
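Review bot: The **PredefinedKey** entry under Parameters omits the `\[in\]` direction marker that the matching entry on the Disable page includes, so the two pages describe the same parameter differently. Make them consistent. As on the Disable page, there is no Remarks section describing the result for an unrecognized key name or the administrator requirement noted on the class page, and `</br>` should be `<br>` or `<br/>`.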

View File

@ -0,0 +1,126 @@
---
title: WEKF_Scancode
description: WEKF_Scancode
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_Scancode
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Blocks or unblocks key combinations by using the keyboard scan code, which is an integer number that is generated whenever a key is pressed or released.
## Syntax
```powershell
class WEKF_Scancode {
[Static] uint32 Add(
[In] string Modifiers,
[In] uint16 scancode
);
[Static] uint32 Remove(
[In] string Modifiers,
[In] uint16 Scancode
);
[Key] string Modifiers;
[Key] uint16 Scancode;
[Read, Write] boolean Enabled;
}
```
## Members
The following tables list any constructors, methods, fields, and properties that belong to this class.
### Methods
| Methods | Description |
|---------|-------------|
| [WEKF_Scancode.Add](wekf-scancodeadd.md) | Adds a new custom scan code combination and enables Keyboard Filter to block the new scan code combination. |
| [WEKF_Scancode.Remove](wekf-scancoderemove.md) | Removes the specified custom scan code combination. Keyboard Filter stops blocking the scan code combination that was removed. |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **Modifiers** | string | [key] | The modifier keys that are part of the key combination to block. |
| **Scancode** | uint16 | [key] | The scan code part of the key combination to block. |
| **Enabled** | Boolean | [read, write] | Indicates whether the scan code is blocked or unblocked. This property can be one of the following values:</br>- **true** Indicates that the scan code is blocked.</br>- **false** Indicates that the scan code isn't blocked. |
### Remarks
Scan codes are generated by the keyboard whenever a key is pressed. The same physical key will always generate the same scan code, regardless of which keyboard layout is currently being used by the system.
You can specify key combinations by including the modifier keys in the *Modifiers* parameter of the **Add** method or by modifying the **Modifiers** property. The most common modifier names are <kbd>>Ctrl</kbd>, <kbd>>Shift</kbd>, <kbd>>Alt</kbd>, and <kbd>>Win</kbd>.
## Example
The following code demonstrates how to add or enable a keyboard scan code that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly, and doesn't call any of the methods defined in **WEKF_Scancode**.
```powershell
<#
.Synopsis
This script shows how to use the WMI provider to enable and add
Keyboard Filter rules through Windows Powershell on the local computer.
.Parameter ComputerName
Optional parameter to specify a remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Enable-Scancode($Modifiers, [int]$Code) {
<#
.Synopsis
Toggle on a Scancode Keyboard Filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_Scancode instances,
filter against key values of "Modifiers" and "Scancode", and set
that instance's "Enabled" property to 1/true.
In the case that the Scancode instance does not exist, add a new
instance of WEKF_Scancode using Set-WMIInstance.
.Example
Enable-Predefined-Key "Ctrl+V"
Enable filtering of the Ctrl + V sequence.
#>
$scancode =
Get-WMIObject -class WEKF_Scancode @CommonParams |
where {
($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)
}
if($scancode) {
$scancode.Enabled = 1
$scancode.Put() | Out-Null
"Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
} else {
Set-WMIInstance `
-class WEKF_Scancode `
-argument @{Modifiers="$Modifiers"; Scancode=$Code} `
@CommonParams | Out-Null
"Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
}
}
# Some example uses of the function defined above.
Enable-Scancode "Ctrl" 37
```
## Related articles
[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard Filter](index.md)
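Review bot: The `.Example` in the comment-based help of `Enable-Scancode` shows `Enable-Predefined-Key "Ctrl+V"`, which is a different function with a different signature. It should show a call to `Enable-Scancode` with a modifier string and a scan code, matching the sample call `Enable-Scancode "Ctrl" 37`. That call passes 37 as decimal while the script prints the code with `{1:X4}`, so the output shows 0025. Say in a comment which key this is and that the argument is decimal, so readers do not block the wrong key. In the Syntax block, the `Add` parameter is spelled `scancode` in lower case while `Remove` uses `Scancode`. In Remarks, each `<kbd>` element contains a stray `>` (`<kbd>>Ctrl</kbd>`), which will render as part of the key name. The two Related articles links lack the `- ` list markers used on the other pages and will run together on one line.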

View File

@ -0,0 +1,42 @@
---
title: WEKF_Scancode.Add
description: WEKF_Scancode.Add
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_Scancode.Add
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This method adds a new custom scan code combination and enables Keyboard Filter to block the new combination.
## Syntax
```powershell
[Static] uint32 Add(
[In] string Modifiers,
[In] uint16 Scancode
);
```
## Parameters
**Modifers**</br>The modifier keys that are part of the key combination to block.
**Scancode**</br>The hardware scan code of the key to block.
## Return Value
Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
**WEKF_Scancode.Add** creates a new **WEKF_Scancode** object and sets the **Enabled** property of the new object to **true**.
If a **WEKF_Scancode** object already exists with same *Modifiers* and *Scancode* properties, then **WEKF_Scancode.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_Scancode** object has the **Enabled** property set to **false**, Keyboard Filter doesn't block the scan code.
## Related articles
- [WEKF_Scancode](wekf-scancode.md)
- [Keyboard Filter](index.md)
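Review bot: The first entry under Parameters is spelled **Modifers**; it should be **Modifiers** to match the Syntax block. The Remarks say `Add` "returns an error code" when the object already exists but do not give the value, unlike the Remove page, which names 0x8007007B. State the code so callers can test for it. The last Remarks sentence describes a case where a caller believes a scan code is blocked while it is not: `Add` fails and the existing object stays at **Enabled** = **false**. Tell the reader what to do next, namely set **Enabled** to **true** on the existing object, as the WEKF_Scancode example does. The two parameter entries sit on consecutive lines with no blank line between them and will render as one paragraph.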

View File

@ -0,0 +1,42 @@
---
title: WEKF_Scancode.Remove
description: WEKF_Scancode.Remove
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_Scancode.Remove
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This method removes a custom scan code key combination, causing Keyboard Filter to stop blocking the removed combination.
## Syntax
```powershell
[Static] uint32 Remove(
[In] string Modifiers,
[In] uint16 Scancode
);
```
## Parameters
**Modifiers**</br>The modifier keys of the combination to remove.
**Scancode**</br>The scan code of the combination to remove.
## Return Value
Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
**WEKF_Scancode.Remove** removes an existing **WEKF_Scancode** object. If the object doesn't exist, **WEKF_Scancode.Remove** returns an error with the value 0x8007007B.
Because this method is static, you can't call it on an object instance, but must instead call it at the class level.
## Related articles
- [WEKF_Scancode](wekf-scancode.md)
- [Keyboard Filter](index.md)
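Review bot: The Remarks give the not-found result as 0x8007007B, but the only sample in this commit that tests for it (the WEKF_CustomKey.Remove example) has to compare against the decimal value 2147942523. Either add a short example here that checks `ReturnValue` the same way, or note the decimal equivalent next to the hex value so script authors handle the not-found case correctly. As on the Add page, the two parameter entries are on consecutive lines without a blank line between them and will render as a single paragraph.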

Some files were not shown because too many files have changed in this diff